From owner-freebsd-security Thu Dec 27 0:39:10 2001
Date: Thu, 27 Dec 2001 19:38:44 +1100 (EST)
From: Ian Smith
Reply-To: Ian Smith
To: X Philius
Cc: "G.P. de Boer", security@FreeBSD.ORG, Dave Raven
Subject: Re: Help with ipfw rules to allow DNS queries through
In-Reply-To: <20011227014709.9820.qmail@web11806.mail.yahoo.com>

On Wed, 26 Dec 2001, X Philius wrote:

> I am currently using an external DNS server via resolv.conf, you are
> correct. I would think that the generic rule to allow all internally
> established connections (both udp and tcp) to pass through would allow
> this, even without any port specific rules. Is this not correct?
>
> # Allow set up of outgoing UDP connections
> ${fwcmd} add pass udp from ${ip} to any setup

There's no concept of 'setup' with UDP connections. You should find that
ipfw (perhaps silently?) failed to add this rule, blowing away most UDP
from your box, including DNS, if I've read your ruleset rightly? Does
the output of 'ipfw list' or 'ipfw show' include that UDP rule?

'ipfw -t show | less' is handy to see what's happening, as is tcpdump ..

[..]

> I used to have named set up on my machine, before I upgraded to 4.4R,
> and I plan to set it up again. However, before I upgraded I was using
> this rule set, and it did not seem to allow me to access my machine as
> a name server from another machine. I am not 100% sure that I tested it

  !ipfw add 702 count udp from any to any setup
  ipfw: error: unknown argument ``setup''
  usage: ipfw [options] ...

> properly though, so the general question is; should I be able to use
> this ruleset if I want to use my machine as a name server, ie to be
> accessed by an external client, and authoritative on a domain or
> twelve?

Sure. Assuming your NAT etc is configured right, and the Cisco upstream
is playing fair, you'd be well advised to follow up Dave Raven's message
re bind setup to allow internal / deny external recursion and transfers.
Of course you'll want to allow xfers as well with outside primaries and
secondaries, and may need to add ipfw rules for them.

We also share hosting a few domains with/for friends on lil systems, and
log heaps of DNS subnet scanning and such, and the occasional poisoning
attempt.

man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts,
then increases by 1, the level of named logging, to /var/tmp/named.run -
using Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy
logging of all DNS activity for as much bind self-education as you've
time for ..

> As someone else mentioned, this is pretty much verbatim from
> the default rc.firewall.
>
> # Allow DNS queries out and in
> ${fwcmd} add pass tcp from any to ${ip} 53 setup
> ${fwcmd} add pass udp from any to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to any

Only the comment differs from the alternatives posted :)

It seems that more than DNS would be affected by a loss of outgoing UDP,
if that is the case, but then you may have allowed everything else you
want like quicktime and other streaming protocols (which caught my eye!)

> Thanks much for your reply! I can't wait to get this working.

tcpdump is your good mate. Here 'tcpdump -pen -i tun0 port 53' in a
window inspires confidence when named's doing its thang.

Cheers, Ian
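The failure mode Ian describes (a UDP rule carrying the TCP-only 'setup' keyword is rejected by ipfw, so it silently never exists and UDP that it was meant to pass falls through to a later deny) is easy to catch before the ruleset is loaded. The script below is an added example, not part of the original mail or of FreeBSD's rc.firewall: it lints an rc.firewall-style fragment (the constructed sample reproduces the rules quoted above) for 'udp ... setup' lines and shows the corrected form with the keyword removed.

```shell
#!/bin/sh
# Added example: lint rc.firewall-style rules for the 'udp ... setup'
# mistake discussed in the thread. Not from the original mail or FreeBSD.

# Constructed sample ruleset, modelled on the rules quoted in the thread.
SAMPLE_RULES=$(cat <<'EOF'
# Allow set up of outgoing UDP connections
${fwcmd} add pass udp from ${ip} to any setup
# Allow DNS queries out and in
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any
EOF
)

# Read rules on stdin; print every non-comment 'add' rule that names
# proto udp and also carries the 'setup' keyword (ipfw will reject it).
find_udp_setup() {
    grep -vE '^[[:space:]]*#' \
      | grep -E '(^|[[:space:]])add[[:space:]].*[[:space:]]udp([[:space:]]|$).*[[:space:]]setup([[:space:]]|$)' \
      || true
}

# Number of offending rules in the sample; 0 means the ruleset is clean.
count_udp_setup() {
    printf '%s\n' "$SAMPLE_RULES" | find_udp_setup | wc -l | tr -d ' '
}

# Corrected sample: drop the trailing 'setup' from UDP rules only, so the
# rule ipfw previously refused is actually installed. TCP rules keep it.
fix_udp_setup() {
    printf '%s\n' "$SAMPLE_RULES" \
      | sed -E 's/^([^#]*[[:space:]]udp[[:space:]].*)[[:space:]]+setup([[:space:]]*)$/\1\2/'
}
```

Only strip the keyword if you really do want all UDP from ${ip} to pass; otherwise delete the rule and rely on per-port rules like the DNS ones.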