Date: Sat, 2 May 1998 08:08:10 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Dima Dorfman <dima@apc.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW
Message-ID: <19980502080810.A25317@ucb.crimea.ua>
In-Reply-To: <3.0.5.32.19980501211444.00919bb0@mail.apc.net>; from Dima Dorfman on Fri, May 01, 1998 at 09:14:44PM -0700
References: <3.0.5.32.19980501211444.00919bb0@mail.apc.net>
On Fri, May 01, 1998 at 09:14:44PM -0700, Dima Dorfman wrote:
> Hi:
>
> I'm trying to deny UDP to my whole network, except DNS. I am using IPFW,
> and Bind 8.1.1. Here are my rules:
>
> ipfw add 1 allow udp from any to 192.168.77.2 53
  ipfw add 1 allow udp from 192.168.77.2 53 to any   <----- Add this
> ipfw add 2 deny udp from any to any
>
> It still doesn't work. DNS doesn't get through. I heard that bind uses
> wired addresses which it isn't allowed to use, but 8.1.1 fixed that with a
> line in the named.conf file. I added that line, but it still seems to be
> responding on 138, 1050, 1051, ...
>
> Has anyone had any luck with this?
>
> Thanks!

I'd suggest you open TCP port 53 too. Here is what the FAQ says:

--------------------------------------------------------------------------
Question 2.18. DNS ports

Date: Fri Feb 10 15:40:10 EST 1995

The following table shows what TCP/UDP ports DNS uses to send and
receive queries:

Prot  Src    Dst    Use
udp   53     53     Queries between servers (eg, recursive queries)
                    Replies to above
tcp   53     53     Queries with long replies between servers, zone transfers
                    Replies to above
udp   >1023  53     Client queries (sendmail, nslookup, etc ...)
udp   53     >1023  Replies to above
tcp   >1023  53     Client queries with long replies
tcp   53     >1023  Replies to above

Note: >1023 is for non-priv ports on Un*x clients. On other client
types, the limit may be more or less.

Another point to keep in mind when designing filters for DNS is that a
DNS server uses port 53 both as the source and destination for its
queries. So, a client queries an initial server from an unreserved port
number to UDP port 53. If the server needs to query another server to
get the required info, it sends a UDP query to that server with both
source and destination ports set to 53. The response is then sent with
the same src=53 dest=53 to the first server, which then responds to the
original client from port 53 to the original source port number.

The point of all this is that putting in filters to only allow UDP
between a high port and port 53 will not work correctly; you must also
allow the port 53 to port 53 UDP to get through.

Also, ALL versions of BIND use TCP for queries in some cases. The
original query is tried using UDP. If the response is longer than the
allocated buffer, the resolver will retry the query using a TCP
connection. If you block access to TCP port 53 as suggested above, you
may find that some things don't work.

Newer versions of BIND allow you to configure a list of IP addresses
from which to allow zone transfers. This mechanism can be used to
prevent people from outside downloading your entire namespace.
--------------------------------------------------------------------------
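The following is an added example, not code from the post or from FreeBSD: a small first-match simulator of the ipfw rules above, run over the four UDP legs of a recursive lookup as the FAQ table describes them. 192.168.77.2 is the poster's name server; the client and upstream addresses are constructed, and the implicit final deny assumes a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT.

```python
from collections import namedtuple

# Added example, not from the post or FreeBSD. 192.168.77.2 is the poster's
# name server; the CLIENT and UPSTREAM addresses are constructed.
NS, CLIENT, UPSTREAM = "192.168.77.2", "192.168.77.10", "198.51.100.1"

Packet = namedtuple("Packet", "proto src sport dst dport")

def _endpoint(tokens):
    """'any' or 'ADDR [PORT]' -> (addr or None, port or None)."""
    addr = None if tokens[0] == "any" else tokens[0]
    port = int(tokens[1]) if len(tokens) > 1 else None
    return addr, port

def parse_rule(line):
    """Parse 'ipfw add N action proto from SRC [PORT] to DST [PORT]'."""
    tok = line.split()
    i_from, i_to = tok.index("from"), tok.index("to")
    return (int(tok[2]), tok[3], tok[4],
            _endpoint(tok[i_from + 1:i_to]), _endpoint(tok[i_to + 1:]))

def _match(ep, addr, port):
    return ep[0] in (None, addr) and ep[1] in (None, port)

def decide(rules, pkt):
    """First matching rule wins, as in ipfw (same-numbered rules keep insertion
    order). Packets matching no rule hit the assumed final deny."""
    for _, action, proto, src, dst in sorted(map(parse_rule, rules), key=lambda r: r[0]):
        if proto in ("ip", pkt.proto) and _match(src, pkt.src, pkt.sport) \
                and _match(dst, pkt.dst, pkt.dport):
            return action
    return "deny"

# The four UDP legs of a recursive lookup, as the FAQ table describes them.
DNS_FLOWS = {
    "client query": Packet("udp", CLIENT, 1234, NS, 53),
    "server->server query": Packet("udp", NS, 53, UPSTREAM, 53),
    "server->server reply": Packet("udp", UPSTREAM, 53, NS, 53),
    "reply to client": Packet("udp", NS, 53, CLIENT, 1234),
}
ORIGINAL = ["ipfw add 1 allow udp from any to 192.168.77.2 53",
            "ipfw add 2 deny udp from any to any"]
FIXED = [ORIGINAL[0], "ipfw add 1 allow udp from 192.168.77.2 53 to any", ORIGINAL[1]]

def blocked_flows(rules):
    """Names of the DNS legs that a rule set denies."""
    return [name for name, p in DNS_FLOWS.items() if decide(rules, p) == "deny"]
```

The original set denies the server's own outbound queries and its replies to clients, which is why DNS appeared dead; the extra rule clears all four UDP legs, while TCP 53 still falls through to the final deny until a matching allow is added.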