Date: Thu, 22 Feb 2001 16:58:17 -0800
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: "H. Wade Minter" <minter@lunenburg.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Best way for one-way DNS traffic
Message-ID: <200102230059.f1N0xIp65074@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 22 Feb 2001 13:32:32 EST." <Pine.BSF.4.33.0102212230430.57938-100000@ashburn.skiltech.com>
In message <Pine.BSF.4.33.0102212230430.57938-100000@ashburn.skiltech.com>, "H. Wade Minter" writes:
> My gateway box is running a name server for my home network. Internal
> clients point to the gateway box for DNS service, and the gateway goes out
> and resolves DNS queries.
>
> I've also got an ipfw firewall on the gateway. What I'd like to do is
> make it so internal DNS works like it should, but nobody on the outside
> should be able to connect to port 53.

Stateful firewall and forwarding options in named (forwarding to limit
your exposure to a few hosts, your ISP's name servers, on the Internet).
Run named as a non-privileged user (-u -g), chroot (-t). Make sure that
the named user cannot write to any file or directory in the chroot
environment except for <chroot>/var/run and <chroot>/var/log. Mount
noexec <chroot>/var/log using nullfs or unionfs with -r option to
restrict execution of binaries in your chroot environment.

Other things you should do are install tripwire and monitor your logs
religiously.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
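Added example, not part of Cy Schubert's reply or of FreeBSD: a script that prints the stateful ipfw rule set and the forward-only named.conf options the reply describes, and that lists anything under the chroot the named user could still write outside var/run and var/log. Interface names, addresses, the bind user, the chroot path and the listen-on/allow-query lines are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the original message. Interfaces, addresses,
# the named user and the chroot path are assumptions; edit before use.
EXT_IF=${EXT_IF:-fxp0}                  # outside interface
INT_IF=${INT_IF:-fxp1}                  # inside interface
LAN_NET=${LAN_NET:-192.168.1.0/24}
GW_INT=${GW_INT:-192.168.1.1}           # gateway's inside address
FORWARDERS=${FORWARDERS:-"192.0.2.53 192.0.2.54"}  # ISP resolvers (placeholder)
NAMED_USER=${NAMED_USER:-bind}
CHROOT=${CHROOT:-/var/named}   # rc.conf: named_flags="-u bind -g bind -t /var/named"

# ipfw rules (printed, not applied; load with: ipfw <file>). Inside clients
# may reach the gateway resolver; the gateway may query only the forwarders,
# with keep-state so replies match a dynamic rule; anything else to port 53
# arriving on the outside interface is denied and logged.
dns_ipfw_rules() {
    echo "add check-state"
    echo "add allow udp from $LAN_NET to $GW_INT 53 in via $INT_IF keep-state"
    echo "add allow tcp from $LAN_NET to $GW_INT 53 in via $INT_IF setup keep-state"
    for fw in $FORWARDERS; do
        echo "add allow udp from any to $fw 53 out via $EXT_IF keep-state"
        echo "add allow tcp from any to $fw 53 out via $EXT_IF setup keep-state"
    done
    echo "add deny log udp from any to any 53 in via $EXT_IF"
    echo "add deny log tcp from any to any 53 in via $EXT_IF"
}

# named.conf options (BIND 8 syntax): forward only to the ISP's servers and
# answer only the inside. 'directory' is relative to the -t chroot.
named_options() {
    fwds=$(for fw in $FORWARDERS; do printf '%s; ' "$fw"; done)
    printf 'options {\n    directory "/etc/namedb";\n    forward only;\n'
    printf '    forwarders { %s};\n' "$fwds"
    printf '    listen-on { 127.0.0.1; %s; };\n' "$GW_INT"
    printf '    allow-query { 127.0.0.1; %s; };\n};\n' "$LAN_NET"
}

# Files or directories under the chroot the named user could write, outside
# var/run and var/log. No output means the chroot is read-only to named.
chroot_writable_by_named() {
    find "$CHROOT" \( -path "$CHROOT/var/run" -o -path "$CHROOT/var/log" \) -prune -o \
        \( \( -user "$NAMED_USER" -perm -200 \) -o \
           \( -group "$NAMED_USER" -perm -020 \) -o -perm -002 \) -print
}

case "${1:-}" in
    rules) dns_ipfw_rules ;;
    named) named_options ;;
    check) chroot_writable_by_named ;;
esac
```

Run with `rules`, `named` or `check` as the argument; the rules are only printed so they can be reviewed before loading.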