Date: Mon, 23 Aug 1999 16:55:34 -0600 From: Nate Williams <nate@mt.sri.com> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG Subject: Re: IPFW/DNS rules Message-ID: <199908232255.QAA02707@mt.sri.com> In-Reply-To: <199908232234.PAA36466@gndrsh.dnsmgr.net> References: <199908232108.PAA02230@mt.sri.com> <199908232234.PAA36466@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> > > > > ipfw add 40539 allow log udp from any 53 to any > > > > > > > > This is also insecure, in that it allows anyone to use source port 53 to > > > > connect to *any* UDP port in your network. ... > > Yes, my rules before these have large blocks of udp/tcp ports that log > thier activity, for what you want it would be something like: > > ipfw add 100 deny log tcp from any 1-52 to any > ipfw add 100 deny log tcp from any 54-65535 to any > ipfw add 200 deny log udp from any 1-52 to any > ipfw add 200 deny log udp from any 54-65565 to any > > And of cource, the reverse rules > ipfw add 300 deny log tcp from any to any 1-52 > ipfw add 300 deny log tcp from any to any 54-65535 > ipfw add 400 deny log udp from any to any 1-52 > ipfw add 400 deny log udp from any to any 54-65535 Except that you're still allowing connections *from* port 53 to any UDP service in your network, which bothers me. (I'm doing it as well, FWIW, although I'm limiting it to a single box.) *sigh* > Outsource your DNS services so that no public queries ever hit your > master would be another way. This is known as a hidden master DNS > server, you simply get 2 public secondaries, list them in the SOA > for the zone, but leave out the real master. No one even knows to > go look at your box, except if they break into the slaves. Ahh, this is an idea. This is essentially what I'm doing now, except I didn't think to hide the master. However, we are trying to be more and more 'independant' of the parent company, so for now I think we'll deal with the paranoia. Also, I don't trust the people who are my secondaries as much to be secure. Nate To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199908232255.QAA02707>