From harlan@pfcs.com  Sun Jun  1 20:56:40 1997
Received: from pcpsj.pfcs.com (/REMeReV8VMBuMCpSuwu5r1c5k65WNAe@harlan.fred.net [205.252.219.31])
          by hub.freebsd.org (8.8.5/8.8.5) with SMTP id UAA24076
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 1 Jun 1997 20:56:28 -0700 (PDT)
Received: from mumps.pfcs.com (mumps.pfcs.com [192.52.69.11]) by pcpsj.pfcs.com (8.6.12/8.6.9) with SMTP id XAA00456 for <FreeBSD-gnats-submit@freebsd.org>; Sun, 1 Jun 1997 23:56:15 -0400
Received: from brown.pfcs.com by mumps.pfcs.com with SMTP id AA02324
  (5.67b/IDA-1.5 for <FreeBSD-gnats-submit@freebsd.org>); Sun, 1 Jun 1997 23:56:14 -0400
Received: from harlan by brown.pfcs.com with local (Exim 1.62 #1)
	id 0wYOE9-0000kR-00; Sun, 1 Jun 1997 23:56:13 -0400
Message-Id: <E0wYOE9-0000kR-00@brown.pfcs.com>
Date: Sun, 1 Jun 1997 23:56:13 -0400
From: Harlan Stenn <Harlan.Stenn@pfcs.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: Potential improvements to rc.firewall
X-Send-Pr-Version: 3.2

>Number:         3750
>Category:       conf
>Synopsis:       Potential improvements to rc.firewall
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    phk
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun  1 21:00:01 PDT 1997
>Closed-Date:    Tue Mar 9 10:43:45 PST 1999
>Last-Modified:  Tue Mar  9 10:45:51 PST 1999
>Originator:     Harlan Stenn
>Release:        FreeBSD 2.1.0-RELEASE i386
>Organization:
PFCS Corporation
>Environment:

    -current (probably earlier releases, too)

>Description:

    I think some of the rules are too loose.

>How-To-Repeat:

  Examination.

>Fix:
	

            (I also sent this to -hackers)

--- rc.firewall-	Sun Jun  1 21:23:06 1997
+++ rc.firewall	Sun Jun  1 21:29:11 1997
@@ -87,11 +87,11 @@
     /sbin/ipfw add deny tcp from any to any setup
 
     # Allow DNS queries out in the world
-    /sbin/ipfw add pass udp from any 53 to ${ip}
+    /sbin/ipfw add pass udp from any to ${ip} 53
     /sbin/ipfw add pass udp from ${ip} to any 53
 
     # Allow NTP queries out in the world
-    /sbin/ipfw add pass udp from any 123 to ${ip}
+    /sbin/ipfw add pass udp from any to ${ip} 123
     /sbin/ipfw add pass udp from ${ip} to any 123
 
     # Everything else is denied as default.
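
Review bot: the replacement rules in this hunk match the wrong direction of the exchange. A DNS query this host sends leaves from an ephemeral local port, and the reply arrives with source port 53 and that ephemeral port as its destination; "pass udp from any to ${ip} 53" only matches datagrams addressed to port 53 on ${ip}, that is, queries sent to this host, so with stateless ipfw the replies to local queries now fall through to the default deny and name resolution from this machine stops (the same holds for the NTP pair when the client does not send from port 123). The concern about the original "pass udp from any 53 to ${ip}" is fair, since any remote host can reach any UDP port on ${ip} simply by sending from source port 53, but the narrowing should keep the source-port test and constrain the destination instead, for example "pass udp from any 53 to ${ip} 1024-65535", which still admits replies to ephemeral client ports while keeping the privileged ports below 1024 closed.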
@@ -144,11 +144,11 @@
     /sbin/ipfw add pass tcp from any to any setup
 
     # Allow DNS queries out in the world
-    /sbin/ipfw add pass udp from any 53 to ${oip}
+    /sbin/ipfw add pass udp from any to ${oip} 53
     /sbin/ipfw add pass udp from ${oip} to any 53
 
     # Allow NTP queries out in the world
-    /sbin/ipfw add pass udp from any 123 to ${oip}
+    /sbin/ipfw add pass udp from any to ${oip} 123
     /sbin/ipfw add pass udp from ${oip} to any 123
 
     # Everything else is denied as default.
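
Review bot: the ${oip} rules here have the same reply-blocking effect as the ${ip} rules in the previous hunk, since "from any to ${oip} 53" accepts queries addressed to this host rather than answers coming back from remote resolvers, and there is an extra wrinkle for NTP: ntpd both sends from and listens on port 123, so its replies to ${oip} 123 still pass, but a client querying from an unprivileged source port loses its answers, and the changed rule now accepts unsolicited NTP queries to ${oip} from any source port, which is a different looseness rather than a narrowing. If the intent is to tighten these rules, keep the remote-port test and restrict the local destination ports (for example "pass udp from any 123 to ${oip} 123,1024-65535"), and apply the identical shape in the ${ip} block above so the two sections stay in step.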


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gpalmer 
Responsible-Changed-By: jkh 
Responsible-Changed-When: Sun Jun 1 22:22:35 PDT 1997 
Responsible-Changed-Why:  
This is his file, originally. 
Responsible-Changed-From-To: gpalmer->phk 
Responsible-Changed-By: jkh 
Responsible-Changed-When: Sun Jun 1 22:30:00 PDT 1997 
Responsible-Changed-Why:  
Braino!  It wasn't Gary Palmer who brought this in, it was Poul-Henning! 
State-Changed-From-To: open->closed 
State-Changed-By: sheldonh 
State-Changed-When: Tue Mar 9 10:43:45 PST 1999 
State-Changed-Why:  
The proposed changes simply break a machine's ability to make 
use of the respective services on remote hosts. 
>Unformatted:
