From owner-freebsd-net Wed Mar 14 12:33:42 2001
Delivered-To: freebsd-net@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id 8340D37B719 for ; Wed, 14 Mar 2001 12:33:39 -0800 (PST) (envelope-from billf@elvis.mu.org)
Received: by elvis.mu.org (Postfix, from userid 1098) id 414ED81D01; Wed, 14 Mar 2001 14:33:39 -0600 (CST)
Date: Wed, 14 Mar 2001 14:33:39 -0600
From: Bill Fumerola
To: Peter Brezny
Cc: freebsd-net@freebsd.org
Subject: Re: problem with secondary dns update through ipfw firewall
Message-ID: <20010314143339.R31752@elvis.mu.org>
References: <20010314001619.O31752@elvis.mu.org> <000701c0ac9a$978cc4e0$46010a0a@wkst>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <000701c0ac9a$978cc4e0$46010a0a@wkst>; from peter@sysadmin-inc.com on Wed, Mar 14, 2001 at 10:22:32AM -0500
X-Operating-System: FreeBSD 4.2-FEARSOME-20010209 i386
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 14, 2001 at 10:22:32AM -0500, Peter Brezny wrote:

> Bill,
> I do have a list? ... Which list is that?
>
> I think the light bulb is beginning to glow, dimly but still glow. I guess I
> only have to allow the root servers access? Is that what you mean?

Typically you would want to allow queries from any addresses and zone
transfers from secondary nameservers or from the primary nameservers that
any of your servers secondary off of.

> However I am still wondering why the firewall rules I have below aren't
> allowing transfers, I do have an allow rule for established traffic, just
> well above the rules below.
>
> $fwcmd add allow tcp from any to any established
>
> shouldn't this ruleset allow any DNS server to perform a transfer?

a zone transfer, yes. that may or may not be what you want (but it can be
controlled with named.conf as well if you just want simple ipfw rules)

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org
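The policy Bill describes (queries from anywhere, zone transfers only from the hosts that secondary off you) can be checked without a FreeBSD box by modelling ipfw's first-match evaluation. The block below is an added example written for this archive page; it is not code from the thread or from FreeBSD. It implements a small ipfw-style matcher with the `established` (RST or ACK set) and `setup` (SYN without ACK) semantics from ipfw(8) and runs a nameserver ruleset against constructed packets. The nameserver address and the secondary addresses are assumptions.

```python
"""Added example: first-match evaluation of an ipfw-style ruleset for a
nameserver. Not from the mailing-list thread; addresses are assumed."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Hypothetical addresses (assumptions, not from the thread).
NS_ADDR = "192.0.2.53"                          # our nameserver
SECONDARIES = ["198.51.100.2", "203.0.113.7"]   # hosts allowed to AXFR


@dataclass
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    tcp_flags: Set[str] = field(default_factory=set)   # e.g. {"SYN"}, {"ACK"}


@dataclass
class Rule:
    """One ipfw-style rule; the first rule that matches decides."""
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any)
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    dport: Optional[int] = None
    setup: bool = False             # ipfw 'setup': SYN set, ACK clear
    established: bool = False       # ipfw 'established': RST or ACK set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not ("SYN" in p.tcp_flags and "ACK" not in p.tcp_flags):
            return False
        if self.established and not (p.tcp_flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First match wins; ipfw's implicit last rule denies everything else."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def nameserver_rules() -> List[Rule]:
    """Ruleset in the spirit of the thread: the 'established' rule high up,
    UDP queries from any address, TCP setup to port 53 only from the
    secondaries, then a catch-all deny."""
    rules = [Rule("allow", "tcp", "any", "any", established=True)]
    rules.append(Rule("allow", "udp", "any", NS_ADDR + "/32", dport=53))
    for sec in SECONDARIES:
        rules.append(Rule("allow", "tcp", sec + "/32", NS_ADDR + "/32",
                          dport=53, setup=True))
    rules.append(Rule("deny", "ip", "any", "any"))
    return rules


def check(src: str, proto: str, flags=()) -> str:
    """Decision for a packet from `src` to our nameserver on port 53."""
    return evaluate(nameserver_rules(), Packet(proto, src, NS_ADDR, 53, set(flags)))


if __name__ == "__main__":
    print("query from anywhere      :", check("10.0.0.1", "udp"))
    print("AXFR setup from secondary:", check("198.51.100.2", "tcp", ["SYN"]))
    print("AXFR setup from stranger :", check("10.0.0.1", "tcp", ["SYN"]))
    print("bare ACK from stranger   :", check("10.0.0.1", "tcp", ["ACK"]))
```

Two things the run makes visible. A plain `allow tcp from any to any established` rule never matches the SYN that opens a transfer, so the connection is accepted only because of the `setup` rules restricted to the secondaries; a SYN from anyone else is dropped. Conversely, `established` is stateless: any TCP segment with ACK or RST set matches it, whether or not a connection exists, so it is not a substitute for limiting who may start one. Independently of ipfw, BIND's `allow-transfer` option in named.conf limits which addresses may request a zone transfer at the application layer, which is the named.conf control Bill points to.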