Date: Sun, 3 Aug 2008 13:11:11 -0400
From: David Schultz <das@FreeBSD.ORG>
To: Daniel Gerzo <danger@FreeBSD.ORG>, src-committers@FreeBSD.ORG, cvs-src@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.firewall
Message-ID: <20080803171111.GA69767@zim.MIT.EDU>
In-Reply-To: <20080717202051.GA27450@zim.MIT.EDU>
References: <200807172000.m6HK0iIh018197@repoman.freebsd.org> <20080717202051.GA27450@zim.MIT.EDU>
I don't think I ever heard anything back about this, and it still
doesn't look right. Do you agree?

On Thu, Jul 17, 2008, David Schultz wrote:
> On Thu, Jul 17, 2008, Daniel Gerzo wrote:
> > @@ -194,6 +194,7 @@
> > ${fwcmd} add deny tcp from any to any setup
> >
> > # Allow DNS queries out in the world
> > + ${fwcmd} add pass tcp from me to any 53 setup keep-state
> > ${fwcmd} add pass udp from me to any 53 keep-state
> >
> > # Allow NTP queries out in the world
> > @@ -294,6 +295,7 @@
> > ${fwcmd} add pass tcp from any to any setup
> >
> > # Allow DNS queries out in the world
> > + ${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state
> > ${fwcmd} add pass udp from ${oip} to any 53 keep-state
> >
> > # Allow NTP queries out in the world
>
> Hmm, it doesn't look like this could possibly work, unless I'm
> missing something. Did you test it?
>
> In one case the rule you added comes after an 'add pass tcp from
> any to any setup', and in the other case it comes after an 'add
> deny tcp from any to any setup', so in both cases, the line you
> added should be ineffectual.
>
> Furthermore, I don't believe there's any reason to use keep-state
> with TCP. The rule to allow packets for already-established
> connections suffices.
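Review bot: in the hunk at @@ -194,6 +194,7 @@ the added `${fwcmd} add pass tcp from me to any 53 setup keep-state` is placed after `${fwcmd} add deny tcp from any to any setup`; ipfw acts on the first matching rule, so an outbound TCP SYN to port 53 is already denied before the new rule is consulted and the new rule can never match. If TCP DNS is meant to be allowed in this section, the pass rule has to come before the blanket deny; and as the reply notes, `keep-state` is not needed on a TCP setup rule when a separate rule already passes established connections.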
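Review bot: in the hunk at @@ -294,6 +295,7 @@ the added `${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state` follows `${fwcmd} add pass tcp from any to any setup`, which already passes every outbound TCP setup packet, so the new rule is never the first match and only adds dynamic state that nothing depends on. Either drop the line or, if TCP DNS is to be handled separately from the general pass, place it above the any-to-any rule and say so in the comment.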
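The ordering problem raised above can be checked mechanically. The following is an added example, not code from the thread or from FreeBSD: a deliberately simplified first-match model of ipfw rule evaluation (protocol, destination port and the `setup` flag only; addresses, `keep-state` and other options are ignored), run over the "client" rules from the first hunk in the committed order and in a constructed reordering, to report which rules no sample packet can ever reach.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "deny"
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None means any destination port
    setup: bool = False      # ipfw "setup": match only TCP SYN (connection setup) packets

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    syn: bool = False

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
            and (not rule.setup or pkt.syn))

def first_match(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """ipfw stops at the first matching rule; no match falls through to the default deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule.action
    return None, "deny"

def shadowed(rules: List[Rule], packets: List[Packet]) -> List[int]:
    """Indices of rules that none of the sample packets ever reaches."""
    reached = {first_match(rules, p)[0] for p in packets}
    return [i for i in range(len(rules)) if i not in reached]

# The "client" section as committed (hunk @@ -194): the new DNS rule follows the deny.
COMMITTED = [
    Rule("deny", "tcp", None, setup=True),  # ${fwcmd} add deny tcp from any to any setup
    Rule("pass", "tcp", 53, setup=True),    # + ${fwcmd} add pass tcp from me to any 53 setup
    Rule("pass", "udp", 53),                # ${fwcmd} add pass udp from me to any 53
]
# Constructed alternative: the DNS pass placed before the blanket deny.
REORDERED = [COMMITTED[1], COMMITTED[0], COMMITTED[2]]

# Constructed sample traffic: outbound DNS over TCP and UDP, plus an HTTP SYN.
SAMPLES = [Packet("tcp", 53, syn=True), Packet("udp", 53), Packet("tcp", 80, syn=True)]

if __name__ == "__main__":
    print("committed order, shadowed rule indices:", shadowed(COMMITTED, SAMPLES))  # [1]
    print("reordered, shadowed rule indices:", shadowed(REORDERED, SAMPLES))        # []
```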