ipfw keep-state (ASAP answer need)

Miguel Mendez flynn at energyhq.es.eu.org
Tue Dec 9 07:49:40 PST 2003


./chael at southgate.ph.inter.net wrote:

> ${fwcmd} add allow udp from any 1024-65535,53 to any 53
> ${fwcmd} add allow udp from any 53 to any 1024-65535

That ruleset is a really bad idea. Imagine the following scenario: You
run a vulnerable service (bind, sendmail, you name it), Joe Haxor
launches an exploit against that service and creates a bindshell on port
1337. Now all he has to do is use port 53 as source and automagically
trespasses your firewall settings. Always use *stateful* firewalling,
and never allow anything not strictly necessary. Btw, zone transfers use
TCP, so you'd have to allow that as well.

Cheers,
-- 
	Miguel Mendez <flynn at energyhq.es.eu.org>
	http://www.energyhq.es.eu.org
	PGP Key: 0xDC8514F1
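As an added illustration of the point above (this is not part of the original thread and not the poster's own rc.firewall), here are the two quoted stateless rules beside a stateful replacement, written in the /etc/rc.firewall style where ${fwcmd} is the ipfw(8) binary. It assumes the host is a DNS client (a resolver, not an authoritative server), that ipfw's check-state / keep-state keywords are available (they are in the FreeBSD 4.x-era ipfw), and it defaults ${fwcmd} to an echo so the rules can be reviewed on any machine before being loaded with fwcmd=/sbin/ipfw.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumption: this host only *sends* DNS queries; rule numbers are arbitrary.
# By default the rules are only printed; run with fwcmd=/sbin/ipfw to load them.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

# Weak ruleset (the one quoted in the thread): the decision rests on port
# numbers alone. The second rule lets ANY packet whose UDP source port is 53
# reach ANY high port on this host, so a backdoor listening on, say, udp/1337
# is reachable by anyone who simply binds source port 53 before sending.
stateless_dns_rules() {
    ${fwcmd} add 1000 allow udp from any 1024-65535,53 to any 53
    ${fwcmd} add 1010 allow udp from any 53 to any 1024-65535
}

# Stateful ruleset: an outbound query creates a dynamic rule; check-state
# matches the reply to it. An unsolicited packet from source port 53 matches
# no dynamic rule and falls through to the deny, even if it is aimed at a
# port something is listening on.
stateful_dns_rules() {
    ${fwcmd} add 1000 check-state
    # UDP queries we originate, plus their replies via the dynamic rule
    ${fwcmd} add 1010 allow udp from me to any 53 out keep-state
    # zone transfers and oversized answers use TCP 53 (as noted above);
    # 'setup' restricts the static rule to the connection-opening SYN
    ${fwcmd} add 1020 allow tcp from me to any 53 out setup keep-state
    # nothing else involving port 53 is let in or out; in a full
    # rc.firewall the remaining services' rules go before this line
    ${fwcmd} add 1030 deny log udp from any to any 53
    ${fwcmd} add 1040 deny log udp from any 53 to any
    ${fwcmd} add 1050 deny log tcp from any to any 53
    ${fwcmd} add 1060 deny log tcp from any 53 to any
}

if [ "${1:-}" = "stateless" ]; then
    stateless_dns_rules
else
    stateful_dns_rules
fi
```

With `fwcmd` left unset, `sh thisfile.sh stateless` and `sh thisfile.sh` just print the two rule sets for comparison; the `deny log` lines only produce log entries if net.inet.ip.fw.verbose is enabled.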


