From owner-freebsd-security Mon Aug 23 13:13: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id BA62F157A2 for ; Mon, 23 Aug 1999 13:12:56 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id OAA02208; Mon, 23 Aug 1999 14:11:42 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id OAA01520; Mon, 23 Aug 1999 14:11:41 -0600
Date: Mon, 23 Aug 1999 14:11:41 -0600
Message-Id: <199908232011.OAA01520@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Poul-Henning Kamp
Cc: "Jan B. Koum ", Matthew Dillon, Nate Williams, freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <11139.935438898@critter.freebsd.dk>
References: <19990823130116.B1797@best.com> <11139.935438898@critter.freebsd.dk>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >One can also run named in a chroot() environment and as a non-root user. In
> >fact, this is exactly what we are doing where I work:
> >
> >85-jkb(nautilus)% ssh dns1.corp ps ax | grep named
> >  106  ??  Ss     0:30.01 syslogd -s -l /var/named/dev/log
> >27897  ??  Ss  1047:54.55 /var/named/named -u bind -g bind -t /var/named
>
> Even better yet: Run it in a jail with its own IP number...

This box isn't ready for -current, or more to the point, -current isn't
ready for prime-time anytime soon. :) :) :)

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
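As an added example that is not part of the thread above: a POSIX shell script that lays out the minimal directory skeleton for a named run the way the quoted ps output shows (named -u bind -g bind -t /var/named, with syslogd -s -l /var/named/dev/log providing the log socket inside the chroot) and then checks the tree for world-writable paths outside the few directories named must write to. The directory layout, the set of writable-directory exceptions and the use of a caller-supplied root are assumptions for illustration; creating device nodes and chowning to the bind user need root and are left to the operator.

```shell
#!/bin/sh
# Added example, not from the original thread. Prepares and checks a chroot
# directory for named started as:  named -u bind -g bind -t "$root"
# The layout (etc, dev, var/run, var/tmp, slave) is an assumption; adjust it
# to the local named.conf.

# Create the skeleton. Everything is root-owned and read-only for the bind
# user except var/run (pid file), var/tmp (dump/stats) and slave (zone
# transfers). Device nodes in dev (null, random) require mknod as root and
# are intentionally not created here.
prepare_named_chroot() {
    root="$1"
    for d in etc dev var/run var/tmp slave; do
        mkdir -p "$root/$d"
    done
    chmod 755 "$root" "$root/etc" "$root/dev" "$root/var" \
              "$root/var/run" "$root/var/tmp" "$root/slave"
    # Placeholder config; the real named.conf is copied in by the operator.
    [ -f "$root/etc/named.conf" ] || : > "$root/etc/named.conf"
    chmod 644 "$root/etc/named.conf"
}

# Return 0 if the required directories exist and nothing outside the
# writable directories (var/run, var/tmp, slave) is world-writable.
# Offending paths are printed so the operator can fix them.
check_named_chroot() {
    root="$1"
    rc=0
    for d in etc dev var/run; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            rc=1
        fi
    done
    # Prune the directories named legitimately writes to, then list anything
    # else with the others-write bit set (-perm -002); symlinks are skipped
    # because their mode bits are meaningless.
    bad=$(find "$root" \( -path "$root/var/run" -o -path "$root/var/tmp" \
                          -o -path "$root/slave" \) -prune \
                -o -perm -002 ! -type l -print)
    if [ -n "$bad" ]; then
        echo "world-writable paths inside chroot:"
        echo "$bad"
        rc=1
    fi
    # The log socket only appears once syslogd -l is running; report, don't fail.
    [ -e "$root/dev/log" ] || \
        echo "note: $root/dev/log absent; start syslogd -s -l $root/dev/log"
    return $rc
}

# Usage: ./named_chroot.sh /var/named   (default root shown in the thread)
if [ -n "$1" ]; then
    prepare_named_chroot "$1"
    check_named_chroot "$1"
fi
```

The check runs as an unprivileged user, so it cannot test ownership against the bind account; it catches the common mistake of a config or zone file the service account could rewrite, which would let a compromised named alter its own configuration on restart.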