Re: ipfw keep-state (ASAP anwser need)

2003-12-09 Thread Miguel Mendez
./[EMAIL PROTECTED] wrote:

> ${fwcmd} add allow udp from any 1024-65535,53 to any 53
> ${fwcmd} add allow udp from any 53 to any 1024-65535

That ruleset is a really bad idea. Imagine the following scenario: You
run a vulnerable service (bind, sendmail, you name it), Joe Haxor
launches an exploit against that service and creates a bindshell on port
1337. Now all he has to do is use port 53 as source and automagically
trespasses your firewall settings. Always use *stateful* firewalling,
and never allow anything not strictly necessary. Btw, zone transfers use
TCP, so you'd have to allow that as well.

Cheers,
-- 
Miguel Mendez <[EMAIL PROTECTED]>
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ipfw keep-state (ASAP anwser need)

2003-12-09 Thread Rob
Have you perhaps deleted your rules? Check with

ipfw list

and make sure they are all there.

Use /var/log/security to find which rule is denying the packets. If it's the
default rule 65535, then your allow rules are somehow incorrect.

- Original Message -
From: "Gregory Edigarov" <[EMAIL PROTECTED]>
Subject: Re: ipfw keep-state (ASAP anwser need)


> On Tue, 09 Dec 2003, Rob wrote:
>
> > ipfw add 4100 allow udp from me to any 53 keep-state
> > ipfw add 4200 allow udp from any to me 53 keep-state
> It doesn't work.
>
> > What does /var/log/security show?
>
> it shows that all udp traffic to 53 port of any computer was denied.
>
>
> It worked exactly like I've show for a very long time, but a week
> ago something has broken. What is the other possibilities?
>
> --
> With best regards,
> Gregory Edigarov
> --

> profi.kharkov.uaSystems
Administrator
> --

>



Re: ipfw keep-state (ASAP anwser need)

2003-12-09 Thread Rob
I would suggest

ipfw add 4100 allow udp from me to any 53 keep-state
ipfw add 4200 allow udp from any to me 53 keep-state

which allows either side to initiate the connection. You will also need TCP
versions of these rules (DNS uses both).

If you use ipfw2, which is the default in 5.x, you can combine them into the
same rule like so:

ipfw add 4100 allow ( tcp or udp ) from me to any 53 keep-state
ipfw add 4200 allow ( tcp or udp ) from any to me 53 keep-state

What does /var/log/security show?

- Original Message -
From: "Gregory Edigarov" <[EMAIL PROTECTED]>
Subject: ipfw keep-state (ASAP anwser need)


> Hello,
>
> The following is a fragment of my rc.firewall which must allow all
> traffic in and out of my named.
>
> 
> ipfw add 4100 allow udp from me to any 53 keep-state
> ipfw add 4200 allow udp from any to me 53
> ipfw add 4300 allow udp from me 53 to any
> ---
> This is a fragment from my kernel configuration:
> ---
> options IPFIREWALL  #firewall
> options IPFIREWALL_VERBOSE  #enable logging to syslogd(8)
> options IPFIREWALL_FORWARD  #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
> options IPDIVERT    #divert sockets
> options IPSTEALTH
> options ICMP_BANDLIM
> options DUMMYNET
> options BRIDGE
> options IPFW2
> ---
> It doesn't work. What am I missing?
>
> --
> With best regards,
> Gregory Edigarov
> --

> profi.kharkov.uaSystems
Administrator
> --


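As an added illustration of Miguel's point about source-port-53 rules and of Rob's keep-state rules (this is example code written for this page, not anything posted in the thread or part of ipfw), the following toy model feeds the same constructed traffic through both rulesets. The addresses are RFC 5737 documentation addresses chosen here, and the dynamic-rule handling is simplified: the model consults its dynamic table before every rule, whereas real ipfw does so at the first check-state or keep-state rule it reaches.

```python
# Added example: toy model of ipfw stateless vs. keep-state matching.
# Not ipfw code; addresses and traffic below are constructed for the demo.
from dataclasses import dataclass, field

ME = "192.0.2.10"  # constructed: the host the rules call "me"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    proto: str
    src: str
    sports: str  # ipfw-style port spec: "any", "53", "1024-65535,53"
    dst: str
    dports: str
    keep_state: bool = False


def port_match(spec: str, port: int) -> bool:
    """Match a port against an ipfw-style port list (ranges and commas)."""
    if spec == "any":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def addr_match(spec: str, addr: str) -> bool:
    """'any' matches everything, 'me' matches our own address."""
    return spec == "any" or (spec == "me" and addr == ME) or spec == addr


@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)  # 5-tuples created by keep-state

    def check(self, pkt: Packet) -> str:
        """Return the verdict for one packet, updating dynamic state."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A dynamic entry matches both directions of the flow that created it.
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow dynamic"
        for r in self.rules:
            if (r.proto == pkt.proto
                    and addr_match(r.src, pkt.src) and port_match(r.sports, pkt.sport)
                    and addr_match(r.dst, pkt.dst) and port_match(r.dports, pkt.dport)):
                if r.keep_state:
                    self.dynamic.add(fwd)
                return f"allow {r.number}"
        return "deny 65535"  # the default rule


# chael's stateless rules, given rule numbers 100 and 200 here
STATELESS = [
    Rule(100, "udp", "any", "1024-65535,53", "any", "53"),
    Rule(200, "udp", "any", "53", "any", "1024-65535"),
]
# Rob's keep-state rules
STATEFUL = [
    Rule(4100, "udp", "me", "any", "any", "53", keep_state=True),
    Rule(4200, "udp", "any", "any", "me", "53", keep_state=True),
]

RESOLVER, CLIENT, STRANGER = "198.51.100.1", "203.0.113.5", "203.0.113.7"

# Constructed traffic: a query we send and its reply, a query a client sends
# to our named and our answer, and an unsolicited packet from source port 53
# to a high port on our host (Miguel's bindshell scenario).
TRAFFIC = [
    ("our query", Packet("udp", ME, 40000, RESOLVER, 53)),
    ("reply to us", Packet("udp", RESOLVER, 53, ME, 40000)),
    ("client query", Packet("udp", CLIENT, 5000, ME, 53)),
    ("our answer", Packet("udp", ME, 53, CLIENT, 5000)),
    ("unsolicited :53 -> :1337", Packet("udp", STRANGER, 53, ME, 1337)),
]


def run(rules) -> dict:
    """Feed TRAFFIC in order through a fresh firewall; return name -> verdict."""
    fw = Firewall(list(rules))
    return {name: fw.check(pkt) for name, pkt in TRAFFIC}


if __name__ == "__main__":
    for label, rules in (("stateless", STATELESS), ("keep-state", STATEFUL)):
        print(label)
        for name, verdict in run(rules).items():
            print(f"  {name:26s} {verdict}")
```

Both rulesets pass the legitimate query/reply pairs in each direction, which is what Rob means by either side being able to initiate. Only the keep-state set rejects the unsolicited packet: with no dynamic entry for that flow, it falls through to the default rule, while the stateless rule 200 accepts any UDP datagram whose source port happens to be 53.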


Re: ipfw keep-state (ASAP anwser need)

2003-12-09 Thread chael
${fwcmd} add allow udp from any 1024-65535,53 to any 53
${fwcmd} add allow udp from any 53 to any 1024-65535

- Original Message - 
From: "Gregory Edigarov" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 09, 2003 5:32 PM
Subject: ipfw keep-state (ASAP anwser need)


> Hello,
>
> The following is a fragment of my rc.firewall which must allow all
> traffic in and out of my named.
>
> 
> ipfw add 4100 allow udp from me to any 53 keep-state
> ipfw add 4200 allow udp from any to me 53
> ipfw add 4300 allow udp from me 53 to any
> ---
> This is a fragment from my kernel configuration:
> ---
> options IPFIREWALL  #firewall
> options IPFIREWALL_VERBOSE  #enable logging to syslogd(8)
> options IPFIREWALL_FORWARD  #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
> options IPDIVERT    #divert sockets
> options IPSTEALTH
> options ICMP_BANDLIM
> options DUMMYNET
> options BRIDGE
> options IPFW2
> ---
> It doesn't work. What am I missing?
>
> -- 
> With best regards,
> Gregory Edigarov
> --

> profi.kharkov.uaSystems
Administrator
> --




ipfw keep-state (ASAP anwser need)

2003-12-09 Thread Gregory Edigarov
Hello,

The following is a fragment of my rc.firewall which must allow all
traffic in and out of my named.


ipfw add 4100 allow udp from me to any 53 keep-state
ipfw add 4200 allow udp from any to me 53
ipfw add 4300 allow udp from me 53 to any
---
This is a fragment from my kernel configuration:
---
options IPFIREWALL  #firewall
options IPFIREWALL_VERBOSE  #enable logging to syslogd(8)
options IPFIREWALL_FORWARD  #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options IPDIVERT    #divert sockets
options IPSTEALTH
options ICMP_BANDLIM
options DUMMYNET
options BRIDGE
options IPFW2
---
It doesn't work. What am I missing?

-- 
With best regards,
Gregory Edigarov
--
profi.kharkov.ua    Systems Administrator
--