From owner-freebsd-security  Mon Jul 27 01:07:19 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id BAA27237
          for freebsd-security-outgoing; Mon, 27 Jul 1998 01:07:19 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA27222
          for <freebsd-security@FreeBSD.ORG>; Mon, 27 Jul 1998 01:07:14 -0700 (PDT)
          (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22])
	by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id JAA16446;
	Mon, 27 Jul 1998 09:06:44 +0100 (BST)
Received: from localhost (localhost [127.0.0.1])
	by bofh.fast.net.uk (8.8.8/8.8.5) with SMTP id JAA11139;
	Mon, 27 Jul 1998 09:06:45 +0100 (BST)
Date: Mon, 27 Jul 1998 09:06:45 +0100 (BST)
From: Jay Tribick <netadmin@fastnet.co.uk>
X-Sender: netadmin@bofh.fast.net.uk
To: Jesse <j@lumiere.net>
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
In-Reply-To: <Pine.BSF.3.96.980727001106.118A-100000@leaf.lumiere.net>
Message-ID: <Pine.BSF.3.96.980727090344.11044D-100000@bofh.fast.net.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


| I'm thinking of changing one of my boxes which is running bind (performing
| primary secondary DNS functions) from
| allow-anything-except-things-specifically-denied ipfw rules to
| deny-everything-except-things-specifically-allowed rules (open vs closed?
| hehe). Anyway, I was wondering what are the minimum rules necessary to
| allow DNS queries/transfers from other servers to my server, and also to
| allow queries from my server to other servers.
| 
| I tried a variety of rules from the rc.firewall file, but it's still
| blocking some traffic, so there must be something I'm missing.

AFAIR you should just be able to explicitly allow data from port 53
(udp & tcp) to pass through.

i.e

ipfw add 0 deny ip from any to ip.ip.ip.ip:255.255.255.255 
ipfw add 1 allow tcp from any to ip.ip.ip.ip:255.255.255.255 53
ipfw add 1 allow udp from any to ip.ip.ip.ip:255.255.255.255 53

(Don't quote me on the above.. I don't tend to use ipfw and there's
probably a better way of defining the above rules, for example, you
may not want to deny packets but simly drop/reject them - depends
how much info. you want to give out to script kiddies ;)

Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[|        Finger netadmin@fastnet.co.uk for contact information        |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message