> ${fwcmd} add allow udp from any 1024-65535,53 to any 53
> ${fwcmd} add allow udp from any 53 to any 1024-65535

That ruleset is a really bad idea. Imagine the following scenario: You
run a vulnerable service (bind, sendmail, you name it), Joe Haxor
launches a exploit against that service and creates a bindshell on port
1337. Now all he has to do is use port 53 as source and automagically
trespasses your firewall settings. Always use *stateful* firewalling,
and never allow anything not strictly necessary. Btw, zone transfers use
TCP, so you'd have to allow that as well.

        Miguel Mendez <[EMAIL PROTECTED]>
        PGP Key: 0xDC8514F1

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to