cvs commit: src/etc rc.firewall

David Schultz das at FreeBSD.ORG
Thu Jul 17 20:20:32 UTC 2008


On Thu, Jul 17, 2008, Daniel Gerzo wrote:
> @@ -194,6 +194,7 @@
>  	${fwcmd} add deny tcp from any to any setup
>  
>  	# Allow DNS queries out in the world
> +	${fwcmd} add pass tcp from me to any 53 setup keep-state
>  	${fwcmd} add pass udp from me to any 53 keep-state
>  
>  	# Allow NTP queries out in the world
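Review bot: The added `${fwcmd} add pass tcp from me to any 53 setup keep-state` at -194/+194 is unreachable for its intended traffic, because the rule immediately above it, `${fwcmd} add deny tcp from any to any setup`, already matches every outbound SYN (`setup`) and ipfw stops at the first match. If outbound DNS over TCP is meant to be allowed in this (client) section, the pass rule has to be placed before that deny, not after it; and as the reply below notes, `keep-state` buys nothing here, since the existing rule for established connections already lets the rest of the TCP exchange through, so a plain `setup` rule would do.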
> @@ -294,6 +295,7 @@
>  	${fwcmd} add pass tcp from any to any setup
>  
>  	# Allow DNS queries out in the world
> +	${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state
>  	${fwcmd} add pass udp from ${oip} to any 53 keep-state
>  
>  	# Allow NTP queries out in the world
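Review bot: The added `${fwcmd} add pass tcp from ${oip} to any 53 setup keep-state` at -294/+295 is redundant: the preceding `${fwcmd} add pass tcp from any to any setup` already passes every outbound TCP connection, including port 53, so this line can never match. The only effect it could have is to create a dynamic state entry per DNS connection if it ever did match, which is unnecessary for TCP given the established-connections rule; suggest dropping the line rather than adding it, or, if the intent is a DNS-specific rule, documenting why it is needed alongside the blanket allow.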

Hmm, it doesn't look like this could possibly work, unless I'm
missing something. Did you test it?

In one case the rule you added comes after an 'add pass tcp from
any to any setup', and in the other case it comes after an 'add
deny tcp from any to any setup', so in both cases, the line you
added should be ineffectual.

Furthermore, I don't believe there's any reason to use keep-state
with TCP. The rule to allow packets for already-established
connections suffices.
