From owner-freebsd-security Mon Jun 12 18:46:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from wat-border.sentex.ca (waterloo-hespler.sentex.ca [199.212.135.66]) by hub.freebsd.org (Postfix) with ESMTP id DA38C37B8D6 for ; Mon, 12 Jun 2000 18:46:25 -0700 (PDT) (envelope-from mike@sentex.net)
Received: from granite.sentex.net (granite-atm.sentex.ca [209.112.4.1]) by wat-border.sentex.ca (8.9.3/8.9.3) with ESMTP id VAA95961; Mon, 12 Jun 2000 21:46:24 -0400 (EDT) (envelope-from mike@sentex.net)
Received: from chimp (cage.simianscience.com [64.7.134.1]) by granite.sentex.net (8.8.8/8.6.9) with ESMTP id VAA08652; Mon, 12 Jun 2000 21:46:24 -0400 (EDT)
Message-Id: <4.2.2.20000612213940.036c4ec0@mail.sentex.net>
X-Sender: mdtancsa@mail.sentex.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Mon, 12 Jun 2000 21:42:05 -0400
To: Hugh Ho , freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: IPFW rules for DNS?
In-Reply-To: <20000613014237.10942.qmail@web210.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 06:42 PM 6/12/2000 -0700, Hugh Ho wrote:
>I need to do nslookup quite often, and I have the following IPFW rules which
>allow nslookup to talk to my ISP's DNS server:
>
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
>
>Problem with the above rules is that people can pass IPFW if they use UDP port
>53 with a spoofed IP that matches my ISP's DNS server. Is there a way to
>fix my problem?

Sadly no. However, your ISP should be at least blocking spoofed addresses from the outside world from coming in to their network. But that does not of course prevent other users from inside from doing so. Make sure bind is running in its own sandbox in case you are not doing so already.
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
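The following is an added illustration, not part of the thread and not anything Hugh or Mike posted. It models in Python how the two stateless rules quoted above evaluate packets, and sets that beside a model of state-tracking filtering of the kind ipfw offers with `keep-state`/`check-state`, so the exposure Hugh describes can be seen concretely: a stateless rule admits any UDP packet whose source reads `${dns_server}:53`, whether or not a query was ever sent. The addresses, port numbers and packets are constructed placeholders; the rule representation is a simplification and is not ipfw's own code.

```python
"""Stateless vs. state-tracking evaluation of the DNS rules from the thread.

Added illustration. Addresses, ports and packets below are constructed
placeholders, not values from the original message.
"""
from dataclasses import dataclass

MY_IP = "192.0.2.10"          # constructed placeholder for ${my_ip}
DNS_SERVER = "198.51.100.53"  # constructed placeholder for ${dns_server}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def stateless_allows(pkt: Packet) -> bool:
    """The two rules exactly as quoted: match on addresses and ports only.

      allow udp from ${my_ip} to ${dns_server} 53
      allow udp from ${dns_server} 53 to ${my_ip}
    """
    if pkt.proto != "udp":
        return False
    if pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53:
        return True
    # Any packet claiming to come from the resolver's port 53 is admitted,
    # regardless of destination port or whether a query preceded it.
    if pkt.src == DNS_SERVER and pkt.sport == 53 and pkt.dst == MY_IP:
        return True
    return False


class StatefulFilter:
    """Model of keep-state/check-state: an outbound query creates a dynamic
    entry, and inbound traffic is admitted only if it is the reverse of one.
    This is a simplified model, not ipfw's implementation."""

    def __init__(self) -> None:
        self.dynamic: set[tuple] = set()

    def allows(self, pkt: Packet) -> bool:
        if pkt.proto != "udp":
            return False
        # check-state: inbound packet matching an open flow, 5-tuple reversed
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic:
            return True
        # outbound query rule with keep-state: admit and record the flow
        if pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53:
            self.dynamic.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def compare_policies() -> dict:
    """Run the same three constructed packets through both models."""
    query = Packet("udp", MY_IP, 4000, DNS_SERVER, 53)          # our lookup
    reply = Packet("udp", DNS_SERVER, 53, MY_IP, 4000)          # its answer
    forged = Packet("udp", DNS_SERVER, 53, MY_IP, 514)          # no query sent
    f = StatefulFilter()
    return {
        "stateless": [stateless_allows(p) for p in (query, reply, forged)],
        "stateful": [f.allows(p) for p in (query, reply, forged)],
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(f"{name:9s} query/reply/forged -> {verdicts}")
```

Under the stateless rules the forged packet to port 514 is admitted along with the real reply; under the state-tracking model it is dropped because no flow to port 514 exists. The caveat matches Mike's answer: while a query's dynamic entry is open, a packet forged with exactly that 5-tuple still matches, so state narrows the window rather than closing it, and upstream anti-spoofing filtering plus a sandboxed resolver remain the controls that matter.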