Date: Fri, 16 Feb 2001 21:50:20 -0800 From: Nick Sayer <nsayer@quack.kfu.com> To: Gordon Tetlow <gordont@bluemtn.net> Cc: Trevin Chow <tmchow@sfu.ca>, FreeBSD Stable <freebsd-stable@FreeBSD.ORG> Subject: Re: Can't Telnet but can SSH? Message-ID: <3A8E111C.9060100@quack.kfu.com> References: <Pine.BSF.4.31.0101170041540.13539-100000@sdmail0.sd.bmarts.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Gordon Tetlow wrote: > > allow tcp from any to ${oip} 53 setup > allow udp from any to ${oip} 53 > allow udp from ${oip} 53 to any This is _exceedingly_ insecure. This allows anyone to bind any instrument of destruction they wish to their machine on port 53 and something more dangerous on your inside -- perhaps port 2049 (NFS)? The proper solution to the problem is the stateful filtering in ipfw. Something like this: ipfw add check-state ipfw add pass udp from any to any out xmit ${oif} keep-state ipfw add pass ip from any to any out xmit ${oif} ipfw add pass tcp from any to any established At this point you can add a series of tcp setup passes for allowed incoming connections. Such as: ipfw add pass tcp from any to ${smtp_serv} 25 setup ipfw add pass udp from any to ${dns_serv} 53 setup ipfw add pass tcp from any to ${dns_serv} 53 setup ipfw add pass tcp from any to ${www_serv} 80 setup ... and so on That's not a complete firewall by any means. You'll want to add anti-spoofing and other sanity checks. This rule fragment also obviates the need for any named.conf games to restrict the source port of DNS queries. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A8E111C.9060100>