From: "Rodney W. Grimes"
Subject: Re: DNS security using IPFW (was Re: ipfw rule wrong in rc.firewall(?))
In-Reply-To: <199910201713.LAA25715@mt.sri.com> from Nate Williams at "Oct 20, 1999 11:13:12 am"
To: nate@mt.sri.com (Nate Williams)
Date: Wed, 20 Oct 1999 10:29:41 -0700 (PDT)
Cc: patrick@mindstep.com (Patrick Bihan-Faou), matt@BabCom.ORG (matt), freebsd-security@FreeBSD.ORG

> > First thing to do is stop using ``any'', you should not have that many
> > internal nameservers that you can't explicitly name them by IP address:
> >
> > 10539 235 10548 allow log tcp from any to any 53
>
> IMO, this rule should be *after* all of the other rules, otherwise
> you'll get hits for 'acceptable' use in your logs. It appears that this
> must be the case with the numbers, or else you've got specific rules for
> zone transfers that are not listed.

ooppppss.. I didn't even mean to grab the tcp related rules, grabbed one too many (grep produced this, my regex was bad, I should have hand edited the list produced).

> Note, the use of TCP does not *necessarily* mean a zone transfer, since
> it may be the result of a large transfer that doesn't fit into a UDP
> packet, which can happen if you have large datasets. (The Bind FAQ
> deals with this in more detail.)
>
> > 40530 35051 3395489 allow udp from any to 205.238.40.1 53
> > 40530 1608 306167 allow udp from any to 205.238.40.2 53
> > 40530 52365 3549882 allow udp from any to 199.238.232.2 53
> > 40530 0 0 allow udp from any to 199.238.232.3 53
> > 40530 35250 6830449 allow udp from 205.238.40.1 53 to any
> > 40530 1868 124384 allow udp from 205.238.40.2 53 to any
> > 40530 51697 9134012 allow udp from 199.238.232.2 53 to any
> > 40530 0 0 allow udp from 199.238.232.3 53 to any
> >
> > You should be running bind 8 behind any firewall, and set it up
> > to use a src port of 53, thus allowing the above rules to just
> > work.
>
> By default, bind8 'binds' to port 53. However, there is one issue when
> using a firewall, in that all queries and/or transfers are sent out
> using your external IP address, and generally speaking most 'external'
> addresses are assigned by your ISP.
>
> However, most of the time you want to publish the 'internal' address
> that your ISP assigned to your network, since you have greater control
> over the names/addresses.
>
> This means that zone transfers and such come from an IP/name in your
> ISP's namespace, which is annoying. It would be nice if bind8 allowed
> you to 'bind' zone transfers to a certain address, like it does with
> responses.

Yes.

--
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
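As an added example (not part of the thread or of FreeBSD), a small Python audit that parses `ipfw -a list` style output like the rules quoted above and reports the two points raised in the thread: port-53 rules that still use `any` on both ends, and a logged catch-all numbered ahead of the specific rules (ipfw matches in ascending rule number, so such a catch-all fills the log with acceptable traffic). The line format assumed is rule number, packet count, byte count, then the rule body as shown in the quoted list; the sample input is constructed from those quoted rules.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the rules quoted in the thread, in `ipfw -a list` format
# (rule number, packet count, byte count, then the rule body).
SAMPLE_RULES = """\
10539 235 10548 allow log tcp from any to any 53
40530 35051 3395489 allow udp from any to 205.238.40.1 53
40530 1608 306167 allow udp from any to 205.238.40.2 53
40530 52365 3549882 allow udp from any to 199.238.232.2 53
40530 0 0 allow udp from any to 199.238.232.3 53
40530 35250 6830449 allow udp from 205.238.40.1 53 to any
40530 1868 124384 allow udp from 205.238.40.2 53 to any
40530 51697 9134012 allow udp from 199.238.232.2 53 to any
40530 0 0 allow udp from 199.238.232.3 53 to any
"""

@dataclass
class Rule:
    number: int           # ipfw evaluates in ascending number; first match wins
    log: bool             # 'log' keyword present
    proto: str
    src: str
    sport: Optional[str]  # port after the source address, if any
    dst: str
    dport: Optional[str]  # port after the destination address, if any

def parse_rule(line: str) -> Rule:
    """Parse 'NUM PKTS BYTES allow [log] PROTO from SRC [SPORT] to DST [DPORT]'."""
    tok = line.split()
    body = tok[3:]                      # drop the three counter columns
    log = body[1] == "log"
    proto = body[2] if log else body[1]
    i, j = body.index("from"), body.index("to")
    sport = body[i + 2] if body[i + 2] != "to" else None
    dport = body[j + 2] if len(body) > j + 2 else None
    return Rule(int(tok[0]), log, proto, body[i + 1], sport, body[j + 1], dport)

def audit_dns_rules(text: str) -> List[str]:
    """Flag any-to-any port-53 rules and a logged catch-all placed before the specific ones."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    dns = [r for r in rules if "53" in (r.sport, r.dport)]
    wildcard = [r for r in dns if r.src == "any" and r.dst == "any"]
    specific_max = max((r.number for r in dns if not (r.src == "any" and r.dst == "any")), default=0)
    findings = []
    for r in wildcard:
        findings.append(f"rule {r.number}: {r.proto} port 53 from any to any; name the nameservers by IP")
        if r.log and r.number < specific_max:
            findings.append(f"rule {r.number}: logged catch-all precedes specific rules up to {specific_max}; move it after them")
    return findings
```

Run on the quoted list, it reports only rule 10539, both for the `any`-to-`any` match and for sitting ahead of the 40530 rules.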