Date: Sat, 17 Feb 2007 19:53:05 +0100
From: Jeremie Le Hen <jeremie@le-hen.org>
To: freebsd-net@FreeBSD.org
Subject: Firewalling DNS jails
Message-ID: <20070217185305.GA22946@obiwan.tataz.chchile.org>
Hi there,

I have two jails with named(8) running on my server.
- The first one (dns_int) is used as a resolver for my local network, and also serves the zone addressing it.
- The second one (dns_ext) is used to serve my zones on the Internet side.

I want to know if the following rules are secure enough and if they can be tightened regarding the DNS protocol and the policy I've set up.

=== 8< === 8< === 8< ===
pass in inet proto { tcp, udp } from $local_net to $dns_int port domain keep state
pass out inet proto { tcp, udp } from $dns_int to any port domain keep state
pass in inet proto { tcp, udp } from any to $dns_ext port domain keep state
pass out inet proto { tcp, udp } from $dns_int to !$local_net port domain keep state
=== 8< === 8< === 8< ===

Thank you.

PS: If you know about problems using the same nameserver for resolving and serving my internal zone, please let me know as well.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
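As an added example (not the poster's own ruleset), here is a pf.conf fragment that expresses the same split-role policy with a default-deny base: the resolver jail answers only the LAN and recurses only outward, while the authoritative jail answers anyone but originates nothing except NOTIFY to its secondaries. The addresses, the secondaries table and the assumption that dns_ext runs with recursion disabled are constructed for the example.

```pf
# Constructed addresses; replace with the real jail and LAN values.
local_net = "192.168.1.0/24"
dns_int   = "192.168.1.53"       # resolver jail, LAN only
dns_ext   = "203.0.113.53"       # authoritative jail, Internet facing
table <secondaries> { 198.51.100.2, 198.51.100.3 }   # constructed slave servers

set skip on lo0
block all                         # default deny; every pass below is explicit

# Resolver jail: queries only from the LAN (UDP, plus TCP for truncated answers)
pass in inet proto { tcp, udp } from $local_net to $dns_int port domain keep state

# Resolver jail may recurse to the Internet, but never back into the LAN
pass out inet proto { tcp, udp } from $dns_int to !$local_net port domain keep state

# Authoritative jail: answer queries from anywhere
pass in inet proto { tcp, udp } from any to $dns_ext port domain keep state

# Zone transfers (AXFR/IXFR) run over TCP; accept them only from known secondaries
pass in inet proto tcp from <secondaries> to $dns_ext port domain flags S/SA keep state

# The only traffic the authoritative jail originates is NOTIFY to its secondaries
# (assumes named in dns_ext is configured with "recursion no;")
pass out inet proto udp from $dns_ext to <secondaries> port domain keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; note that pf requires the `port` keyword before a service name, and that rules with `flags` must be TCP-only.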