From owner-freebsd-security Wed Dec 26 12:38: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns2.robhughes.com (12-237-138-77.client.attbi.com [12.237.138.77]) by hub.freebsd.org (Postfix) with SMTP id E26E037B419 for ; Wed, 26 Dec 2001 12:37:43 -0800 (PST) Received: (qmail 69921 invoked from network); 26 Dec 2001 20:37:43 -0000 Received: from hexch01.robhughes.com (192.168.1.3) by ns2.robhughes.com with SMTP; 26 Dec 2001 20:37:43 -0000 Content-Class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Subject: RE: Help with ipfw rules to allow DNS queries through X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3 Date: Wed, 26 Dec 2001 14:37:42 -0600 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Help with ipfw rules to allow DNS queries through Thread-Index: AcGOS2tXDe4y7/uRQx6HwjagBik4IQAAYSbg From: "Robert D. Hughes" To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If a DNS reply exceeds the maximum size of a udp datagram, it will be = sent using TCP so the rule is needed. -----Original Message----- From: Thomas T. Veldhouse [mailto:veldy@veldy.net] Sent: Wednesday, December 26, 2001 2:23 PM To: security@freebsd.org Subject: Re: Help with ipfw rules to allow DNS queries through Try replacing your DNS rules with this: # Allow access to our DNS ${fwcmd} add pass tcp from any to ${ip} 53 setup ${fwcmd} add pass udp from any to ${ip} 53 ${fwcmd} add pass udp from ${ip} 53 to any Straight out of /etc/rc.firewall. I don't think the first line is = really necessary, and in fact, it probably allows zone transfers, so if you = don't want these, don't include it. Tom Veldhouse veldy71@yahoo.com ----- Original Message -----=20 From: "X Philius" To: Sent: Wednesday, December 26, 2001 1:45 PM Subject: Help with ipfw rules to allow DNS queries through > Security Folks, > I have a stand alone server co-located on my employers T1 line. As I > am behind NAT, but not behind a firewall, I have set up ipfw so I can > have *some* control over what gets in and out of my machine. One more > layer in the security onion! >=20 > My box is set up as a web server, shoutcast server, and Darwin > Quicktime Streaming Video server. I would like to add DNS to the mix = so > I can cheaply host domains for my friends and family, but my ipfw = rules > are hanging me up. All the rules below seem to work as I would expect, > except for my attempt to allow DNS queries in and out. The current = rule > set does not even appear to allow me to access an outside DNS server > (ie the server listed in my resolv.conf), much less allow my machine = to > be accessed by others as a DNS server. I started out with the example > 'client' rule set, and added holes for SSH, Darwin and the Shoutcast > servers. >=20 > I do not think this is a factor (it didn't work before my upgrade > either) but I originally set up this rule set under 4.1 Release, and I > am now running 4.4 Release. I believe there were some changes to ipfw > in the transition, but the example rc.firewall looked about the same = to > me, so I assume the changes were under the hood. >=20 > As you can infer from my attempt to add the DNS rules below, I know > there is a UDP and a TCP component to DNS queries, but apparently I do > not have the full picture ;-) >=20 > Can you suggest a set of rules to allow DNS queries in and out of my > server? As I said, the rest of the rules *seem* to work fine as is, = but > if you see anything else I am not doing right I'd appreciate any tips. = > =20 > Thanks in advance! >=20 > Jason >=20 >=20 > # set these to your network and netmask and ip > net=3D"10.1.3.0" > mask=3D"255.255.255.0" > ip=3D"10.1.3.2" >=20 > # Allow TCP through if setup succeeded > ${fwcmd} add pass tcp from any to any established >=20 > # Allow IP fragments to pass through > ${fwcmd} add pass all from any to any frag >=20 > # Allow setup of incoming email > ${fwcmd} add pass tcp from any to ${ip} 25 setup >=20 > # Allow incoming SSH requests > ${fwcmd} add pass tcp from any to ${ip} 22 >=20 > # Allow incoming HTTP requests > ${fwcmd} add pass tcp from any to ${ip} 80 >=20 > # Allow incoming FTP requests > ${fwcmd} add pass tcp from any to ${ip} 21 >=20 > # Allow incoming POP requests > ${fwcmd} add pass tcp from any to ${ip} 110 >=20 > # Allow incoming Darwin requests (also uses port 80) > ${fwcmd} add pass tcp from any to ${ip} 554 > ${fwcmd} add pass tcp from any to ${ip} 7070 >=20 > # Allow outgoing UDP connections of Darwin media > ${fwcmd} add pass udp from ${ip} to any 6970-6975 >=20 > # Allow incoming Shoutcast requests > ${fwcmd} add pass tcp from any to ${ip} 8008 > ${fwcmd} add pass tcp from any to ${ip} 8009 > ${fwcmd} add pass tcp from any to ${ip} 7007 > ${fwcmd} add pass tcp from any to ${ip} 7008 >=20 > # Allow DNS queries out and in > ${fwcmd} add pass tcp from any to ${ip} 53 setup > ${fwcmd} add pass udp from any to ${ip} 53 > ${fwcmd} add pass udp from ${ip} 53 to any >=20 > # Allow set up of outgoing UDP connections > ${fwcmd} add pass udp from ${ip} to any setup >=20 > # Allow setup of outgoing TCP connections > ${fwcmd} add pass tcp from ${ip} to any setup >=20 > # Disallow setup of all other TCP connections > ${fwcmd} add deny tcp from any to any setup >=20 > # Everything else is denied by default, unless the > # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel > # config file. > ;; >=20 >=20 > __________________________________________________ > Do You Yahoo!? > Send your FREE holiday greetings online! > http://greetings.yahoo.com >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message >=20 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message