Date: Sun, 3 Aug 2008 13:11:11 -0400 From: David Schultz <das@FreeBSD.ORG> To: Daniel Gerzo <danger@FreeBSD.ORG>, src-committers@FreeBSD.ORG, cvs-src@FreeBSD.ORG, cvs-all@FreeBSD.ORG Subject: Re: cvs commit: src/etc rc.firewall Message-ID: <20080803171111.GA69767@zim.MIT.EDU> In-Reply-To: <20080717202051.GA27450@zim.MIT.EDU> References: <200807172000.m6HK0iIh018197@repoman.freebsd.org> <20080717202051.GA27450@zim.MIT.EDU>
next in thread | previous in thread | raw e-mail | index | archive | help
I don't think I ever heard anything back about this, and it still
doesn't look right. Do you agree?
On Thu, Jul 17, 2008, David Schultz wrote:
> On Thu, Jul 17, 2008, Daniel Gerzo wrote:
> > @@ -194,6 +194,7 @@
> > ${fwcmd} add deny tcp from any to any setup
> >
> > # Allow DNS queries out in the world
> > + ${fwcmd} add pass tcp from me to any 53 setup keep-state
> > ${fwcmd} add pass udp from me to any 53 keep-state
> >
> > # Allow NTP queries out in the world
> > @@ -294,6 +295,7 @@
> > ${fwcmd} add pass tcp from any to any setup
> >
> > # Allow DNS queries out in the world
> > + ${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state
> > ${fwcmd} add pass udp from ${oip} to any 53 keep-state
> >
> > # Allow NTP queries out in the world
>
> Hmm, it doesn't look like this could possibly work, unless I'm
> missing something. Did you test it?
>
> In one case the rule you added comes after an 'add pass tcp from
> any to any setup', and in the other case it comes after an 'add
> deny tcp from any to any setup', so in both cases, the line you
> added should be ineffectual.
>
> Furthermore, I don't believe there's any reason to use keep-state
> with TCP. The rule to allow packets for already-established
> connections suffices.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080803171111.GA69767>