authornsayer <nsayer@FreeBSD.org>2001-02-20 19:54:31 +0000
committernsayer <nsayer@FreeBSD.org>2001-02-20 19:54:31 +0000
commit763b2b7745b394e8b703ff92c7592d7b5963ba26 (patch)
tree67c71b03ee6c3fddf67114e8071be9848168ce3d /etc/rc.firewall
parentb355ac847e96eddbeb016bde63ff04eb59893a19 (diff)
downloadFreeBSD-src-763b2b7745b394e8b703ff92c7592d7b5963ba26.zip
FreeBSD-src-763b2b7745b394e8b703ff92c7592d7b5963ba26.tar.gz
Fix some glaring insecurities in the prototype firewall configurations.
"pass udp from any 53 to ${oip}" allows an attacker to reach ANY local UDP port simply by binding the source port of his packets to 53. Keeping state on the outbound query is the correct way to let the matching DNS reply back in.
Diffstat (limited to 'etc/rc.firewall')
-rw-r--r--etc/rc.firewall12
1 files changed, 4 insertions, 8 deletions
diff --git a/etc/rc.firewall b/etc/rc.firewall
index fb7a7f8..82f1b2e 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -168,12 +168,10 @@ case ${firewall_type} in
${fwcmd} add deny tcp from any to any setup
# Allow DNS queries out in the world
- ${fwcmd} add pass udp from any 53 to ${ip}
- ${fwcmd} add pass udp from ${ip} to any 53
+ ${fwcmd} add pass udp from ${ip} to any 53 keep-state
# Allow NTP queries out in the world
- ${fwcmd} add pass udp from any 123 to ${ip}
- ${fwcmd} add pass udp from ${ip} to any 123
+ ${fwcmd} add pass udp from ${ip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
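Review bot: The new `keep-state` rules at L28 and L32 only let replies in if the inbound reply reaches the dynamic-rule lookup before an earlier rule drops it; ipfw consults the dynamic table either at an explicit `check-state` rule or, failing that, at the first `keep-state` rule it encounters, so any deny placed ahead of these two that matches inbound UDP would silently kill DNS and NTP replies. I would make the lookup explicit with `${fwcmd} add check-state` immediately before the UDP rules, and note in a comment why the old `from any 53` form was dropped: `# Replies are matched by the dynamic rule; a "from any 53" pass would let any remote host bound to port 53 reach every local UDP port.` The `case` arm this hunk sits in starts and ends outside the hunk, so I cannot confirm what precedes these rules.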
@@ -270,12 +268,10 @@ case ${firewall_type} in
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
- ${fwcmd} add pass udp from any 53 to ${oip}
- ${fwcmd} add pass udp from ${oip} to any 53
+ ${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
- ${fwcmd} add pass udp from any 123 to ${oip}
- ${fwcmd} add pass udp from ${oip} to any 123
+ ${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
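Review bot: The dynamic rules created by `keep-state` at L40 and L44 are per-flow entries in a finite table, so a host that emits many unique DNS or NTP queries (or a local process that can be coaxed into doing so) can fill it, after which new outbound queries are dropped; the size is governed by `net.inet.ip.fw.dyn_max` and the expiry by the `dyn_*_lifetime` sysctls, and the prototype should say so. I would add `# Each query creates a dynamic rule; tune net.inet.ip.fw.dyn_max and the dyn_*_lifetime sysctls if this host makes many UDP queries.` above the DNS rule. Whether the "simple" rule set preceding this hunk already denies inbound UDP on ${oif} before these rules is not visible here, since the enclosing `case` arm begins outside the hunk.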