Date: Sat, 2 May 1998 08:08:10 +0300 From: Ruslan Ermilov <ru@ucb.crimea.ua> To: Dima Dorfman <dima@apc.net>, freebsd-questions@FreeBSD.ORG Subject: Re: IPFW Message-ID: <19980502080810.A25317@ucb.crimea.ua> In-Reply-To: <3.0.5.32.19980501211444.00919bb0@mail.apc.net>; from Dima Dorfman on Fri, May 01, 1998 at 09:14:44PM -0700 References: <3.0.5.32.19980501211444.00919bb0@mail.apc.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, May 01, 1998 at 09:14:44PM -0700, Dima Dorfman wrote:
> Hi:
> 
> I'm trying to deny UDP to my whole network, except DNS.  I am using IPFW,
> and Bind 8.1.1.  Here are my rules:
> 
> ipfw add 1 allow udp from any to 192.168.77.2 53
  ipfw add 1 allow udp from 192.168.77.2 53 to any       <----- Add this
> ipfw add 2 deny udp from any to any
> 
> It still doesn't work.  DNS doesn't get through.  I heard that bind uses
> wired addresses which it isn't allowed to use, but 8.1.1 fixed that with a
> line in the named.conf file.  I added that line, but it still seems to be
> responding on 138, 1050, 1051, ...
> 
> Has anyone had any luck with this?
> 
> Thanks!
I'd suggest you to open TCP 53 port too. Here is what the FAQ says:
--------------------------------------------------------------------------
Question 2.18.  DNS ports
Date: Fri Feb 10 15:40:10 EST 1995
The following table shows what TCP/UDP ports DNS uses to send and  receive
queries:
   Prot Src   Dst   Use
   udp  53    53    Queries between servers (eg, recursive queries)
                    Replies to above
   tcp  53    53    Queries with long replies between servers, zone 
                    transfers Replies to above
   udp  >1023 53    Client queries (sendmail, nslookup, etc ...)
   udp  53    >1023 Replies to above
   tcp  >1023 53    Client queries with long replies
   tcp  53    >1023 Replies to above
   Note: >1023 is for non-priv ports on Un*x clients. On other client 
         types, the limit may be more or less.
Another point to keep in mind when designing filters for DNS is that a DNS
server uses port 53 both as the source and destination for it's queries.
So, a client queries an initial server from an unreserved port number to
UDP port 53.  If the server needs to query another server to get the
required info, it sends a UDP query to that server with both source and
destination ports set to 53.  The response is then sent with the same
src=53 dest=53 to the first server which then responds to the original
client from port 53 to the original source port number.
The point of all this is that putting in filters to only allow UDP between
a high port and port 53 will not work correctly, you must also allow the
port 53 to port 53 UDP to get through.
Also, ALL versions of BIND use TCP for queries in some cases.  The
original query is tried using UDP.  If the response is longer than the
allocated buffer, the resolver will retry the query using a TCP
connection.  If you block access to TCP port 53 as suggested above, you
may find that some things don't work.
Newer version of BIND allow you to configure a list of IP addresses from
which to allow zone transfers.  This mechanism can be used to prevent
people from outside downloading your entire namespace.
--------------------------------------------------------------------------
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980502080810.A25317>
