From owner-freebsd-security Mon Aug 23 15:55:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91]) by hub.freebsd.org (Postfix) with ESMTP id 2475E14E3F for ; Mon, 23 Aug 1999 15:55:44 -0700 (PDT) (envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by ns.mt.sri.com (8.8.8/8.8.8) with SMTP id QAA04165; Mon, 23 Aug 1999 16:55:40 -0600 (MDT) (envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4) id QAA02707; Mon, 23 Aug 1999 16:55:34 -0600
Date: Mon, 23 Aug 1999 16:55:34 -0600
Message-Id: <199908232255.QAA02707@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Rodney W. Grimes"
Cc: nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject: Re: IPFW/DNS rules
In-Reply-To: <199908232234.PAA36466@gndrsh.dnsmgr.net>
References: <199908232108.PAA02230@mt.sri.com> <199908232234.PAA36466@gndrsh.dnsmgr.net>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > > > ipfw add 40539 allow log udp from any 53 to any
> > > >
> > > > This is also insecure, in that it allows anyone to use source port 53 to
> > > > connect to *any* UDP port in your network.
...
> >
> Yes, my rules before these have large blocks of udp/tcp ports that log
> their activity, for what you want it would be something like:
>
> ipfw add 100 deny log tcp from any 1-52 to any
> ipfw add 100 deny log tcp from any 54-65535 to any
> ipfw add 200 deny log udp from any 1-52 to any
> ipfw add 200 deny log udp from any 54-65535 to any
>
> And of course, the reverse rules
> ipfw add 300 deny log tcp from any to any 1-52
> ipfw add 300 deny log tcp from any to any 54-65535
> ipfw add 400 deny log udp from any to any 1-52
> ipfw add 400 deny log udp from any to any 54-65535

Except that you're still allowing connections *from* port 53 to any UDP
service in your network, which bothers me. (I'm doing it as well, FWIW,
although I'm limiting it to a single box.) *sigh*

> Outsource your DNS services so that no public queries ever hit your
> master would be another way. This is known as a hidden master DNS
> server, you simply get 2 public secondaries, list them in the SOA
> for the zone, but leave out the real master. No one even knows to
> go look at your box, except if they break into the slaves.

Ahh, this is an idea. This is essentially what I'm doing now, except I
didn't think to hide the master. However, we are trying to be more and
more 'independent' of the parent company, so for now I think we'll deal
with the paranoia. Also, I don't trust the people who are my secondaries
as much to be secure.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
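The point being argued in this thread (that a stateless `allow udp from any 53 to any` rule lets any packet with source port 53 reach any UDP service inside, and that per-port deny blocks before it do not close that gap) can be checked against a small model of ipfw's first-match evaluation. The following is an added example, not code from the thread or from FreeBSD: it parses rules in the same `ipfw add` syntax used above, evaluates a packet against them in rule-number order, and compares the loose rule against a constructed tighter set that only admits source-port-53 traffic to the name server's port 53 or to unprivileged ports. The addresses (192.0.2.0/24 as the internal network, 192.0.2.53 as the name server, 198.51.100.7 as an outside host) and the rule numbers 100-120 are assumptions made for the example.

```python
# Added example (not from the thread or FreeBSD): a small model of ipfw's
# first-match evaluation for UDP rules, used to compare the broad
# "allow udp from any 53 to any" rule against a tighter ruleset.
# Addresses (192.0.2.0/24 internal net, 192.0.2.53 name server,
# 198.51.100.7 outside host) and rule numbers are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str                      # only "udp" is exercised here
    src: str                        # "any", a host, or a CIDR block
    src_ports: Optional[range]      # None means any port
    dst: str
    dst_ports: Optional[range]


def parse_ports(tok: str) -> range:
    """Turn an ipfw port spec ("53" or "1024-65535") into a range."""
    lo, _, hi = tok.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {tok!r}")  # catches typos like 54-65565
    return range(lo_i, hi_i + 1)


def parse_rule(line: str) -> Rule:
    """Parse 'ipfw add N action [log] proto from SRC [ports] to DST [ports]'."""
    t = line.split()
    if t[:2] != ["ipfw", "add"]:
        raise ValueError(f"not an ipfw add command: {line!r}")
    number, action, i = int(t[2]), t[3], 4
    if t[i] == "log":               # logging does not affect the match
        i += 1
    proto = t[i]
    i += 1
    if t[i] != "from":
        raise ValueError(f"expected 'from' in {line!r}")
    src = t[i + 1]
    i += 2
    src_ports = None
    if t[i] != "to":
        src_ports = parse_ports(t[i])
        i += 1
    dst = t[i + 1]
    i += 2
    dst_ports = parse_ports(t[i]) if i < len(t) else None
    return Rule(number, action, proto, src, src_ports, dst, dst_ports)


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def port_match(spec: Optional[range], port: int) -> bool:
    return spec is None or port in spec


def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule wins, as in ipfw; rules are tried in number order
    (insertion order within a number). Returns (rule number, action), or
    (65535, "deny") for the implicit default-deny rule."""
    for r in sorted(rules, key=lambda r: r.number):  # sorted() is stable
        if (r.proto == proto and addr_match(r.src, src)
                and port_match(r.src_ports, sport)
                and addr_match(r.dst, dst) and port_match(r.dst_ports, dport)):
            return r.number, r.action
    return 65535, "deny"


# The rule from the thread: any UDP packet with source port 53 is let in.
LOOSE = [parse_rule("ipfw add 40539 allow log udp from any 53 to any")]

# Tighter set (constructed): source-port-53 traffic may reach the name
# server's port 53, or unprivileged ports (where replies to our own resolver
# queries land); everything else from source port 53 is denied and logged.
TIGHT = [parse_rule(l) for l in (
    "ipfw add 100 allow udp from any 53 to 192.0.2.53 53",
    "ipfw add 110 allow udp from any 53 to 192.0.2.0/24 1024-65535",
    "ipfw add 120 deny log udp from any 53 to any",
)]


def compare(src, sport, dst, dport):
    """Return the (number, action) each ruleset gives the same UDP packet."""
    return (evaluate(LOOSE, "udp", src, sport, dst, dport),
            evaluate(TIGHT, "udp", src, sport, dst, dport))


if __name__ == "__main__":
    # Outside host using source port 53 to reach a low-numbered UDP service.
    print(compare("198.51.100.7", 53, "192.0.2.10", 111))
    # Legitimate DNS traffic to the name server.
    print(compare("198.51.100.7", 53, "192.0.2.53", 53))
    # Reply to a resolver query an internal host sent from an unprivileged port.
    print(compare("198.51.100.7", 53, "192.0.2.10", 40000))
```

The first packet shows the difference Nate is worried about: the loose rule admits it to port 111, the tighter set logs and drops it at rule 120. Rule 110 still lets source-port-53 packets reach unprivileged ports on any internal host, which is the residue a stateless packet filter cannot remove without tracking which queries were actually sent; that is the same reason the per-port deny blocks quoted above do not help, since a packet from port 53 never matches a `from any 1-52` or `from any 54-65535` rule at all.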