Fix some glaring insecurities in the prototype firewall configurations.

pass udp from any 53 to ${oip} allows an attacker to access ANY local port by simply binding his local side to 53. The state keeping mechanism is the correct way to allow DNS replies to go back to their source.
svn path=/head/; revision=72772
2025-01-01 12:19:28 +00:00 · 2001-02-20 19:54:31 +00:00 · 2001-02-20 19:54:31 +00:00 · 5b9c7d3e5b · 2020-12-20 02:59:44 +00:00
commit 5b9c7d3e5b
parent 25801a0e8b
1 changed files with 4 additions and 8 deletions
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@ -168,12 +168,10 @@ case ${firewall_type} in
 	${fwcmd} add deny tcp from any to any setup

 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from any 53 to ${ip}
-	${fwcmd} add pass udp from ${ip} to any 53
+	${fwcmd} add pass udp from ${ip} to any 53 keep-state

 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from any 123 to ${ip}
-	${fwcmd} add pass udp from ${ip} to any 123
+	${fwcmd} add pass udp from ${ip} to any 123 keep-state

 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
@ -270,12 +268,10 @@ case ${firewall_type} in
 	${fwcmd} add pass tcp from any to any setup

 	# Allow DNS queries out in the world
-	${fwcmd} add pass udp from any 53 to ${oip}
-	${fwcmd} add pass udp from ${oip} to any 53
+	${fwcmd} add pass udp from ${oip} to any 53 keep-state

 	# Allow NTP queries out in the world
-	${fwcmd} add pass udp from any 123 to ${oip}
-	${fwcmd} add pass udp from ${oip} to any 123
+	${fwcmd} add pass udp from ${oip} to any 123 keep-state

 	# Everything else is denied by default, unless the
 	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel