Date: Wed, 14 Mar 2001 14:33:39 -0600
From: Bill Fumerola <billf@mu.org>
To: Peter Brezny <peter@sysadmin-inc.com>
Cc: freebsd-net@freebsd.org
Subject: Re: problem with secondary dns update through ipfw firewall
Message-ID: <20010314143339.R31752@elvis.mu.org>
In-Reply-To: <000701c0ac9a$978cc4e0$46010a0a@wkst>; from peter@sysadmin-inc.com on Wed, Mar 14, 2001 at 10:22:32AM -0500
References: <20010314001619.O31752@elvis.mu.org> <000701c0ac9a$978cc4e0$46010a0a@wkst>
On Wed, Mar 14, 2001 at 10:22:32AM -0500, Peter Brezny wrote:

> Bill,
> I do have a list? ... Which list is that?
>
> I think the light bulb is beginning to glow, dimly but still glow. I guess I
> only have to allow the root servers access? Is that what you mean?

Typically you would want to allow queries from any addresses and zone transfers from secondary nameservers or from the primary nameservers that any of your servers secondary off of.

> However I am still wondering why the firewall rules I have below aren't
> allowing transfers, I do have an allow rule for established traffic, just
> well above the rules below.
>
> $fwcmd add allow tcp from any to any established
>
> shouldn't this ruleset allow any DNS server to perform a transfer?

a zone transfer, yes. that may or may not be what you want (but it can be controlled with named.conf as well if you just want simple ipfw rules)

--
Bill Fumerola - security yahoo / Yahoo! inc. - fumerola@yahoo-inc.com / billf@FreeBSD.org
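The split Bill describes (queries from anywhere, zone transfers only from the secondaries), written out as an added example that is not part of the thread: an ipfw rule generator in the thread's $fwcmd style, plus the named.conf allow-transfer block that does the same job inside BIND. The nameserver address 192.0.2.1 and the secondaries 198.51.100.x are constructed documentation addresses; fwcmd defaults to a dry run unless you set it to /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits ipfw rules in the
# $fwcmd style the thread uses. Addresses passed in are placeholders.
fwcmd="${fwcmd:-echo ipfw}"

# dns_rules NS_ADDR SECONDARY_ADDR...
# Prints rule bodies (without the leading "ipfw") on stdout.
dns_rules() {
    ns="$1"; shift
    # Ongoing TCP sessions, as in the thread's "established" rule.
    echo "add allow tcp from any to any established"
    # Queries from any client, and the UDP answers going back out.
    echo "add allow udp from any to $ns 53"
    echo "add allow udp from $ns 53 to any"
    # New TCP 53 sessions (AXFR runs over TCP) only from the secondaries.
    for sec in "$@"; do
        echo "add allow tcp from $sec to $ns 53 setup"
    done
    # Everyone else gets no TCP 53 session, hence no transfer. Caveat: this
    # also blocks TCP retries of answers too large for UDP, which is why
    # restricting transfers in named.conf is the more precise control.
    echo "add deny tcp from any to $ns 53 setup"
}

# named_transfer_acl SECONDARY_ADDR...
# Prints a named.conf options block restricting transfers to the same hosts.
named_transfer_acl() {
    echo "options {"
    echo "    allow-query    { any; };"
    printf '    allow-transfer { '
    for sec in "$@"; do printf '%s; ' "$sec"; done
    echo "};"
    echo "};"
}

# load_rules NS_ADDR SECONDARY_ADDR...
# Feeds each generated rule to $fwcmd (echo by default, so a dry run).
load_rules() {
    dns_rules "$@" | while read -r rule; do
        $fwcmd $rule
    done
}
```

Run `load_rules 192.0.2.1 198.51.100.5` to see the rules, and `named_transfer_acl 198.51.100.5` for the matching BIND block.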