Date: Fri, 01 May 1998 22:18:07 -0700
From: Dima Dorfman <dima@apc.net>
To: Ruslan Ermilov <ru@ucb.crimea.ua>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW
Message-ID: <3.0.5.32.19980501221807.0093db70@mail.apc.net>
In-Reply-To: <19980502080810.A25317@ucb.crimea.ua>
References: <3.0.5.32.19980501211444.00919bb0@mail.apc.net> <3.0.5.32.19980501211444.00919bb0@mail.apc.net>
Ok thanks. All TCP is open, but now it still uses >1023.

1) I don't know how to enable all ports above 1023
2) If I do that, what's the point of disabling all of UDP?

Thanks anyways!

Dima

At 08:08 AM 5/2/98 +0300, you wrote:
>On Fri, May 01, 1998 at 09:14:44PM -0700, Dima Dorfman wrote:
>> Hi:
>>
>> I'm trying to deny UDP to my whole network, except DNS. I am using IPFW,
>> and Bind 8.1.1. Here are my rules:
>>
>> ipfw add 1 allow udp from any to 192.168.77.2 53
> ipfw add 1 allow udp from 192.168.77.2 53 to any   <----- Add this
>> ipfw add 2 deny udp from any to any
>>
>> It still doesn't work. DNS doesn't get through. I heard that bind uses
>> wired addresses which it isn't allowed to use, but 8.1.1 fixed that with a
>> line in the named.conf file. I added that line, but it still seems to be
>> responding on 138, 1050, 1051, ...
>>
>> Has anyone had any luck with this?
>>
>> Thanks!
>
>I'd suggest you open TCP port 53 too. Here is what the FAQ says:
>
>--------------------------------------------------------------------------
>Question 2.18. DNS ports
>
>Date: Fri Feb 10 15:40:10 EST 1995
>
>The following table shows what TCP/UDP ports DNS uses to send and receive
>queries:
>
> Prot  Src    Dst    Use
> udp   53     53     Queries between servers (eg, recursive queries)
>                     Replies to above
> tcp   53     53     Queries with long replies between servers, zone
>                     transfers
>                     Replies to above
> udp   >1023  53     Client queries (sendmail, nslookup, etc ...)
> udp   53     >1023  Replies to above
> tcp   >1023  53     Client queries with long replies
> tcp   53     >1023  Replies to above
>
> Note: >1023 is for non-priv ports on Un*x clients. On other client
> types, the limit may be more or less.
>
>Another point to keep in mind when designing filters for DNS is that a DNS
>server uses port 53 both as the source and destination for its queries.
>So, a client queries an initial server from an unreserved port number to
>UDP port 53. If the server needs to query another server to get the
>required info, it sends a UDP query to that server with both source and
>destination ports set to 53. The response is then sent with the same
>src=53 dest=53 to the first server which then responds to the original
>client from port 53 to the original source port number.
>
>The point of all this is that putting in filters to only allow UDP between
>a high port and port 53 will not work correctly, you must also allow the
>port 53 to port 53 UDP to get through.
>
>Also, ALL versions of BIND use TCP for queries in some cases. The
>original query is tried using UDP. If the response is longer than the
>allocated buffer, the resolver will retry the query using a TCP
>connection. If you block access to TCP port 53 as suggested above, you
>may find that some things don't work.
>
>Newer versions of BIND allow you to configure a list of IP addresses from
>which to allow zone transfers. This mechanism can be used to prevent
>people from outside downloading your entire namespace.
>--------------------------------------------------------------------------
>

---
Dima Dorfman (dima@apc.net)
"640k ought to be enough for anybody." - Bill Gates, 1981
Micro$oft $ucks! FreeBSD Rules! http://www.freebsd.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
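Added example, not part of the thread above and not anything either poster wrote: a small first-match filter simulator that runs the DNS flows from the quoted FAQ table through the original two-rule set and through a corrected set, so the reason the original rules drop replies (and the server's own 53-to-53 recursive queries) is visible packet by packet. It also answers the "how do I allow everything above 1023" question by using an ipfw-style port range (`1024-65535`) on the reply rule. Everything here is constructed: the client 192.168.77.10, the upstream server 198.51.100.1, the port numbers, the `allow tcp from any to any` rule standing in for "all TCP is open", and the assumption that a packet matching no rule is denied (the usual ipfw default). The `ipfw add N` prefixes are dropped because the simulator only needs the match part of each rule.

```python
# Added example (not the original poster's or the FAQ's code): first-match
# simulation of ipfw-style rules against the DNS flows in the quoted FAQ table.
import re
from ipaddress import ip_address, ip_network

# Rule grammar subset: ACTION PROTO from SRC [PORTS] to DST [PORTS]
# PORTS is a single port ("53") or a range ("1024-65535"); an address is
# "any", a host, or a net/bits prefix. Anything else raises ValueError.
RULE_RE = re.compile(
    r"^(allow|deny)\s+(udp|tcp)\s+from\s+(\S+)(?:\s+(\d+(?:-\d+)?))?"
    r"\s+to\s+(\S+)(?:\s+(\d+(?:-\d+)?))?$"
)

def parse_ports(spec):
    """None means any port; '53' -> (53, 53); '1024-65535' -> (1024, 65535)."""
    if spec is None:
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))

def parse_addr(spec):
    return None if spec == "any" else ip_network(spec, strict=False)

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sp, dst, dp = m.groups()
    return {"action": action, "proto": proto,
            "src": parse_addr(src), "sport": parse_ports(sp),
            "dst": parse_addr(dst), "dport": parse_ports(dp)}

def matches(rule, pkt):
    proto, src, sport, dst, dport = pkt
    addr_ok = lambda net, a: net is None or ip_address(a) in net
    port_ok = lambda rng, p: rng[0] <= p <= rng[1]
    return (rule["proto"] == proto
            and addr_ok(rule["src"], src) and port_ok(rule["sport"], sport)
            and addr_ok(rule["dst"], dst) and port_ok(rule["dport"], dport))

def evaluate(rules, pkt):
    """First matching rule wins, as in ipfw; no match -> deny (assumed default)."""
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["action"]
    return "deny"

# Constructed hosts: the poster's server, a LAN client, an upstream name server.
SERVER, CLIENT, UPSTREAM = "192.168.77.2", "192.168.77.10", "198.51.100.1"

# Constructed packets, one per row of the FAQ table plus one non-DNS UDP
# datagram that the filter is supposed to keep blocking.
# Tuple layout: (proto, src, sport, dst, dport)
FLOWS = {
    "client query":        ("udp", CLIENT, 1050, SERVER, 53),
    "reply to client":     ("udp", SERVER, 53, CLIENT, 1050),
    "recursive query out": ("udp", SERVER, 53, UPSTREAM, 53),
    "recursive reply in":  ("udp", UPSTREAM, 53, SERVER, 53),
    "tcp client query":    ("tcp", CLIENT, 1051, SERVER, 53),
    "tcp reply to client": ("tcp", SERVER, 53, CLIENT, 1051),
    "netbios datagram":    ("udp", CLIENT, 138, "192.168.77.20", 138),
}

# The two rules from the original post, plus the assumed TCP allow.
ORIGINAL_RULES = [
    "allow udp from any to 192.168.77.2 53",
    "allow tcp from any to any",           # assumption: "All TCP is open"
    "deny udp from any to any",
]

# Corrected set: replies to unprivileged client ports use a port range, and
# the server's own recursive queries (53 -> 53) get their own rule.
FIXED_RULES = [
    "allow udp from any to 192.168.77.2 53",              # queries in (clients and other servers)
    "allow udp from 192.168.77.2 53 to any 1024-65535",   # replies to clients above 1023
    "allow udp from 192.168.77.2 53 to any 53",           # recursive queries out, 53 -> 53
    "allow tcp from any to any",                          # assumption: "All TCP is open"
    "deny udp from any to any",                           # everything else UDP
]

def verdicts(rules):
    """Map each named flow to the verdict the rule set gives it."""
    return {name: evaluate(rules, pkt) for name, pkt in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(label)
        for name, verdict in verdicts(rules).items():
            print(f"  {verdict:5}  {name}")
```

Running it shows the original set passing the inbound query but denying both "reply to client" and "recursive query out", which is exactly the symptom described in the thread; the corrected set passes every DNS row of the FAQ table and still denies the NetBIOS datagram on 138. Note that the first rule already admits inbound 53-to-53 replies from other servers, so the only rules that had to be added are the outbound ones from the server's port 53.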