Date: Wed, 4 Jun 1997 09:08:38 +1000 (EST)
From: "Daniel O'Callaghan"
To: Harlan Stenn
cc: hackers@FreeBSD.ORG
Subject: Re: Improvements to rc.firewall?
In-Reply-To: <27736.865360072@mumps.pfcs.com>

On Tue, 3 Jun 1997, Harlan Stenn wrote:

> H> I checked this out by doing a tcpdump of my ppp link, and looked at
> H> all of the DNS traffic. Responses to my queries came in to *my* port
> H> 53.
>
> dOc> Are you running your own named locally? That would be why.
>
> Yes, I am. Thanks for the explanation.
>
> Perhaps we should explain that if somebody wants a working firewall
> they'll have to run a local (caching or forwarding only, even)
> nameserver, too.

It depends on how "working" a firewall you need.

If you don't run a local nameserver, you can simply deny all udp packets
arriving with src port 53 which don't come from the name server defined in
/etc/resolv.conf.

If you want to run your own caching named, add a forwarder and the word
'slave' to your /etc/named.boot, and only allow udp src port 53 from your
forwarder.

If you run your own named, and you don't run it as a slave, you *must*
accept udp packets with src port 53 and dst port 53 from anyone with ipfw.
The alternative is to use ipfilter with 'keep state'.

/* Daniel O'Callaghan                                                 */
/* HiLink Internet                            danny@hilink.com.au     */
/* FreeBSD - works hard, plays hard...        danny@freebsd.org       */
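The three cases Daniel describes, written out as ipfw rules by an added helper script that is not part of the original thread or of rc.firewall. It assumes current ipfw syntax (the `me` keyword, explicit rule numbers 1000 and 1010 that I chose) and only prints the rules, so they can be reviewed before being installed.

```sh
#!/bin/sh
# Added example, not from the original mail: print ipfw rules that admit
# DNS replies only from the servers a host is actually expected to talk to.
# Assumed: modern ipfw syntax with the `me` keyword; rule numbers are mine.

# Print the nameserver addresses listed in a resolv.conf-style file
# (one "nameserver ADDR" per line; comments and search lines are skipped).
resolver_ips() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Usage: dns_rules none SERVER...   - no local named: allow replies only
#                                     from the resolv.conf servers
#        dns_rules slave SERVER...  - caching named with 'slave' in
#                                     named.boot: allow only the forwarders
#        dns_rules full             - named doing its own recursion:
#                                     port 53 -> port 53 must stay open
dns_rules() {
    mode=$1
    shift
    case "$mode" in
    none|slave)
        if [ $# -eq 0 ]; then
            echo "dns_rules: $mode needs at least one server address" >&2
            return 1
        fi
        for ip in "$@"; do
            echo "ipfw add 1000 allow udp from $ip 53 to me"
        done
        # Everything else claiming to be a DNS reply is dropped.
        echo "ipfw add 1010 deny udp from any 53 to me"
        ;;
    full)
        # A non-slave named sends from and receives on port 53.
        echo "ipfw add 1000 allow udp from any 53 to me 53"
        echo "ipfw add 1010 deny udp from any 53 to me"
        ;;
    *)
        echo "usage: dns_rules none|slave SERVER... | dns_rules full" >&2
        return 1
        ;;
    esac
}
```

For the first case the two functions combine as `dns_rules none $(resolver_ips /etc/resolv.conf)`; the deny rule is what keeps a stray src-port-53 packet from slipping through on a high port.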