Date:      Tue, 19 Oct 1999 22:27:29 -0400 (EDT)
From:      matt <matt@BabCom.ORG>
To:        Bryan Talbot <btalbot@ucsd.edu>
Cc:        FreeBSD-STABLE <stable@FreeBSD.ORG>
Subject:   Re: ipfw rule wrong in rc.firewall(?)
Message-ID:  <Pine.BSF.4.20.9910192222160.14029-100000@s01.arpa-canada.net>
In-Reply-To: <4.2.0.58.19991019191102.00a7b7a0@ekimaphost>

On Tue, 19 Oct 1999, Bryan Talbot wrote:
[...]
 
: BTW, the solution above to allow UDP packets which originate from any 
: machines port 53 is pretty weak.  Any datagram from any host will pass 
: through your firewall as long as it originates from port 53.  This is a 
: pretty common thing to check for when probing firewalls, I'm sure.

I agree- but what other options do I have if I want anyone to be able to
query the domains my nameserver hosts? I'll be the first to admit that
firewalls are not my forte, and this one is not meant to be hyper-secure
(it's a public server in every way) but more meant to be able to selectively
deny Bad Things(tm) without it affecting anything that needs to be running.

This rule still assumes that UDP packets coming from port 53 are actually
packets related to named, with my luck someone will write a UDP flooder
that sends from port 53, if they haven't already- It's such an imperfect
universe. I'm at a loss for a better solution that will not whack DNS.

: Get some sleep and turn on firewall logging so you can see why packets are 
: being rejected/accepted.

Terrific idea, and bed is exactly where I am headed right now. Speaking of
ipfw logging, am I the only person that finds ipfw logging into dmesg very
annoying? =) I think I read somewhere that this was being redone for 4.0(?)

: -Bryan

Your help is appreciated, thank you.

-Matt

[...]
--
"If the primates that we came from had known that someday politicians
 would come out of the...the gene pool, they'd a stayed up in the trees
 and written evolution off as a bad idea. Hell, I always thought the
 opposable thumb was overrated."
        -Sheridan, "A Distant Star"



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.20.9910192222160.14029-100000>
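The weakness Bryan points out above (a rule that accepts UDP from any host's port 53 lets any datagram through, not just DNS answers) is easy to see with a small matcher. The following is an added example, not code from this thread or from FreeBSD's rc.firewall: a toy first-match evaluator for a subset of ipfw(8) rule syntax, with constructed addresses (192.0.2.10 as the nameserver, 192.0.2.20 as another host behind the same filter, 198.51.100.7 as a remote peer). It assumes a default-deny filter, a BIND 8 style named that sends its own queries from source port 53 (so answers to it arrive as 53 -> 53), and models no stateful matching. The hardened set restricts the destination of port-53 traffic to the nameserver itself; the residual gap Matt describes, a flood aimed at the nameserver from source port 53, is still accepted, because a stateless filter cannot tell it from a legitimate answer.

```python
"""Toy evaluator for ipfw-style rules (constructed example, not ipfw itself).

Supported syntax: "<action> <proto> from <host>[ <port|lo-hi>] to <host>[ <port|lo-hi>]"
where <host> is "any", an address, or an address/prefix.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    src: str     # source address (dotted quad)
    sport: int
    dst: str     # destination address
    dport: int


def _parse_endpoint(parts):
    """Return (network-or-None, lo-port, hi-port) for 'any'/addr[/len] [port|lo-hi]."""
    host = parts[0]
    net = None if host == "any" else ipaddress.ip_network(host, strict=False)
    lo = hi = None
    if len(parts) > 1:
        spec = parts[1]
        if "-" in spec:
            a, b = spec.split("-", 1)
            lo, hi = int(a), int(b)
        else:
            lo = hi = int(spec)
    return net, lo, hi


def parse_rule(text):
    toks = text.split()
    if len(toks) < 6 or toks[2] != "from" or "to" not in toks:
        raise ValueError(f"unsupported rule: {text!r}")
    action, proto = toks[0], toks[1]
    t = toks.index("to")
    return action, proto, _parse_endpoint(toks[3:t]), _parse_endpoint(toks[t + 1:])


def _endpoint_matches(ep, addr, port):
    net, lo, hi = ep
    if net is not None and ipaddress.ip_address(addr) not in net:
        return False
    if lo is not None and not (lo <= port <= hi):
        return False
    return True


def verdict(rules, pkt):
    """First matching rule wins, as in ipfw; default deny is assumed."""
    for text in rules:
        action, proto, src, dst = parse_rule(text)
        if proto not in ("ip", pkt.proto):
            continue
        if _endpoint_matches(src, pkt.src, pkt.sport) and _endpoint_matches(dst, pkt.dst, pkt.dport):
            return action
    return "deny"


NS = "192.0.2.10"        # constructed: the public nameserver behind the filter
LAN_HOST = "192.0.2.20"  # constructed: another host behind the same filter
PEER = "198.51.100.7"    # constructed: some remote host

# The rule set under discussion: any datagram from source port 53 gets in.
WEAK = [
    f"allow udp from any to {NS} 53",
    "allow udp from any 53 to any",
]

# Tightened: port-53 traffic may only reach the nameserver itself.
HARDENED = [
    f"allow udp from any to {NS} 53",             # queries to our nameserver
    f"allow udp from any 53 to {NS} 53",          # answers to named's own queries (assumes query-source port 53)
    f"allow udp from any 53 to {NS} 1024-65535",  # answers to a stub resolver running on the nameserver box
]

QUERY = Packet("udp", PEER, 40000, NS, 53)            # ordinary lookup against our zone
NS_ANSWER = Packet("udp", PEER, 53, NS, 53)           # answer to a query named sent out (or a flood that looks like one)
RESOLVER_ANSWER = Packet("udp", PEER, 53, NS, 33000)  # answer to the local stub resolver
PROBE = Packet("udp", PEER, 53, LAN_HOST, 137)        # probe dressed up as DNS, aimed at another host
TCP_PROBE = Packet("tcp", PEER, 53, LAN_HOST, 137)    # same trick over TCP: neither set has a tcp rule


def compare(pkt):
    """Verdict of both rule sets for one packet."""
    return {"weak": verdict(WEAK, pkt), "hardened": verdict(HARDENED, pkt)}


if __name__ == "__main__":
    for name in ("QUERY", "NS_ANSWER", "RESOLVER_ANSWER", "PROBE", "TCP_PROBE"):
        print(f"{name:16s} {compare(globals()[name])}")
```

The comparison shows the trade-off directly: the hardened set still answers queries and still lets DNS answers back to the nameserver, rejects the port-53 probe that the weak rule waves through to any other host, and, like the weak set, cannot refuse a port-53 flood aimed at the nameserver's own port 53.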