From owner-freebsd-hackers Wed Jun 11 02:09:27 1997
Date: Wed, 11 Jun 1997 02:08:11 -0700 (PDT)
From: Dmitry Kohmanyuk
Message-Id: <199706110908.CAA10686@dog.farm.org>
To: avalon@coombs.anu.edu.au (Darren Reed)
Cc: freebsd-hackers@freebsd.org
Subject: Re: Improvements to rc.firewall?
Newsgroups: cs-monolit.gated.lists.freebsd.hackers
Organization: FARM Computing Association
Reply-To: dk+@ua.net

In article <199706021148.EAA14857@hub.freebsd.org> you wrote:
> Hmmm, ipfilter doesn't necessarily expose you to this...
> pass out on ppp0 proto udp from port = 53 to any keep state
> (it will parse that too!) although the timeout is not short. This will
> automatically let the reply packets back in.
> Only a named should be talking to an external named, so you can filter
> packets to/from port 53.

Beware folks, BIND 8.1 issues UDP queries from _any_ port by default (older BINDs used port 53 when originating only). It can be configured to use any other port; Vixie himself uses 42, he said.

Also, TCP queries can be used instead of UDP - there are indeed some names which have lots of MXes / As, and resolvers have the right to use TCP at any time for reliable delivery.

So, the modern rule is `allow from any host:any port to our host:53 tcp|udp' for all queries to our name servers to work.
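The point made above, written out as an ipfilter rule set (an added example, not from either poster): the quoted rule keyed on source port 53 beside rules keyed on the destination port, which also match queries BIND 8 sends from an ephemeral or reconfigured source port. Assumes the name server is 192.0.2.53 (a documentation address) and the outside link is ppp0.

```conf
# Constructed example, not from the original thread. Assumes our name
# server is 192.0.2.53 and the outside interface is ppp0.

# Quoted rule: matches only queries leaving from source port 53, which
# BIND 4 did but BIND 8.1 does not by default (ephemeral source port, or
# a fixed one such as 42 if so configured). Such queries fall through.
# pass out quick on ppp0 proto udp from 192.0.2.53 port = 53 to any port = 53 keep state

# Replacement: key on the destination port only, so the source port does
# not matter, and let the reply back in through the state table.
pass out quick on ppp0 proto udp from 192.0.2.53 to any port = 53 keep state
pass out quick on ppp0 proto tcp from 192.0.2.53 to any port = 53 flags S keep state

# Inbound queries to our name server: any source host and any source
# port, over both transports, since resolvers may retry large answers
# (many MX or A records) over TCP.
pass in quick on ppp0 proto udp from any to 192.0.2.53 port = 53 keep state
pass in quick on ppp0 proto tcp from any to 192.0.2.53 port = 53 flags S keep state

# Everything else on the outside link is dropped; the state entries
# created above are what admit the replies.
block in quick on ppp0 all
```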