Subject: Re: Problems with natd and simple firewall
From: Stephen Montgomery-Smith (stephen@math.missouri.edu)
Date: Tue Jul 25 2000 - 19:59:05 CDT


Mike Hoskins wrote:
>
> On Tue, 25 Jul 2000, Mike Hoskins wrote:
>
> > Aye... A thoroughly-commented 'dynamic' rc.firewall option may be the
> > best thing to come out of all this.
>
> And, along those lines... Comments on the following, please. It attempts
> to mimic 'simple' as closely as possible and use compatible terminology
> for ease of comparison.
>

> + ${fwcmd} add allow ip from ${oip} to any keep-state
> + ${fwcmd} add allow ip from ${inet}:{$imask} to any keep-state
> +
> .....................
> + # Allow DNS queries out in the world
> + ${fwcmd} add pass udp from any 53 to ${oip}
> + ${fwcmd} add pass udp from ${oip} to any 53
> +
> + # Allow NTP queries out in the world
> + ${fwcmd} add pass udp from any 123 to ${oip}
> + ${fwcmd} add pass udp from ${oip} to any 123
> +
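Review bot: the second allow rule reads `${inet}:{$imask}`, with the brace on the wrong side of the `$`; in sh that expands to a literal `{`, the value of `imask`, and `}`, not to the netmask, so ipfw will reject the address spec. It should be `${inet}:${imask}`. Separately, `pass udp from any 53 to ${oip}` and `pass udp from any 123 to ${oip}` carry no destination port, so any host that sets its source port to 53 or 123 can reach every UDP port on ${oip}. Since the earlier `keep-state` rules already let replies to outbound DNS and NTP queries back in, these static rules are redundant for clients; if they are kept (e.g. because ${oip} itself serves NTP), they should name the destination port, as in `to ${oip} 123`.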

I don't think the DNS and NTP stuff is necessary. Aren't they
both covered by the first two rules?

------

Also, shouldn't NTP be
> + ${fwcmd} add pass udp from any 123 to ${oip} 123
> + ${fwcmd} add pass udp from ${oip} 123 to any 123
and how about for the DNS stuff:
> + # Allow DNS queries out in the world
> + ${fwcmd} add pass udp from ${my-name-server} 53 to ${oip}
> + ${fwcmd} add pass udp from ${oip} to ${my-name-server} 53

-- 
Stephen Montgomery-Smith
Department of Mathematics, University of Missouri, Columbia, MO 65211
Phone 573-882-4540, fax 573-882-1869
http://www.math.missouri.edu/~stephen  stephen@math.missouri.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message