From owner-freebsd-stable Tue Oct 19 19:27:46 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from s01.arpa-canada.net (s01.arpa-canada.net [209.104.122.2]) by hub.freebsd.org (Postfix) with ESMTP id 7B800185D9 for ; Tue, 19 Oct 1999 19:27:30 -0700 (PDT) (envelope-from matt@BabCom.ORG)
Received: by s01.arpa-canada.net (Postfix, from userid 1001) id 70F21B888; Tue, 19 Oct 1999 22:27:29 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by s01.arpa-canada.net (Postfix) with ESMTP id 6B322B; Tue, 19 Oct 1999 22:27:29 -0400 (EDT)
Date: Tue, 19 Oct 1999 22:27:29 -0400 (EDT)
From: matt
X-Sender: matt@s01.arpa-canada.net
To: Bryan Talbot
Cc: FreeBSD-STABLE
Subject: Re: ipfw rule wrong in rc.firewall(?)
In-Reply-To: <4.2.0.58.19991019191102.00a7b7a0@ekimaphost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 19 Oct 1999, Bryan Talbot wrote:

[...]

: BTW, the solution above to allow UDP packets which originate from any
: machine's port 53 is pretty weak. Any datagram from any host will pass
: through your firewall as long as it originates from port 53. This is a
: pretty common thing to check for when probing firewalls, I'm sure.

I agree, but what other options do I have if I want anyone to be able to query the domains my nameserver hosts? I'll be the first to admit that firewalls are not my forte, and this one is not meant to be hyper-secure (it's a public server in every way) but more meant to be able to selectively deny Bad Things(tm) without it affecting anything that needs to be running. This rule still assumes that UDP packets coming from port 53 are actually packets related to named; with my luck someone will write a UDP flooder that sends from port 53, if they haven't already. It's such an imperfect universe. I'm at a loss for a better solution that will not whack DNS.
: Get some sleep and turn on firewall logging so you can see why packets are
: being rejected/accepted.

Terrific idea, and bed is exactly where I am headed right now. Speaking of ipfw logging, am I the only person that finds ipfw logging into dmesg very annoying? =) I think I read somewhere that this was being redone for 4.0(?)

: -Bryan

Your help is appreciated, thank you.

-Matt

[...]

--
"If the primates that we came from had known that someday politicians would come out of the...the gene pool, they'd a stayed up in the trees and written evolution off as a bad idea. Hell, I always thought the opposable thumb was overrated." -Sheridan, "A Distant Star"
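The thread above contrasts a blanket "allow UDP from any port 53" rule with the wish to keep DNS working for a public nameserver. The script below is an added example (not Matt's ruleset and not FreeBSD's rc.firewall) that puts the weak rule beside a narrowed set which only admits DNS traffic to and from the nameserver's own address, and logs the rest. It assumes the rc.firewall convention of driving ipfw through a `fwcmd` variable; `FWCMD` defaults to `echo` so the script is a dry run, and the nameserver address 192.0.2.53 and the rule numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original message or from rc.firewall.
# Assumptions: FWCMD defaults to "echo" (dry run; set FWCMD=/sbin/ipfw to
# load rules for real), NS 192.0.2.53 is a constructed placeholder for the
# nameserver's address, and the rule numbers are arbitrary.

fwcmd="${FWCMD:-echo}"

# Emits the rules for one mode. $1 is "weak" or "narrow", $2 the nameserver.
dns_rules() {
    mode="$1"
    ns="$2"
    case "$mode" in
    weak)
        # The rule discussed in the thread: any UDP datagram whose source
        # port is 53 reaches any host and any port behind the firewall.
        $fwcmd add 1000 allow udp from any 53 to any
        ;;
    narrow)
        # Queries from anyone to the nameserver's DNS port.
        $fwcmd add 1000 allow udp from any to "$ns" 53
        # Answers the nameserver sends back out.
        $fwcmd add 1010 allow udp from "$ns" 53 to any
        # Answers to the nameserver's own (recursive) queries: remote port 53
        # to an unprivileged local port on the nameserver only, not to other
        # hosts or to privileged ports.
        $fwcmd add 1020 allow udp from any 53 to "$ns" 1024-65535
        # Anything else claiming to come from port 53 is dropped and logged,
        # so the logs show what is probing with that source port.
        $fwcmd add 1030 deny log udp from any 53 to any
        ;;
    *)
        echo "usage: dns_rules weak|narrow nameserver" >&2
        return 1
        ;;
    esac
}

# Returns 0 (true) when a ruleset still contains the blanket port-53 rule.
has_blanket_port53() {
    dns_rules "$1" "$2" | grep -q 'allow udp from any 53 to any$'
}

# Stand-alone use: ./dns_rules.sh [weak|narrow] [nameserver]
dns_rules "${1:-narrow}" "${2:-192.0.2.53}"
```

The narrowed set still trusts source port 53 for one case, replies to the nameserver's own outbound queries, so a forged port-53 datagram can still reach an unprivileged UDP port on the nameserver itself; what it can no longer do is pass through the firewall to every other host. The trailing `deny log` rule is the concrete form of Bryan's advice to turn logging on: it records exactly the datagrams the blanket rule would have let in.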