Hi, Mark--

On Nov 30, 2015, at 1:58 PM, Mark Felder <f...@freebsd.org> wrote:
> [ ... ]
> I noticed my outbound IPv6 didn't have $ks for udp, so I added it.
> However, that had no effect. The solution was to add an incoming rule:
>
> $cmd 03755 allow udp from any to any src-port 123 in via $pif6 $ks
>
> This seems wrong. Thoughts?
Yes, someone can perform a UDP scan of your network using a source port of 123. That's generally not a huge risk, but that very much depends on what is binding to the UDP protocol on your network. (Note that using a UDP source port of 53 for scans is very popular as well.)

I don't know whether UDP keep-state is broken for IPv6, but the freebsd-ipfw folks might have more info.

Also note that performing stateful filtering of DNS and UDP traffic can be a bad idea because of DoS potential. Consider something like this:

# allow DNS,NTP queries out in the world
add pass udp from MYNET HIPORTS to any 53,123
add pass udp from any 53,123 to MYNET HIPORTS
add pass udp from any 53,123 to any 53,123
# traceroute
add pass udp from any HIPORTS to any 33434-33523
# add any other expected UDP traffic here, i.e.:
# add pass udp from any 123,HIPORTS to MYNTPSERVER 123
# add pass udp from MYNTPSERVER 123 to any 123,HIPORTS
# and then log outgoing and block unexpected incoming UDP traffic
add pass log udp from MYNET to any
add unreach filter-prohib log udp from any to any

Regards,
--
-Chuck

PS: Yes, I think firewall_flags="-p cpp" is a reasonable choice, but /bin/sh is just fine if you prefer that. :-)
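The difference between the two rule sets in this thread, as an added example that is not from either poster: a small first-match simulator (ipfw semantics, first matching rule wins) runs the quoted "src-port 123 in" rule and the port-scoped stateless rules above against constructed inbound packets. The site prefix, the HIPORTS range, and the packets are assumed values; only inbound UDP is modelled.

```python
import ipaddress

MYNET = ipaddress.ip_network("2001:db8:1::/48")  # assumed site prefix
HIPORTS = range(1024, 65536)                     # assumed ephemeral range
SERVICE = {53, 123}                              # DNS and NTP

def is_mynet(addr):
    return ipaddress.ip_address(addr) in MYNET

# Rule = (action, list of predicates); a rule matches when all predicates hold.
# "allow udp from any to any src-port 123 in": any destination port is accepted.
MARKS_RULES = [
    ("allow", [lambda p: p["dir"] == "in", lambda p: p["sport"] == 123]),
    ("deny",  []),                                # implicit default deny
]

# The stateless set from the reply: replies from 53/123 only reach OUR high
# ports (or our 53/123), our own outbound is passed, everything else is refused.
CHUCKS_RULES = [
    ("allow", [lambda p: p["sport"] in SERVICE, lambda p: is_mynet(p["dst"]),
               lambda p: p["dport"] in HIPORTS]),
    ("allow", [lambda p: p["sport"] in SERVICE, lambda p: p["dport"] in SERVICE]),
    ("allow", [lambda p: is_mynet(p["src"])]),    # add pass log udp from MYNET to any
    ("deny",  []),                                # add unreach filter-prohib ...
]

def verdict(rules, pkt):
    """Return the action of the first rule whose predicates all match."""
    for action, preds in rules:
        if all(pred(pkt) for pred in preds):
            return action
    return "deny"

def inbound(sport, dport, src="2001:db8:2::1", dst="2001:db8:1::10"):
    """Constructed inbound UDP packet from an outside host to a MYNET host."""
    return {"dir": "in", "src": src, "sport": sport, "dst": dst, "dport": dport}

def compare(sport, dport):
    """Verdict of both rule sets for one inbound packet, as (marks, chucks)."""
    pkt = inbound(sport, dport)
    return verdict(MARKS_RULES, pkt), verdict(CHUCKS_RULES, pkt)

if __name__ == "__main__":
    print("NTP reply to ephemeral port:", compare(123, 40000))   # both allow
    print("probe to port 161 from src 123:", compare(123, 161))  # allow vs deny
    print("probe to port 40000 from src 5000:", compare(5000, 40000))
```

The second case is the scan Chuck describes: a probe sourced from port 123 passes the broad rule, while the port-scoped rules refuse it because its destination is neither an ephemeral port nor 53/123.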