From owner-freebsd-security Sun Aug 3 16:50:26 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA26797 for security-outgoing; Sun, 3 Aug 1997 16:50:26 -0700 (PDT)
Received: from counterintelligence.ml.org (mdean.vip.best.com [206.86.94.101]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA26789 for ; Sun, 3 Aug 1997 16:50:22 -0700 (PDT)
Received: from localhost (jamil@localhost) by counterintelligence.ml.org (8.8.6/8.8.5) with SMTP id QAA00399 for ; Sun, 3 Aug 1997 16:49:54 -0700 (PDT)
Date: Sun, 3 Aug 1997 16:49:52 -0700 (PDT)
From: "Jamil J. Weatherbee"
To: freebsd-security@freebsd.org
Subject: Firewalling / DNS problems
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

This is in freebsd-stable RELENG.

I found the following problem on two different FreeBSD machines connected to the internet on one interface (the IP address I'll call 111.222.333.444).

I use the particular machine as a tftp server (UDP) for some diskless booting workstations (on its ethernet interface 192.168.1.1); it also has a ppp interface 111.222.333.444. Now, realizing that tftp does not authenticate its clients, I thought it would be nice to put up a firewall rule on this machine to block tftp requests from the outside to the ppp interface (I want to allow them only to the ethernet interface on my LAN), since it is possible to have some sensitive info in my /tftpboot directory that is world readable, and I don't want the whole world looking at it.

I did a (on a firewall="open" type setup in rc.conf):

    ipfw add 1100 deny udp from any to 111.222.333.444/32 tftp

and verified that I could access with tftp from the inside but not the outside --- everything worked fine until... a couple of days later I noticed that there was a large amount of mail sitting in the mail queue with name lookup deferred errors on it.

So I tried doing host -d on a couple of those hosts and noticed that for many of the hosts this doesn't work (many timeouts on the local nameserver 127.0.0.1); also the tally for drops on 111.222.333.444 port 69 (udp) is rather high -- after removing this entry all the mail is cleared from the queue, but reenabling it causes the problem again (in other words I have verified it --- also on another unrelated machine).

The question is why outside hosts are sending UDP packets to port 69 during name lookups. The following machines cause this:

    host -d rs0.internic.net
    host -d hotmail.com
    host -d best.com

These didn't:

    host -d freebsd.org
    host -d cdrom.com

I can't think of any more, please help.
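As an added illustration (not part of Jamil's post or of FreeBSD's ipfw), a small Python model of ipfw's first-match evaluation, run over constructed datagrams against the post's rule 1100: it shows that a rule keyed on destination port alone drops every UDP datagram addressed to 111.222.333.444:69, whatever its source, which is why the port-69 drop counter climbs on traffic that is not a tftp request. The catch-all rule number 65000 and the 192.0.2.0/24 peer addresses are assumptions.

```python
from dataclasses import dataclass
from collections import Counter
from typing import Optional

# Addresses as written in the post (111.222.333.444 is the poster's stand-in,
# not a routable address), plus constructed peers from the TEST-NET-1 range.
PPP_ADDR, LAN_ADDR = "111.222.333.444", "192.168.1.1"
OUTSIDE, LAN_CLIENT, NAMESERVER = "192.0.2.10", "192.168.1.20", "192.0.2.53"
TFTP, DNS = 69, 53

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    num: int
    action: str           # "deny" or "allow"
    proto: str            # "udp", "tcp" or "ip" (any protocol)
    src: str              # exact address or "any" (the post's /32 is one host)
    dst: str
    dport: Optional[int]  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))

# The post's rule 1100 ahead of the catch-all that firewall="open" installs
# (number 65000 is assumed; only its position after 1100 matters).
RULES = [Rule(1100, "deny", "udp", "any", PPP_ADDR, TFTP),
         Rule(65000, "allow", "ip", "any", "any", None)]

def evaluate(rules, p):
    """ipfw semantics: the first matching rule decides."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.matches(p):
            return r.action, r.num
    return "deny", 0  # ipfw's implicit default when nothing matches

# Constructed traffic: what the rule is meant for, and what else it catches.
# Rule 1100 cannot tell a tftp request from any other UDP datagram to port 69,
# such as a nameserver datagram that happens to be addressed there.
SAMPLE = {
    "tftp_from_internet": Packet("udp", OUTSIDE, 2049, PPP_ADDR, TFTP),
    "tftp_from_lan":      Packet("udp", LAN_CLIENT, 2049, LAN_ADDR, TFTP),
    "dns_reply_to_53":    Packet("udp", NAMESERVER, DNS, PPP_ADDR, DNS),
    "dns_reply_to_69":    Packet("udp", NAMESERVER, DNS, PPP_ADDR, TFTP),
}

def verdicts():
    return {name: evaluate(RULES, p) for name, p in SAMPLE.items()}

def drops_by_port():
    """Per-port drop tally, the counter the post saw climbing on udp/69."""
    return Counter(p.dport for p in SAMPLE.values() if evaluate(RULES, p)[0] == "deny")
```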