From owner-freebsd-security Wed Dec 26 12:56:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web11801.mail.yahoo.com (web11801.mail.yahoo.com [216.136.172.155]) by hub.freebsd.org (Postfix) with SMTP id 1C83A37B416 for ; Wed, 26 Dec 2001 12:56:49 -0800 (PST)
Message-ID: <20011226205648.87285.qmail@web11801.mail.yahoo.com>
Received: from [64.73.64.94] by web11801.mail.yahoo.com via HTTP; Wed, 26 Dec 2001 12:56:48 PST
Date: Wed, 26 Dec 2001 12:56:48 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: "Thomas T. Veldhouse" , security@freebsd.org
In-Reply-To: <00ea01c18e4b$19edf0c0$3028680a@tgt.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thomas (and other helpful security folks),

This is exactly what I am using, and it does not seem to work. Perhaps it is NAT messing me up. I am behind a Cisco router that is doing the NAT for me, but as far as I know it is wide open between me and the net, other than a straight translation from my internal address to my external address. Hmmm.

However, I can access another DNS server as a client with the default open rule set, but not with this set in place. This makes me think that NAT is *not* the problem.

I would also like to get set up as a primary and/or secondary DNS server (going to set up a swap with a friend, the usual low-rent DNS set-up ;-), so just accessing an external name server as a client is not the ultimate goal. I would also like to allow others to access my machine as a DNS server, and to be authoritative on some domains.

Any suggestions?

Jason

--- "Thomas T. Veldhouse" wrote:
> Try replacing your DNS rules with this:
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${ip} 53 setup
> ${fwcmd} add pass udp from any to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to any
>
> Straight out of /etc/rc.firewall. I don't think the first line is really
> necessary, and in fact, it probably allows zone transfers, so if you don't
> want these, don't include it.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
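The quoted rules only cover the server side of port 53: queries arriving at ${ip} 53 and answers leaving from ${ip} 53. When the same host acts as a resolver *client*, its queries leave from an unprivileged port towards a remote port 53 and the answers come back to that high port, which none of the three rules match. The rule set below is an added example, not code from the thread or from /etc/rc.firewall; it keeps the ${fwcmd}/${ip} style of rc.firewall, uses ipfw's keep-state/check-state for the client-side flows, and opens TCP 53 (truncated answers and zone transfers) only from a chosen peer. The address 192.0.2.10 and the secondary 198.51.100.5 are assumed placeholders. With no second argument the function only prints the rules (dry run); pass "/sbin/ipfw" to load them.

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw rules for a host that is
# both an authoritative DNS server and a resolver client, in the ${fwcmd}
# style of /etc/rc.firewall. Addresses used below are assumed placeholders.
#
# dns_rules IP [FWCMD] [XFER_PEER]
#   IP         address of this host
#   FWCMD      command used to load rules; defaults to "echo ipfw" (dry run)
#   XFER_PEER  host allowed to open TCP 53 (zone transfers); defaults to any
dns_rules() {
    ip="$1"
    fwcmd="${2:-echo ipfw}"
    xfer_peer="${3:-any}"

    # Let packets belonging to flows recorded by a keep-state rule through.
    ${fwcmd} add check-state

    # Client side: our resolver sends from a high port to a remote port 53.
    # keep-state records the flow so the reply is accepted by check-state
    # without opening anything inbound to the world.
    ${fwcmd} add pass udp from ${ip} to any 53 keep-state
    ${fwcmd} add pass tcp from ${ip} to any 53 setup keep-state

    # Server side: answer UDP queries from anyone on our port 53.
    ${fwcmd} add pass udp from any to ${ip} 53
    ${fwcmd} add pass udp from ${ip} 53 to any

    # TCP 53 carries answers over 512 bytes and AXFR zone transfers;
    # restrict the source to the secondary that is allowed to pull zones.
    ${fwcmd} add pass tcp from ${xfer_peer} to ${ip} 53 setup
    # Established TCP sessions (as rc.firewall does for the "simple" profile).
    ${fwcmd} add pass tcp from any to any established
}

# Dry run: print the rules for 192.0.2.10, transfers allowed only from
# 198.51.100.5 (both constructed placeholder addresses).
dns_rules 192.0.2.10 "" 198.51.100.5
```

Order matters: check-state must precede the pass rules, and these lines belong before any final deny. If zone transfers are not wanted at all, drop the TCP 53 setup rule, as the quoted reply suggests, but keep the client-side rules or the resolver will still fail.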