[EMAIL PROTECTED] wrote:
> ${fwcmd} add allow udp from any 1024-65535,53 to any 53
> ${fwcmd} add allow udp from any 53 to any 1024-65535

That ruleset is a really bad idea. Imagine the following scenario: You run a vulnerable service (bind, sendmail, you name it), Joe Haxor launches an exploit against that service and creates a bindshell on port 1337. Now all he has to do is use port 53 as source and automagically trespasses your firewall settings.

Always use *stateful* firewalling, and never allow anything not strictly necessary.

Btw, zone transfers use TCP, so you'd have to allow that as well.

Cheers,
--
Miguel Mendez <[EMAIL PROTECTED]>
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
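The quoted stateless rules beside a stateful ipfw replacement, as an added example that is not part of the thread. It follows the rc.firewall `${fwcmd}` convention; the default `echo ipfw` dry run and the `has_source_port_53_hole` checker are assumptions for inspecting the rules offline.

```shell
#!/bin/sh
# DNS rules for FreeBSD ipfw. Added example, not from the original thread.
# fwcmd follows rc.firewall; it defaults to a dry-run "echo ipfw" (assumption)
# so the generated rules can be reviewed without touching a live firewall.
fwcmd="${fwcmd:-echo ipfw}"

# The stateless ruleset from the quoted post: any packet whose source port is
# 53 is allowed to any unprivileged port, so a bindshell on 1337 is reachable
# simply by sending from port 53.
stateless_dns_rules() {
    ${fwcmd} add allow udp from any 1024-65535,53 to any 53
    ${fwcmd} add allow udp from any 53 to any 1024-65535
}

# Stateful replacement: only packets matching a dynamic entry created by an
# outbound query (or an inbound query to our own port 53) are passed.
# Unsolicited packets from source port 53 match nothing and hit the final
# deny. TCP is included because zone transfers use TCP.
stateful_dns_rules() {
    ${fwcmd} add check-state
    # this host as a DNS client: queries out, answers back only via state
    ${fwcmd} add allow udp from me to any 53 out keep-state
    ${fwcmd} add allow tcp from me to any 53 out setup keep-state
    # this host as a nameserver (bind): queries and zone transfers in
    ${fwcmd} add allow udp from any to me 53 in keep-state
    ${fwcmd} add allow tcp from any to me 53 in setup keep-state
    # nothing not strictly necessary: this sits last in the full ruleset
    ${fwcmd} add deny log ip from any to any
}

# Review helper (assumption): returns 0 if a ruleset generator emits a
# stateless "allow ... from any 53 to ..." rule, the hole described above.
has_source_port_53_hole() {
    "$1" | grep -v keep-state | grep -q 'allow udp from any 53 to'
}
```

Run with `fwcmd=/sbin/ipfw` only as part of a complete ruleset, since the final deny stands alone otherwise.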