cvs commit: src/etc rc.firewall

David Schultz das at FreeBSD.ORG
Sun Aug 3 17:11:19 UTC 2008


I don't think I ever heard anything back about this, and it still
doesn't look right. Do you agree?

On Thu, Jul 17, 2008, David Schultz wrote:
> On Thu, Jul 17, 2008, Daniel Gerzo wrote:
> > @@ -194,6 +194,7 @@
> >  	${fwcmd} add deny tcp from any to any setup
> >  
> >  	# Allow DNS queries out in the world
> > +	${fwcmd} add pass tcp from me to any 53 setup keep-state
> >  	${fwcmd} add pass udp from me to any 53 keep-state
> >  
> >  	# Allow NTP queries out in the world
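Review bot: the added `pass tcp from me to any 53 setup keep-state` line in this hunk comes directly after `${fwcmd} add deny tcp from any to any setup`; ipfw walks the list in order and stops at the first match, so a TCP SYN to port 53 has already been denied before the new rule is consulted and the rule can never fire. If outbound TCP DNS is meant to be allowed in this ruleset, the rule has to be placed above that deny. Separately, `keep-state` buys nothing on a TCP rule when the ruleset already passes established TCP connections, so `setup` alone would be enough.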
> > @@ -294,6 +295,7 @@
> >  	${fwcmd} add pass tcp from any to any setup
> >  
> >  	# Allow DNS queries out in the world
> > +	${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state
> >  	${fwcmd} add pass udp from ${oip} to any 53 keep-state
> >  
> >  	# Allow NTP queries out in the world
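Review bot: in this hunk the new rule follows `${fwcmd} add pass tcp from any to any setup`, which already matches every TCP setup packet, including those from `${oip}` to port 53, so the added line is unreachable and only duplicates the broader pass (the udp rule below it is the one that actually adds coverage). Either drop the line, or, if the intent is to confine TCP setup to DNS, narrow the preceding any-to-any pass instead.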
> 
> Hmm, it doesn't look like this could possibly work, unless I'm
> missing something. Did you test it?
> 
> In one case the rule you added comes after an 'add pass tcp from
> any to any setup', and in the other case it comes after an 'add
> deny tcp from any to any setup', so in both cases, the line you
> added should be ineffectual.
> 
> Furthermore, I don't believe there's any reason to use keep-state
> with TCP. The rule to allow packets for already-established
> connections suffices.
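The two points in the reply, that a rule placed after a broader `deny ... setup` or `pass ... setup` is never reached, and that an `established` rule already passes TCP replies without `keep-state`, can be checked with a small first-match model of an ipfw-style rule list. This is an added example, not code from FreeBSD's rc.firewall or from ipfw itself; the rule lists are cut down to the lines visible in the two hunks plus the established-connection rule the reply refers to, and the addresses `ME` and `RESOLVER` are constructed stand-ins for `me`/`${oip}` and a remote DNS server.

```python
# Added example (not FreeBSD's rc.firewall or ipfw): a first-match model of an
# ipfw-style rule list, enough to show why the patched rules are unreachable
# and why an 'established' rule passes TCP replies without keep-state.
from dataclasses import dataclass
from typing import Optional

ME = "192.0.2.10"           # constructed; stands in for 'me' / ${oip}
RESOLVER = "198.51.100.53"  # constructed remote DNS server


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                 # "pass" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False         # ipfw 'setup': SYN set and ACK clear
    established: bool = False   # ipfw 'established': ACK (or RST) set; RST not modelled
    keep_state: bool = False    # create a dynamic rule when the packet matches


def _flow(p: Packet):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse_flow(p: Packet):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "any" or r.proto == p.proto)
            and (r.src == "any" or r.src == p.src)
            and (r.dst == "any" or r.dst == p.dst)
            and (r.dport is None or r.dport == p.dport)
            and (not r.setup or (p.syn and not p.ack))
            and (not r.established or p.ack))


def evaluate(rules, p: Packet, state: Optional[set] = None):
    """Walk the list in order and stop at the first match, as ipfw does.
    Returns (action, index); index is None for the implicit final deny and
    "dynamic" when an existing dynamic rule passed the packet."""
    state = set() if state is None else state
    checked = False
    for i, r in enumerate(rules):
        # The first keep-state rule encountered acts as an implicit check-state.
        if r.keep_state and not checked:
            checked = True
            if _flow(p) in state or _reverse_flow(p) in state:
                return "pass", "dynamic"
        if matches(r, p):
            if r.action == "pass" and r.keep_state:
                state.add(_flow(p))
            return r.action, i
    return "deny", None


# The line the patch adds, and the udp line it sits next to.
ADDED_TCP53 = Rule("pass", "tcp", ME, "any", 53, setup=True, keep_state=True)
UDP53 = Rule("pass", "udp", ME, "any", 53, keep_state=True)

CLIENT_AS_PATCHED = [
    Rule("pass", "tcp", established=True),
    Rule("deny", "tcp", setup=True),
    ADDED_TCP53,   # never reached by a SYN: the deny above already matched
    UDP53,
]
CLIENT_REORDERED = [
    Rule("pass", "tcp", established=True),
    ADDED_TCP53,   # moved ahead of the deny, so it can match
    Rule("deny", "tcp", setup=True),
    UDP53,
]
SIMPLE_AS_PATCHED = [
    Rule("pass", "tcp", established=True),
    Rule("pass", "tcp", setup=True),
    ADDED_TCP53,   # redundant: the broader pass above already matched
    UDP53,
]

# Constructed traffic: an outbound DNS-over-TCP SYN and the resolver's SYN/ACK.
DNS_SYN = Packet("tcp", ME, RESOLVER, 40000, 53, syn=True)
DNS_SYNACK = Packet("tcp", RESOLVER, ME, 53, 40000, syn=True, ack=True)


def reply_passes_without_state(rules) -> bool:
    """With an empty dynamic table, does a SYN/ACK reply still pass?"""
    return evaluate(rules, DNS_SYNACK, state=set())[0] == "pass"


if __name__ == "__main__":
    print("client as patched:", evaluate(CLIENT_AS_PATCHED, DNS_SYN))
    print("client reordered: ", evaluate(CLIENT_REORDERED, DNS_SYN))
    print("simple as patched:", evaluate(SIMPLE_AS_PATCHED, DNS_SYN))
    print("reply passes w/o state:", reply_passes_without_state(CLIENT_AS_PATCHED))
```

Running it shows the SYN hitting the deny at index 1 in the patched client list, the broad pass at index 1 in the patched simple list (index 2, the added rule, is never consulted in either), and the added rule matching only once it is moved ahead of the deny. The reply check shows the SYN/ACK matched by the `established` rule at index 0 with no dynamic state at all, which is the reason `keep-state` is not needed on the TCP rule.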

