Date: Wed, 20 Oct 1999 10:29:41 -0700 (PDT)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: nate@mt.sri.com (Nate Williams)
Cc: patrick@mindstep.com (Patrick Bihan-Faou), matt@BabCom.ORG (matt), freebsd-security@FreeBSD.ORG
Subject: Re: DNS security using IPFW (was Re: ipfw rule wrong in rc.firewall(?))
Message-ID: <199910201729.KAA03016@gndrsh.dnsmgr.net>
In-Reply-To: <199910201713.LAA25715@mt.sri.com> from Nate Williams at "Oct 20, 1999 11:13:12 am"
> > First thing to do is stop using ``any'', you should not have that many
> > internal nameservers that you can't explicitly name them by IP address:
> >
> > 10539 235 10548 allow log tcp from any to any 53
>
> IMO, this rule should be *after* all of the other rules, otherwise
> you'll get hits for 'acceptable' use in your logs. It appears that this
> must be the case with the numbers, or else you've got specific rules for
> zone transfers that are not listed.

Oops.. I didn't even mean to grab the TCP-related rules, I grabbed one
too many (grep produced this, my regex was bad, I should have hand edited
the list it produced).

> Note, the use of TCP does not *necessarily* mean a zone transfer, since
> it may be the result of a large transfer that doesn't fit into a UDP
> packet, which can happen if you have large datasets. (The Bind FAQ
> deals with this in more detail.)
>
> > 40530 35051 3395489 allow udp from any to 205.238.40.1 53
> > 40530 1608 306167 allow udp from any to 205.238.40.2 53
> > 40530 52365 3549882 allow udp from any to 199.238.232.2 53
> > 40530 0 0 allow udp from any to 199.238.232.3 53
> > 40530 35250 6830449 allow udp from 205.238.40.1 53 to any
> > 40530 1868 124384 allow udp from 205.238.40.2 53 to any
> > 40530 51697 9134012 allow udp from 199.238.232.2 53 to any
> > 40530 0 0 allow udp from 199.238.232.3 53 to any
> >
> > You should be running bind 8 behind any firewall, and set it up
> > to use a src port of 53, thus allowing the above rules to just
> > work.
>
> By default, bind8 'binds' to port 53. However, there is one issue when
> using a firewall, in that all queries and/or transfers are sent out
> using your external IP address, and generally speaking most 'external'
> addresses are assigned by your ISP.
>
> However, most of the time you want to publish the 'internal' address
> that your ISP assigned to your network, since you have greater control
> over the names/addresses.
>
> This means that zone transfers and such come from an IP/name in your
> ISP's namespace, which is annoying. It would be nice if bind8 allowed
> you to 'bind' zone transfers to a certain address, like it does with
> responses.

Yes.

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
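The following is an added example, not code from this thread or from FreeBSD's ipfw. It is a small Python model of ipfw's first-match evaluation for the rule form used in the listing above (`allow [log] proto from src [port] to dst [port]`), built from the nameserver addresses in the posted rules. It shows the two points made in the exchange: a catch-all `allow log tcp from any to any 53` placed before the server-specific rules logs every legitimate TCP query, while placed after them it logs only TCP/53 traffic to hosts that are not your nameservers; and a resolver that does not send from source port 53 falls through the `from <server> 53 to any` rules. The per-server TCP rule number 40540, the trailing catch-all number 50000, the client address and the default-deny fallback are assumptions made for the example.

```python
"""Minimal first-match evaluator for a subset of ipfw rule syntax (added example, not ipfw)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    log: bool
    proto: str
    src: str             # single IP, CIDR, or "any"
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_rule(number: int, text: str) -> Rule:
    """Parse 'allow [log] proto from src [port] to dst [port]', the subset used in the listing."""
    tokens = text.split()
    action = tokens.pop(0)
    log = tokens[0] == "log"
    if log:
        tokens.pop(0)
    proto = tokens.pop(0)
    if tokens.pop(0) != "from":
        raise ValueError(f"expected 'from' in rule: {text}")
    src = tokens.pop(0)
    sport = int(tokens.pop(0)) if tokens[0] != "to" else None
    if tokens.pop(0) != "to":
        raise ValueError(f"expected 'to' in rule: {text}")
    dst = tokens.pop(0)
    dport = int(tokens.pop(0)) if tokens else None
    return Rule(number, action, log, proto, src, sport, dst, dport)


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str, bool]:
    """First matching rule decides; returns (rule number, action, logged).
    Rules are tried in ascending number order (stable sort keeps insertion order for
    equal numbers, as ipfw does). No match falls to an assumed default deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action, rule.log
    return None, "deny", False


# Nameserver addresses taken from the posted listing.
NAMESERVERS = ["205.238.40.1", "205.238.40.2", "199.238.232.2", "199.238.232.3"]


def dns_rules(log_rule_first: bool) -> List[Rule]:
    """The posted UDP rules, plus a constructed per-server TCP allow (number 40540) so that
    explicit TCP rules exist. The catch-all logging TCP rule gets number 10539 (as posted,
    i.e. before the specific rules) or a constructed 50000 (after them)."""
    rules = []
    for ns in NAMESERVERS:
        rules.append(parse_rule(40530, f"allow udp from any to {ns} 53"))
        rules.append(parse_rule(40530, f"allow udp from {ns} 53 to any"))
        rules.append(parse_rule(40540, f"allow tcp from any to {ns} 53"))
    rules.append(parse_rule(10539 if log_rule_first else 50000, "allow log tcp from any to any 53"))
    return rules


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed external client (documentation range)
    tcp_query = Packet("tcp", client, 40000, "205.238.40.1", 53)
    print("catch-all first:", evaluate(dns_rules(True), tcp_query))    # legitimate query is logged
    print("catch-all last: ", evaluate(dns_rules(False), tcp_query))   # matched silently by 40540
    stray = Packet("tcp", client, 40000, "198.51.100.200", 53)         # TCP/53 to a non-nameserver
    print("stray TCP/53:   ", evaluate(dns_rules(False), stray))       # still allowed and logged
    reply = Packet("udp", "199.238.232.2", 40001, client, 4000)        # resolver not using src port 53
    print("non-53 src port:", evaluate(dns_rules(False), reply))       # falls through to deny
```

The last case is the reason for the "set it up to use a src port of 53" advice: the `from <server> 53 to any` rules only pass replies and outbound queries whose source port is 53, so a resolver using ephemeral source ports needs different rules.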