Date: Wed, 20 Oct 1999 11:13:12 -0600
Message-Id: <199910201713.LAA25715@mt.sri.com>
From: Nate Williams
To: "Rodney W. Grimes"
Cc: patrick@mindstep.com (Patrick Bihan-Faou), matt@BabCom.ORG (matt), freebsd-security@FreeBSD.ORG
Subject: DNS security using IPFW (was Re: ipfw rule wrong in rc.firewall(?))
In-Reply-To: <199910201700.KAA02948@gndrsh.dnsmgr.net>
References: <009001bf1b08$05ad6040$190aa8c0@local.mindstep.com> <199910201700.KAA02948@gndrsh.dnsmgr.net>

> First thing to do is stop using ``any'', you should not have that many
> internal nameservers that you can't explicitly name them by IP address:
>
> 10539 235 10548 allow log tcp from any to any 53

IMO, this rule should be *after* all of the other rules, otherwise you'll
get hits for 'acceptable' use in your logs.  It appears that this must be
the case with the numbers, or else you've got specific rules for zone
transfers that are not listed.

Note, the use of TCP does not *necessarily* mean a zone transfer, since it
may be the result of a large transfer that doesn't fit into a UDP packet,
which can happen if you have large datasets.  (The Bind FAQ deals with this
in more detail.)

> 40530 35051 3395489 allow udp from any to 205.238.40.1 53
> 40530 1608 306167 allow udp from any to 205.238.40.2 53
> 40530 52365 3549882 allow udp from any to 199.238.232.2 53
> 40530 0 0 allow udp from any to 199.238.232.3 53
> 40530 35250 6830449 allow udp from 205.238.40.1 53 to any
> 40530 1868 124384 allow udp from 205.238.40.2 53 to any
> 40530 51697 9134012 allow udp from 199.238.232.2 53 to any
> 40530 0 0 allow udp from 199.238.232.3 53 to any
>
> You should be running bind 8 behind any firewall, and set it up
> to use a src port of 53, thus allowing the above rules to just
> work.

By default, bind8 'binds' to port 53.  However, there is one issue when
using a firewall, in that all queries and/or transfers are sent out using
your external IP address, and generally speaking most 'external' addresses
are assigned by your ISP.  However, most of the time you want to publish
the 'internal' address that your ISP assigned to your network, since you
have greater control over the names/addresses.  This means that zone
transfers and such come from an IP/name in your ISP's namespace, which is
annoying.  It would be nice if bind8 allowed you to 'bind' zone transfers
to a certain address, like it does with responses.

Nate
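Added example, not part of the thread: a small Python audit of `ipfw -a show` output in the format quoted above. It flags the two points raised here, DNS rules that use `any` on both sides, and a logged catch-all numbered before more specific rules of the same protocol, so that acceptable traffic lands in the logs. The sample ruleset is constructed from the quoted lines; rule 40540 is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the `ipfw -a show` format quoted in the thread (number, packets,
# bytes, rule). Rule 40540 is hypothetical, added so the ordering check has something to flag.
SAMPLE = """\
10539 235 10548 allow log tcp from any to any 53
40530 35051 3395489 allow udp from any to 205.238.40.1 53
40530 35250 6830449 allow udp from 205.238.40.1 53 to any
40540 17 2048 allow tcp from 205.238.40.1 to 205.238.40.2 53
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<action>\S+)(?P<log>\s+log)?"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?\s*$"
)

@dataclass
class Rule:
    num: int; pkts: int; action: str; log: bool; proto: str
    src: str; sport: Optional[str]; dst: str; dport: Optional[str]
    @property
    def is_dns(self) -> bool:
        return "53" in (self.sport, self.dport)
    @property
    def is_catch_all(self) -> bool:
        return self.src == "any" and self.dst == "any"

def parse_rules(text: str) -> List[Rule]:
    rules = []  # lines that do not fit the rule pattern (e.g. a counters header) are skipped
    for line in text.splitlines():
        if m := RULE_RE.match(line.strip()):
            g = m.groupdict()
            rules.append(Rule(int(g["num"]), int(g["pkts"]), g["action"], bool(g["log"]),
                              g["proto"], g["src"], g["sport"], g["dst"], g["dport"]))
    return rules

def audit_dns_rules(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Flag any-to-any port 53 rules, and logged ones evaluated before specific rules."""
    findings = []
    dns = [r for r in rules if r.is_dns]
    for r in (x for x in dns if x.is_catch_all):
        findings.append((r.num, f"{r.proto}/53 allowed from any to any; name the resolvers by IP"))
        later = sorted({s.num for s in dns if s.proto == r.proto and not s.is_catch_all and s.num > r.num})
        if r.log and later:  # lower number = evaluated first: it logs traffic the later rules accept
            findings.append((r.num, f"logged catch-all precedes specific {r.proto} rule(s) {later}; "
                                    f"its {r.pkts} hits include acceptable traffic"))
    return findings
```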