From owner-freebsd-security Mon Jul 27 02:23:31 1998
Date: Mon, 27 Jul 1998 02:22:25 -0700 (PDT)
From: "Jan B. Koum "
To: sthaug@nethelp.no
cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
In-Reply-To: <25685.901530296@verdi.nethelp.no>

On Mon, 27 Jul 1998 sthaug@nethelp.no wrote:

>> Take a look at /etc/rc.firewall:
>>
>> # Allow DNS queries out in the world
>> ipfw add pass udp from any 53 to ${ip}
>> ipfw add pass udp from ${ip} to any 53
>>
>> You will need to enable same setup as above but for tcp for zone
>> transfers (someone correct me if I am wrong).
>
>Unfortunately, it's not quite that simple:
>

Hmm.. You sure? Not according to Stevens and my tcpdump:

>- You can't know the source port in zone transfers initiated from your
>own name server. It won't be 53 - remember that zone transfers are
>performed by a separate program (named-xfer).

This is from running "host -l some.host" in the other xterm:

02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S 3408638927:3408638927(0) win 16384 (DF)
02:15:05.636200 209.157.102.11.domain > nfr.2509: S 3345473533:3345473533(0) ack 3408638928 win 17280 (DF)
02:15:05.636284 nfr.2509 > 209.157.102.11.domain: . ack 1 win 17280 (DF)
02:15:05.636391 nfr.2509 > 209.157.102.11.domain: P 1:3(2) ack 1 win 17280 (DF)
02:15:05.789950 209.157.102.11.domain > nfr.2509: . ack 3 win 17280 (DF)
02:15:05.790049 nfr.2509 > 209.157.102.11.domain: P 3:31(28) ack 1 win 17280 (DF)
02:15:05.920407 209.157.102.11.domain > nfr.2509: P 1:717(716) ack 31 win
[snip]

It is going from my host, nfr to the nameserver, 209.157.192.11, destination port 53 using tcp. Replies are coming back from 209.157.192.11, port 53 using tcp back to me. I don't see how this is "won't be 53" -- am I missing something in this picture?

>- If you use BIND 8, the source port for queries initiated by the name
>server itself will *not* be 53 unless you explicitly say so.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no

Source port for queries will be greater than 1024 (e.g.: port 2509 above). Destination port for queries will be DNS server, which runs on port 53. Are we talking about two different things here? :)

-- yan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
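Added example, not part of the thread or of FreeBSD's rc.firewall: a small Python model of ipfw's first-match rule evaluation run over the tcpdump lines quoted above. It shows that the quoted UDP-only rules never match the TCP zone transfer, and that a TCP pair using ipfw's `established` keyword passes the whole exchange without pinning the client's ephemeral source port, while an unsolicited inbound SYN from port 53 is not passed. The rule-tuple layout and the use of the host name `nfr` in place of `${ip}` are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first three segments of the tcpdump trace quoted in
# the thread ("host -l" from nfr against 209.157.102.11, TCP to port 53).
TRACE = [
    "02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S 3408638927:3408638927(0) win 16384 (DF)",
    "02:15:05.636200 209.157.102.11.domain > nfr.2509: S 3345473533:3345473533(0) ack 3408638928 win 17280 (DF)",
    "02:15:05.636284 nfr.2509 > 209.157.102.11.domain: . ack 1 win 17280 (DF)",
]
SERVICE_PORTS = {"domain": 53}  # tcpdump prints /etc/services names instead of numbers
LINE_RE = re.compile(r"^\S+ (\S+)\.(\w+) > (\S+)\.(\w+): (.*)$")

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool  # ACK flag present: the property ipfw's "established" keyword tests

def parse_line(line):
    """Parse one classic tcpdump TCP line into a Packet (hypothetical helper)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    src, sp, dst, dp, rest = m.groups()
    port = lambda p: int(p) if p.isdigit() else SERVICE_PORTS[p]
    return Packet(src, port(sp), dst, port(dp), "ack" in rest.split())

# Assumed rule tuple: (proto, from-host, from-port, to-host, to-port, established),
# mirroring "ipfw add pass PROTO from FHOST FPORT to THOST TPORT [established]".
def rule_matches(rule, pkt, proto="tcp"):
    r_proto, fhost, fport, thost, tport, established = rule
    return (r_proto == proto
            and fhost in ("any", pkt.src) and fport in ("any", pkt.sport)
            and thost in ("any", pkt.dst) and tport in ("any", pkt.dport)
            and (pkt.ack or not established))

def first_match(rules, pkt):
    """Index of the first matching rule, or None (ipfw stops at the first match)."""
    return next((i for i, r in enumerate(rules) if rule_matches(r, pkt)), None)

# The rc.firewall lines quoted in the thread: UDP only, so a TCP transfer never matches.
RC_FIREWALL = [("udp", "any", 53, "nfr", "any", False),
               ("udp", "nfr", "any", "any", 53, False)]
# A TCP pair for the same job: outbound from any ephemeral port to 53, and replies
# from port 53 only when they carry ACK, so a fresh inbound SYN from 53 is not passed.
TCP_DNS = [("tcp", "nfr", "any", "any", 53, False),
           ("tcp", "any", 53, "nfr", "any", True)]

def evaluate(rules, lines):
    """Matching rule index for each trace line, in order."""
    return [first_match(rules, parse_line(l)) for l in lines]
```

`evaluate(RC_FIREWALL, TRACE)` yields `[None, None, None]` and `evaluate(TCP_DNS, TRACE)` yields `[0, 1, 0]`: the SYN and the client's ACK hit the outbound rule, the SYN/ACK from port 53 hits the `established` reply rule.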