From owner-freebsd-security Mon Jul 27 01:48:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA02895 for freebsd-security-outgoing; Mon, 27 Jul 1998 01:48:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (jkb@shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA02878 for ; Mon, 27 Jul 1998 01:48:31 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id BAA01914; Mon, 27 Jul 1998 01:48:00 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Mon, 27 Jul 1998 01:48:00 -0700 (PDT)
From: "Jan B. Koum "
X-Sender: jkb@shell6.ba.best.com
To: Jay Tribick
cc: security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

No no no... What I mean is:

[takes out the bible: TCP/IP Illustrated and opens it on page 206]

DNS uses UDP for resolver queries (most of the time).
DNS uses TCP for zone transfers (always).

If you don't want to allow zone transfer from that computer, don't worry
about allowing TCP as long as your DNS response will never exceed 512 bytes.

(yes I know one can also use xfrnets to stop unauthorized zone transfers,
but this is ipfw talk *grin*)

-- Yan

Jan Koum jkb@best.com                 | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve | to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

On Mon, 27 Jul 1998, Jay Tribick wrote:

> Hi
>
> | > I'm thinking of changing one of my boxes which is running bind (performing
> | > primary secondary DNS functions) from
> | > allow-anything-except-things-specifically-denied ipfw rules to
> | > deny-everything-except-things-specifically-allowed rules (open vs closed?
> | > hehe). Anyway, I was wondering what are the minimum rules necessary to
> | > allow DNS queries/transfers from other servers to my server, and also to
> | > allow queries from my server to other servers.
>
> | > I tried a variety of rules from the rc.firewall file, but it's still
> | > blocking some traffic, so there must be something I'm missing.
>
> | Take a look at /etc/rc.firewall:
> |
> | # Allow DNS queries out in the world
> | ipfw add pass udp from any 53 to ${ip}
> | ipfw add pass udp from ${ip} to any 53
> |
> | You will need to enable the same setup as above but for tcp for zone
> | transfers (someone correct me if I am wrong).
> |
> | Also take a look at the FreeBSD ipfw Configuration Page:
> | http://www.metronet.com/~pgilley/freebsd/ipfw
>
> AFAIK DNS zone-transfers are handled via 53 as well, I can't find
> another listing for 'Domain Name Server' in /etc/services so I assume
> the above will work fine.
>
> Regards,
>
> Jay Tribick
> --
> [| Network Administrator | FastNet International | http://fast.net.uk/ |]
> [| Finger netadmin@fastnet.co.uk for contact information |]
> [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
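A worked version of the closed rule set the thread is after, added here as an example (it is not from /etc/rc.firewall nor from either poster). The two rc.firewall lines Jay quotes cover the server's own queries going out and their answers coming back; a server also has to accept queries from the world and send its answers, so those UDP rules are included too. Following Jan's point that zone transfers are always TCP, TCP port 53 is opened only to and from named transfer peers rather than to "any", and because the ipfw of the day is stateless each TCP flow gets a rule for both directions. The addresses in `ip`, `primary` and `secondaries` are constructed for the example, and `fw`, `dns_rules`, `dry_run_rules` and `count_rules` are helper names chosen here, not ipfw or rc.firewall conventions.

```shell
#!/bin/sh
# Closed ("deny everything except what is explicitly allowed") ipfw rule set
# for a BIND host that answers queries and exchanges zone transfers with a
# few known peers. Added example for this thread; not taken from
# /etc/rc.firewall or from any post in it.
#
# Assumptions (constructed for the example, not from the thread):
#   ip          - this server's address
#   primary     - the primary this host pulls zones from (it is a secondary too)
#   secondaries - hosts allowed to pull zones from this server over TCP 53
# The rules target the stateless ipfw of the period, so every TCP flow needs
# one rule per direction.

ip="192.0.2.53"
primary="192.0.2.1"
secondaries="192.0.2.54 198.51.100.2"

# Run ipfw, or only print the command when DRY_RUN is set, so the rule set
# can be reviewed on any machine before it is loaded on the firewall.
fw() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipfw %s\n' "$*"
    else
        ipfw "$@"
    fi
}

dns_rules() {
    fw -f flush
    # Loopback, and refuse loopback addresses arriving on real interfaces.
    fw add 100 pass all from any to any via lo0
    fw add 200 deny all from any to 127.0.0.0/8

    # Resolver traffic over UDP: queries from the world to us, and our answers.
    fw add 1000 pass udp from any to "$ip" 53
    fw add 1010 pass udp from "$ip" 53 to any
    # Our own queries to other servers and their answers (the two lines the
    # thread quotes from rc.firewall). A response over 512 bytes would need
    # TCP 53, which this rule set deliberately does not open to the world.
    fw add 1020 pass udp from "$ip" to any 53
    fw add 1030 pass udp from any 53 to "$ip"

    # Zone transfers always run over TCP 53: allow them only with known peers.
    fw add 2000 pass tcp from "$ip" to "$primary" 53
    fw add 2010 pass tcp from "$primary" 53 to "$ip"
    n=2100
    for peer in $secondaries; do
        fw add "$n" pass tcp from "$peer" to "$ip" 53
        n=$((n + 10))
        fw add "$n" pass tcp from "$ip" 53 to "$peer"
        n=$((n + 10))
    done

    # Everything else is dropped: the closed policy Jay asked about.
    fw add 65000 deny all from any to any
}

# Print the rule set without touching the kernel (subshell keeps DRY_RUN local).
dry_run_rules() {
    ( DRY_RUN=1; dns_rules )
}

# Number of "add" commands the rule set emits, for a quick review.
count_rules() {
    dry_run_rules | grep -c ' add '
}

if [ "${1:-}" = "--apply" ]; then
    dns_rules
else
    dry_run_rules
fi
```

Run it with no arguments to print the rules for inspection; `--apply` loads them with `ipfw` as root on the firewall host. If a zone or a response set ever grows past 512 bytes, the resolver falls back to TCP and the missing "tcp ... 53" rules for the world are exactly what will start blocking traffic, so that is the first thing to check when a query stops working under this policy.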