From owner-freebsd-security@FreeBSD.ORG Thu Jul 10 06:06:29 2008
Date: Thu, 10 Jul 2008 01:06:25 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Tim Clewlow
Cc: freebsd-security@freebsd.org, Oliver Fromme
Subject: Re: BIND update?
In-Reply-To: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>
Message-ID: <20080710010119.K5394@odysseus.silby.com>
References: <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca> <20080709233650.B3813@odysseus.silby.com> <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>
List-Id: "Security issues [members-only posting]"

On Thu, 10 Jul 2008, Tim Clewlow wrote:

> Assuming this is NOT a gateway, i.e. a single-homed DNS.

nat on $ext_if proto udp from any to any port 53 -> ($ext_if)

That's the rule that works for me. You don't need to worry about tcp
because tcp is protected by its 32-bit initial sequence number.

If someone wants to go propose this fix on bugtraq, please don't mention
my name. I don't want to get dragged into it. :)

-Mike
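An added verification helper, not part of Mike's message and not FreeBSD or pf code: after loading a nat rule like the one above, the thing to confirm is that queries leaving the external interface really do carry varying UDP source ports, rather than the resolver's fixed query port. This script parses `tcpdump -n` style lines (the samples below are constructed, not a real capture) and reports whether the source port is fixed, randomized, or whether some queries bypassed the rule. The port range it checks against is pf's default translation range (50001:65535, as documented in pf.conf(5) when the rule names no port); if you give the nat rule an explicit `port` range, pass it in instead.

```python
"""Check that outbound DNS queries leave with varied UDP source ports.

Example helper (not from the FreeBSD thread). Feed it the output of e.g.
    tcpdump -n -i em0 'udp and dst port 53'
captured on the external interface after the pf nat rule is loaded.
"""
import re
from collections import Counter

# Fields of a tcpdump -n line for a UDP DNS query:
# "IP <src>.<sport> > <dst>.53: <txid>+ A? name. (len)"
_QUERY = re.compile(
    r"IP (?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.53: (?P<txid>\d+)[+%]? "
)

# pf's default source-port range for translations when the nat rule
# specifies no port (pf.conf(5)). A query outside it did not hit the rule.
NAT_PORT_RANGE = (50001, 65535)

# Constructed samples, not real captures. "Before": BIND sending every
# query from port 53. "After": the same queries rewritten by pf.
BEFORE_FIX = """\
12:00:01.000001 IP 203.0.113.10.53 > 198.51.100.5.53: 4660+ A? example.com. (29)
12:00:01.000452 IP 203.0.113.10.53 > 198.51.100.6.53: 4661+ A? example.net. (29)
12:00:01.000903 IP 203.0.113.10.53 > 198.51.100.7.53: 4662+ AAAA? example.org. (29)
12:00:01.001340 IP 203.0.113.10.53 > 198.51.100.5.53: 4663+ MX? example.com. (29)
"""
AFTER_FIX = """\
12:00:01.000001 IP 203.0.113.10.50123 > 198.51.100.5.53: 4660+ A? example.com. (29)
12:00:01.000452 IP 203.0.113.10.61877 > 198.51.100.6.53: 4661+ A? example.net. (29)
12:00:01.000903 IP 203.0.113.10.55044 > 198.51.100.7.53: 4662+ AAAA? example.org. (29)
12:00:01.001340 IP 203.0.113.10.63001 > 198.51.100.5.53: 4663+ MX? example.com. (29)
"""
# One query slipped past the rule (e.g. sent before pf reloaded).
PARTIAL_FIX = """\
12:00:01.000001 IP 203.0.113.10.50123 > 198.51.100.5.53: 4660+ A? example.com. (29)
12:00:01.000452 IP 203.0.113.10.53 > 198.51.100.6.53: 4661+ A? example.net. (29)
12:00:01.000903 IP 203.0.113.10.61877 > 198.51.100.7.53: 4662+ AAAA? example.org. (29)
"""


def parse_queries(capture):
    """Return (src_port, txid) for every outbound query line in capture."""
    out = []
    for line in capture.splitlines():
        m = _QUERY.search(line)
        if m:
            out.append((int(m.group("sport")), int(m.group("txid"))))
    return out


def check_source_ports(capture, nat_range=NAT_PORT_RANGE):
    """Summarise how predictable the resolver's source ports look.

    verdict is 'fixed' (one port for every query, the pre-fix state),
    'unnatted' (some queries bypassed the rule), 'randomized', or
    'no-queries' if nothing parsed.
    """
    queries = parse_queries(capture)
    ports = Counter(p for p, _ in queries)
    lo, hi = nat_range
    outside = sum(n for p, n in ports.items() if not lo <= p <= hi)
    if not queries:
        verdict = "no-queries"
    elif len(ports) == 1:
        verdict = "fixed"
    elif outside:
        verdict = "unnatted"
    else:
        verdict = "randomized"
    return {
        "queries": len(queries),
        "distinct_ports": len(ports),
        "outside_nat_range": outside,
        "verdict": verdict,
    }


def guess_space(nat_range=NAT_PORT_RANGE, fixed_port=False):
    """Number of (port, txid) pairs a blind spoofer must cover per query.

    With a fixed port only the 16-bit transaction ID varies; with pf's
    translation the port range multiplies that.
    """
    lo, hi = nat_range
    ports = 1 if fixed_port else (hi - lo + 1)
    return 65536 * ports


if __name__ == "__main__":
    for label, cap in (("before", BEFORE_FIX), ("after", AFTER_FIX),
                       ("partial", PARTIAL_FIX)):
        print(label, check_source_ports(cap))
    print("guess space fixed:", guess_space(fixed_port=True))
    print("guess space natted:", guess_space())
```

Two caveats worth keeping in mind when reading the output. First, pf's default range is about 15.5K ports, not the full 16 bits, so the `guess_space` figure is a lower bound on what a blind spoofer must cover and can be widened with an explicit `port` range on the nat rule. Second, a `fixed` verdict on a live box after the rule is loaded usually means the queries never matched it (wrong interface macro, or a `static-port` rule elsewhere), so check `pfctl -s nat` and `pfctl -s state` before assuming the resolver is at fault.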