Date: Wed, 14 Mar 2001 00:16:19 -0600
From: Bill Fumerola
To: Nick Rogness
Cc: Peter Brezny, freebsd-net@FreeBSD.ORG
Subject: Re: problem with secondary dns update through ipfw firewall
Message-ID: <20010314001619.O31752@elvis.mu.org>
In-Reply-To: from nick@rogness.net on Tue, Mar 13, 2001 at 03:47:08PM -0600

On Tue, Mar 13, 2001 at 03:47:08PM -0600, Nick Rogness wrote:
> > # Allow DNS traffic from internet to query your DNS (for reverse
> > # lookups etc).
> > $fwcmd add allow tcp from any 53 to $ns1 53 setup
> > $fwcmd add allow udp from any to $ns1 53
> > $fwcmd add allow udp from $ns1 53 to any
>
> You are only allowing the setup of the zone transfer. You need to
> allow established traffic as well (tcp port 53).
>
> $fwcmd add allow tcp from any 53 to any 53
>
> This isn't very secure though. You can use more specific ipfw rules
> that make this a little more secure.

Luckily, figuring out which servers you need to allow is pretty easy:
you already have a list of them.

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org
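The "more specific" rule set both replies point at, written out as an added example (this is not code from the thread, from the original poster or from FreeBSD): ipfw(8) rules that open TCP/53 to the primary only from the secondaries you already hand out as NS records, covering both the setup packet and the established half of the connection, and refusing everyone else. The addresses, the variable names NS1 and SECONDARIES, the helper names and the dry-run default for FWCMD are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build ipfw(8) rules that let only the
# listed secondaries open a zone transfer (TCP/53) to the primary, and allow
# the established half of those connections in both directions.
# NS1, SECONDARIES and the dry-run default for FWCMD are constructed values.

# Dry run by default (prints the commands). On the firewall, run with
# FWCMD=ipfw as root to load them.
FWCMD="${FWCMD:-echo ipfw}"

# Primary name server and the secondaries you already list as NS records
# (constructed RFC 5737 documentation addresses; replace with your own).
NS1="192.0.2.53"
SECONDARIES="198.51.100.2 203.0.113.7"

# gen_dns_rules PRIMARY SECONDARY... : print one ipfw rule body per line,
# in first-match order.
gen_dns_rules() {
    ns="$1"
    shift

    # UDP queries from anywhere, both directions (as in the thread).
    echo "add allow udp from any to $ns 53"
    echo "add allow udp from $ns 53 to any"

    # TCP/53: a listed secondary may open the connection (SYN only) ...
    for sec in "$@"; do
        echo "add allow tcp from $sec to $ns 53 setup"
        # ... and the packets of that connection (ACK or RST set) may flow
        # both ways. Without this pair the transfer stalls right after the
        # handshake, which is the symptom the original poster describes.
        echo "add allow tcp from $sec to $ns 53 established"
        echo "add allow tcp from $ns 53 to $sec established"
    done

    # Anyone else trying TCP/53 to the primary, including the wide-open
    # 'from any 53 to any 53' case, is refused and logged.
    echo "add deny log tcp from any to $ns 53"
}

# count_rules PRIMARY SECONDARY... : number of rules gen_dns_rules emits
# (2 UDP + 3 per secondary + 1 deny); a sanity check before loading.
count_rules() {
    gen_dns_rules "$@" | wc -l | tr -d ' '
}

# Load (or, in the dry run, print) the rules in order.
gen_dns_rules "$NS1" $SECONDARIES | while read -r rule; do
    $FWCMD $rule
done
```

Two caveats before loading this on a real firewall. ipfw is first-match, so these rules must sit ahead of any broader "allow tcp from any to any established" line or the deny at the end never fires. And the deny also refuses ordinary resolvers that retry a truncated UDP answer over TCP (the TC bit fallback defined in RFC 1035); if your zone serves answers too large for UDP, allow "tcp from any to $ns 53 setup" as well and keep only the transfer itself restricted in named.conf. Note too that ipfw's "established" is a flag check (ACK or RST set), not connection tracking, so it matches any such packet from a listed address, not only packets of a connection the firewall saw opened.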