From owner-freebsd-security Thu Feb 22 17: 0:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C03DF37B401 for ; Thu, 22 Feb 2001 17:00:24 -0800 (PST) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id RAA30701; Thu, 22 Feb 2001 17:00:16 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda30695; Thu Feb 22 17:00:01 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f1N0xtE30907; Thu, 22 Feb 2001 16:59:55 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdw30905; Thu Feb 22 16:59:19 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.2/8.9.1) id f1N0xIp65074; Thu, 22 Feb 2001 16:59:18 -0800 (PST) Message-Id: <200102230059.f1N0xIp65074@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdm65068; Thu Feb 22 16:58:18 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: "H. Wade Minter" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Best way for one-way DNS traffic In-reply-to: Your message of "Thu, 22 Feb 2001 13:32:32 EST." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 22 Feb 2001 16:58:17 -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , "H. Wade Minter" writes: > My gateway box is running a name server for my home network. Internal > clients point to the gateway box for DNS service, and the gateway goes out > and resolves DNS queries. > > I've also got an ipfw firewall on the gateway. What I'd like to do is > make it so internal DNS works like it should, but nobody on the outside > should be able to connect to port 53.sadm@unired.net.pe Statefull firewall and forwarding options in named (forwarding to limit your exposure to a few hosts, your ISP's name servers, on the Internet). Run named as a non-privileged user (-u -g), chroot (-t). Make sure that the named user cannot write to any file or directory in the chroot environment except for /var/run and /var/log. Mount noexec /var/log using nullfs or unionfs with -r option to restrict execution of binaries in your chroot environment. Other things you should do are install tripwire and monitor your logs religiously. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message