Date: Wed, 11 Jun 1997 02:08:11 -0700 (PDT)
From: Dmitry Kohmanyuk <dk@dog.farm.org>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: freebsd-hackers@freebsd.org
Subject: Re: Improvements to rc.firewall?
Message-ID: <199706110908.CAA10686@dog.farm.org>
In article <199706021148.EAA14857@hub.freebsd.org> you wrote:
> Hmmm, ipfilter doesn't necessarily expose you to this...
> pass out on ppp0 proto udp from <thishost> port = 53 to any keep state
> (it will parse that too!) although the timeout is not short. This will
> automatically let the reply packets back in.
> Only a named should be talking to an external named, so you can filter
> packets to/from port 53.

Beware folks, BIND 8.1 issues UDP queries from _any_ port by default (older BINDs used port 53 when originating only). It can be configured to use any other port; Vixie uses 42 himself, he said.

Also, TCP queries can be used instead of UDP - there are indeed some names which have lots of MXes / As, and resolvers have the right to use TCP anytime for reliable delivery.

So, the modern rule is `allow from any host:any port to our host:53 tcp|udp' for all queries to our name servers to work.
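The rule described in the message, written out in rc.firewall style as an added example (not from the original thread or from FreeBSD's rc.firewall). It assumes a name server address, an outside interface and a starting rule number passed as arguments; `fwcmd` defaults to `echo` so the script only prints the ipfw commands it would run.

```sh
#!/bin/sh
# Added example: ipfw rules in the style of rc.firewall for a name server
# that, as the message notes, no longer sends queries from source port 53.
# fwcmd is the ipfw command; it defaults to "echo" so this is a dry run.
fwcmd="${fwcmd:-echo}"

# Emit DNS rules for name server $1 on outside interface $2, numbered from $3.
# All addresses and interface names are constructed placeholders.
dns_rules() {
    ns="$1"; oif="$2"; n="$3"
    # Queries to our server: clients (and other BIND 8 servers) may use any
    # source port and may use TCP, so match only on destination port 53.
    ${fwcmd} add "$n"      allow tcp from any to "$ns" 53 in via "$oif" setup
    ${fwcmd} add $((n+1))  allow tcp from any to "$ns" 53 in via "$oif" established
    ${fwcmd} add $((n+2))  allow udp from any to "$ns" 53 in via "$oif"
    ${fwcmd} add $((n+3))  allow udp from "$ns" 53 to any out via "$oif"
    # Queries our server originates: the source port is arbitrary, so allow any
    # source port out to remote port 53 and the matching replies back in.
    ${fwcmd} add $((n+4))  allow udp from "$ns" to any 53 out via "$oif"
    ${fwcmd} add $((n+5))  allow udp from any 53 to "$ns" in via "$oif"
    ${fwcmd} add $((n+6))  allow tcp from "$ns" to any 53 out via "$oif" setup
    ${fwcmd} add $((n+7))  allow tcp from any 53 to "$ns" in via "$oif" established
}

# Usage: print the rule set for a constructed server address on interface ed0.
dns_rules 192.0.2.53 ed0 1000
```

The UDP reply rules are as wide as this era's stateless ipfw allows; on a current ipfw, `keep-state` on the outbound query rules lets the inbound reply rules be dropped.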