From 5b9c7d3e5bfe0cb32aa723aeb5eeca7cb986cb70 Mon Sep 17 00:00:00 2001 From: Nick Sayer Date: Tue, 20 Feb 2001 19:54:31 +0000 Subject: [PATCH] Fix some glaring insecurities in the prototype firewall configurations. pass udp from any 53 to ${oip} allows an attacker to access ANY local port by simply binding his local side to 53. The state keeping mechanism is the correct way to allow DNS replies to go back to their source. --- etc/rc.firewall | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/etc/rc.firewall b/etc/rc.firewall index fb7a7f83d33..82f1b2e3030 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall @@ -168,12 +168,10 @@ case ${firewall_type} in ${fwcmd} add deny tcp from any to any setup # Allow DNS queries out in the world - ${fwcmd} add pass udp from any 53 to ${ip} - ${fwcmd} add pass udp from ${ip} to any 53 + ${fwcmd} add pass udp from ${ip} to any 53 keep-state # Allow NTP queries out in the world - ${fwcmd} add pass udp from any 123 to ${ip} - ${fwcmd} add pass udp from ${ip} to any 123 + ${fwcmd} add pass udp from ${ip} to any 123 keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel @@ -270,12 +268,10 @@ case ${firewall_type} in ${fwcmd} add pass tcp from any to any setup # Allow DNS queries out in the world - ${fwcmd} add pass udp from any 53 to ${oip} - ${fwcmd} add pass udp from ${oip} to any 53 + ${fwcmd} add pass udp from ${oip} to any 53 keep-state # Allow NTP queries out in the world - ${fwcmd} add pass udp from any 123 to ${oip} - ${fwcmd} add pass udp from ${oip} to any 123 + ${fwcmd} add pass udp from ${oip} to any 123 keep-state # Everything else is denied by default, unless the # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel -- 2.45.2