Date: Mon, 27 Jul 1998 09:06:45 +0100 (BST) From: Jay Tribick <netadmin@fastnet.co.uk> To: Jesse <j@lumiere.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: ipfw rules to allow DNS activity Message-ID: <Pine.BSF.3.96.980727090344.11044D-100000@bofh.fast.net.uk> In-Reply-To: <Pine.BSF.3.96.980727001106.118A-100000@leaf.lumiere.net>
next in thread | previous in thread | raw e-mail | index | archive | help
| I'm thinking of changing one of my boxes which is running bind (performing | primary secondary DNS functions) from | allow-anything-except-things-specifically-denied ipfw rules to | deny-everything-except-things-specifically-allowed rules (open vs closed? | hehe). Anyway, I was wondering what are the minimum rules necessary to | allow DNS queries/transfers from other servers to my server, and also to | allow queries from my server to other servers. | | I tried a variety of rules from the rc.firewall file, but it's still | blocking some traffic, so there must be something I'm missing. AFAIR you should just be able to explicitly allow data from port 53 (udp & tcp) to pass through. i.e ipfw add 0 deny ip from any to ip.ip.ip.ip:255.255.255.255 ipfw add 1 allow tcp from any to ip.ip.ip.ip:255.255.255.255 53 ipfw add 1 allow udp from any to ip.ip.ip.ip:255.255.255.255 53 (Don't quote me on the above.. I don't tend to use ipfw and there's probably a better way of defining the above rules, for example, you may not want to deny packets but simly drop/reject them - depends how much info. you want to give out to script kiddies ;) Regards, Jay Tribick -- [| Network Administrator | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact information |] [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980727090344.11044D-100000>