Date: Tue, 19 Oct 1999 22:27:29 -0400 (EDT)
From: matt <matt@BabCom.ORG>
To: Bryan Talbot <btalbot@ucsd.edu>
Cc: FreeBSD-STABLE <stable@FreeBSD.ORG>
Subject: Re: ipfw rule wrong in rc.firewall(?)
Message-ID: <Pine.BSF.4.20.9910192222160.14029-100000@s01.arpa-canada.net>
In-Reply-To: <4.2.0.58.19991019191102.00a7b7a0@ekimaphost>
On Tue, 19 Oct 1999, Bryan Talbot wrote:

[...]

: BTW, the solution above to allow UDP packets which originate from any
: machine's port 53 is pretty weak. Any datagram from any host will pass
: through your firewall as long as it originates from port 53. This is a
: pretty common thing to check for when probing firewalls, I'm sure.

I agree- but what other options do I have if I want anyone to be able to query the domains my nameserver hosts? I'll be the first to admit that firewalls are not my forte, and this one is not meant to be hyper-secure (it's a public server in every way) but more meant to be able to selectively deny Bad Things(tm) without it affecting anything that needs to be running. This rule still assumes that UDP packets coming from port 53 are actually packets related to named; with my luck someone will write a UDP flooder that sends from port 53, if they haven't already- It's such an imperfect universe. I'm at a loss for a better solution that will not whack DNS.

: Get some sleep and turn on firewall logging so you can see why packets are
: being rejected/accepted.

Terrific idea, and bed is exactly where I am headed right now. Speaking of ipfw logging, am I the only person that finds ipfw logging into dmesg very annoying? =) I think I read somewhere that this was being redone for 4.0(?)

: -Bryan

Your help is appreciated, thank you.

-Matt

[...]

--
"If the primates that we came from had known that someday politicians would come out of the...the gene pool, they'd a stayed up in the trees and written evolution off as a bad idea. Hell, I always thought the opposable thumb was overrated." -Sheridan, "A Distant Star"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
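An added illustration, not part of the thread above, of the weakness Bryan points out: a small Python model of ipfw-style rule matching that runs three constructed datagrams through the source-port-53 rule and through a stateful alternative that admits only queries addressed to the nameserver and replies to queries the host itself sent. The stateful rules are modelled on ipfw's keep-state/check-state keywords from later FreeBSD releases, which is an assumption for this 1999 setup; all addresses and ports are constructed.

```python
from dataclasses import dataclass

NS = "192.0.2.53"  # constructed address of the host running named

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def weak_policy(pkt, state):
    # The rule criticised in the thread, plus its inbound twin:
    #   allow udp from any 53 to any
    #   allow udp from any to any 53
    # Any datagram with source port 53 passes, whatever it really is.
    return pkt.sport == 53 or pkt.dport == 53

def stateful_policy(pkt, state):
    # check-state: admit only replies to queries this host itself sent;
    # the state entry is the outbound 4-tuple, matched here in reverse.
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in state:
        return True
    # allow udp from any to NS 53: anyone may query the zones we host.
    if pkt.dst == NS and pkt.dport == 53:
        return True
    return False  # everything else falls through to the deny rule

def send_query(state, src, sport, dst):
    # Outbound query matched by "allow udp from NS to any 53 keep-state":
    # record the 4-tuple so check-state admits exactly the matching reply.
    state.add((src, sport, dst, 53))

def evaluate():
    """Return {description: (weak_allows, stateful_allows)} for constructed traffic."""
    state = set()
    send_query(state, NS, 40000, "198.51.100.1")  # our resolver asks an upstream server
    traffic = {
        "inbound query to our NS": Pkt("203.0.113.7", 3100, NS, 53),
        "reply to our own query": Pkt("198.51.100.1", 53, NS, 40000),
        "flood from sport 53": Pkt("203.0.113.9", 53, NS, 12345),
    }
    return {name: (weak_policy(p, state), stateful_policy(p, state))
            for name, p in traffic.items()}

if __name__ == "__main__":
    for name, (weak, stateful) in evaluate().items():
        print(f"{name:26s} weak={weak!s:5s} stateful={stateful}")
```

Both policies still let legitimate queries and replies through; only the stateful one drops the datagram that merely borrows source port 53.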