From: Arvinn Løkkebakken
Date: Fri, 19 Jul 2002 22:26:55 +0200 (CEST)
Subject: RE: ipfw and it's glory...
Message-ID: <4181.217.118.33.65.1027110415.squirrel@everlast.whitebird.no>
In-Reply-To: <20020717153409.Y86012-100000@doos.cluecentral.net>
References: <6C506EA550443D44A061432F1E92EA4C6C5364@ing.com> <20020717153409.Y86012-100000@doos.cluecentral.net>
Sender: owner-freebsd-security@FreeBSD.ORG

>> But its source port will be 53. So you can put in a rule for that.
>> Plus it's only 1 or 2 servers so you can put in special rules for
>> them.
>
> Unless you run a local dnscache (which I would do).
>

So what? The scenario is the same! Even though it's caching DNS info, it has
to go out there to get the info in the first place.
Computers on the inside segment, though, don't need to get through the
firewall to port 53, but the DNS server itself has to!

Arvinn
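
The rule shapes discussed in this message, as an added example that is not part of the original post or thread: an ipfw rules-file fragment covering only DNS traffic on the outside interface, with the source-port-53 rule shown commented out beside a stateful form. The interface name `fxp0`, the cache address `192.0.2.53`, the inside segment `192.0.2.0/24` and the rule numbers are all assumptions made for illustration.

```conf
# ipfw rules file fragment (load with: ipfw /path/to/this/file).
# Constructed values, not taken from the thread:
#   fxp0          outside interface of the firewall (assumption)
#   192.0.2.53    the local caching DNS server (assumption)
#   192.0.2.0/24  the inside segment (assumption)

# Source-port form, shown for contrast and left disabled: it passes any UDP
# packet that claims source port 53, whether or not the cache asked for it.
# add 1000 allow udp from any 53 to 192.0.2.53 in via fxp0

# Stateful form: compare packets against dynamic rules first.
add 1000 check-state

# Only the cache may query outside servers. Each query creates a dynamic
# rule that admits just the matching reply.
add 1100 allow udp from 192.0.2.53 to any 53 out via fxp0 keep-state
add 1110 allow tcp from 192.0.2.53 to any 53 out via fxp0 setup keep-state

# Inside hosts resolve through the cache, so their direct queries stop here,
# as does port-53 traffic from outside that matches no dynamic rule.
add 1200 deny udp from 192.0.2.0/24 to any 53 out via fxp0
add 1210 deny tcp from 192.0.2.0/24 to any 53 out via fxp0
add 1300 deny udp from any 53 to any in via fxp0
```

Rules 1100 and 1110 come before the inside-segment denies, so the cache's own address is allowed out even though it lies inside 192.0.2.0/24.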