From owner-freebsd-questions Fri May 1 22:21:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA09385 for freebsd-questions-outgoing; Fri, 1 May 1998 22:21:29 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from mail.apc.net (mail.inhousecorp.com [207.113.177.8] (may be forged)) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id WAA09349 for ; Fri, 1 May 1998 22:21:22 -0700 (PDT) (envelope-from dima@apc.net)
Received: from icg-apc-pr1-p13.apc.net (icg-apc-pr1-p13.apc.net [207.211.76.167]) by mail.apc.net (NTMail 3.03.0013/1d.aag5) with ESMTP id ra832823 for ; Fri, 1 May 1998 22:21:18 -0700
Message-Id: <3.0.5.32.19980501221807.0093db70@mail.apc.net>
X-Sender: dima@mail.apc.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Fri, 01 May 1998 22:18:07 -0700
To: Ruslan Ermilov
From: Dima Dorfman
Subject: Re: IPFW
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <19980502080810.A25317@ucb.crimea.ua>
References: <3.0.5.32.19980501211444.00919bb0@mail.apc.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ok thanks. All TCP is open, but now it still uses >1023.

1) I don't know how to enable all ports above 1023
2) If I do that, what's the point of disabling all of UDP?

Thanks anyways!

Dima

At 08:08 AM 5/2/98 +0300, you wrote:
>On Fri, May 01, 1998 at 09:14:44PM -0700, Dima Dorfman wrote:
>> Hi:
>>
>> I'm trying to deny UDP to my whole network, except DNS. I am using IPFW,
>> and Bind 8.1.1. Here are my rules:
>>
>> ipfw add 1 allow udp from any to 192.168.77.2 53
> ipfw add 1 allow udp from 192.168.77.2 53 to any <----- Add this
>> ipfw add 2 deny udp from any to any
>>
>> It still doesn't work. DNS doesn't get through. I heard that bind uses
>> wired addresses which it isn't allowed to use, but 8.1.1 fixed that with a
>> line in the named.conf file. I added that line, but it still seems to be
>> responding on 138, 1050, 1051, ...
>>
>> Has anyone had any luck with this?
>>
>> Thanks!
>
>I'd suggest you open TCP port 53 too. Here is what the FAQ says:
>
>--------------------------------------------------------------------------
>Question 2.18. DNS ports
>
>Date: Fri Feb 10 15:40:10 EST 1995
>
>The following table shows what TCP/UDP ports DNS uses to send and receive
>queries:
>
>  Prot  Src    Dst    Use
>  udp   53     53     Queries between servers (eg, recursive queries)
>                      Replies to above
>  tcp   53     53     Queries with long replies between servers, zone
>                      transfers
>                      Replies to above
>  udp   >1023  53     Client queries (sendmail, nslookup, etc ...)
>  udp   53     >1023  Replies to above
>  tcp   >1023  53     Client queries with long replies
>  tcp   53     >1023  Replies to above
>
>  Note: >1023 is for non-priv ports on Un*x clients. On other client
>  types, the limit may be more or less.
>
>Another point to keep in mind when designing filters for DNS is that a DNS
>server uses port 53 both as the source and destination for its queries.
>So, a client queries an initial server from an unreserved port number to
>UDP port 53. If the server needs to query another server to get the
>required info, it sends a UDP query to that server with both source and
>destination ports set to 53. The response is then sent with the same
>src=53 dest=53 to the first server which then responds to the original
>client from port 53 to the original source port number.
>
>The point of all this is that putting in filters to only allow UDP between
>a high port and port 53 will not work correctly, you must also allow the
>port 53 to port 53 UDP to get through.
>
>Also, ALL versions of BIND use TCP for queries in some cases. The
>original query is tried using UDP. If the response is longer than the
>allocated buffer, the resolver will retry the query using a TCP
>connection. If you block access to TCP port 53 as suggested above, you
>may find that some things don't work.
>
>Newer versions of BIND allow you to configure a list of IP addresses from
>which to allow zone transfers. This mechanism can be used to prevent
>people from outside downloading your entire namespace.
>--------------------------------------------------------------------------
>

---
Dima Dorfman (dima@apc.net)
"640k ought to be enough for anybody." - Bill Gates, 1981
Micro$oft $ucks! FreeBSD Rules! http://www.freebsd.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
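The following is an added example, not code from the thread or from FreeBSD's ipfw: a small first-match rule evaluator that replays the DNS flows from the quoted FAQ table (client query and reply over UDP, server-to-server 53-to-53, the TCP fallback) against the poster's original two rules and against the ruleset with the rule Ruslan suggests added. It goes a little beyond the thread by also checking a non-DNS UDP flow to confirm it stays blocked. The parser handles only the `ACTION PROTO from SRC [PORT] to DST [PORT]` subset of ipfw syntax used in the thread; 192.168.77.2 is the server from the original post, while the client and upstream addresses, the high port numbers and the "default allow when nothing matches" policy (mirroring "All TCP is open") are constructed assumptions.

```python
"""Added example: first-match evaluation of the DNS ipfw rulesets from the thread.
Not ipfw's code; only the tiny rule subset used in the thread is parsed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER = "192.168.77.2"     # the name server from the original post
CLIENT = "192.168.77.10"    # constructed: a LAN workstation running nslookup
UPSTREAM = "198.51.100.1"   # constructed: an outside server the LAN server asks

# The two rulesets under discussion, without the 'ipfw add <num>' prefix.
ORIGINAL_RULES = [
    "allow udp from any to 192.168.77.2 53",
    "deny udp from any to any",
]
SUGGESTED_RULES = [
    "allow udp from any to 192.168.77.2 53",
    "allow udp from 192.168.77.2 53 to any",   # the rule Ruslan says to add
    "deny udp from any to any",
]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "udp", "tcp" or "ip" (matches both)
    src: str               # host address or "any"
    sport: Optional[str]   # "53", ">1023" or None for any port
    dst: str
    dport: Optional[str]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(text: str) -> Rule:
    """Parse 'ACTION PROTO from SRC [PORT] to DST [PORT]'; a full
    'ipfw add N ...' command line is accepted and its prefix dropped."""
    tok = text.split()
    if tok[:2] == ["ipfw", "add"]:
        tok = tok[3:]
    if tok[2] != "from" or "to" not in tok:
        raise ValueError(f"unsupported rule: {text}")
    to = tok.index("to")
    src_part, dst_part = tok[3:to], tok[to + 1:]
    return Rule(tok[0], tok[1],
                src_part[0], src_part[1] if len(src_part) > 1 else None,
                dst_part[0], dst_part[1] if len(dst_part) > 1 else None)


def port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src) and port_matches(rule.sport, pkt.sport)
            and rule.dst in ("any", pkt.dst) and port_matches(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """ipfw semantics: the first matching rule decides. No match returns
    "allow", an assumption mirroring the poster's "All TCP is open"."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "allow"


# The flows from the FAQ table, plus one constructed non-DNS UDP flow.
DNS_FLOWS: Dict[str, Packet] = {
    "client_query_udp":   Packet("udp", CLIENT, 1050, SERVER, 53),    # udp >1023 -> 53
    "client_reply_udp":   Packet("udp", SERVER, 53, CLIENT, 1050),    # udp 53 -> >1023
    "srv_to_srv_udp_out": Packet("udp", SERVER, 53, UPSTREAM, 53),    # udp 53 -> 53
    "srv_to_srv_udp_in":  Packet("udp", UPSTREAM, 53, SERVER, 53),    # udp 53 -> 53
    "client_query_tcp":   Packet("tcp", CLIENT, 1051, SERVER, 53),    # tcp >1023 -> 53
    "client_reply_tcp":   Packet("tcp", SERVER, 53, CLIENT, 1051),    # tcp 53 -> >1023
    "other_udp_138":      Packet("udp", CLIENT, 138, UPSTREAM, 138),  # not DNS; must stay denied
}


def check_flows(rule_texts: List[str]) -> Dict[str, str]:
    """Return the verdict ("allow" or "deny") for every flow under a ruleset."""
    rules = [parse_rule(t) for t in rule_texts]
    return {name: evaluate(rules, pkt) for name, pkt in DNS_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        print(f"--- {label} ruleset ---")
        for name, verdict in check_flows(rules).items():
            print(f"{name:20s} {verdict}")
```

Running it shows why the original pair of rules breaks DNS: replies from the server (source port 53, destination a high port) and the server's own outbound 53-to-53 queries hit the catch-all deny, because the only allow rule matches on the destination being 192.168.77.2:53. The added "from 192.168.77.2 53 to any" rule passes both, which also answers the question about ports above 1023: nothing has to be opened per high port, since the replies are matched on their source port 53, and the unrelated UDP flow on port 138 is still denied.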