Date: Tue, 3 Jun 1997 18:01:37 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
Cc: Harlan Stenn <Harlan.Stenn@pfcs.com>, hackers@FreeBSD.ORG
Subject: Re: Improvements to rc.firewall?
Message-ID: <Pine.BSF.3.95.970603180035.28367B-100000@alive.znep.com>
In-Reply-To: <Pine.BSF.3.91.970604090420.9382C-100000@panda.hilink.com.au>
On Wed, 4 Jun 1997, Daniel O'Callaghan wrote:

> On Tue, 3 Jun 1997, Harlan Stenn wrote:
>
> > H> I checked this out by doing a tcpdump of my ppp link, and looked at
> > H> all of the DNS traffic.  Responses to my queries came in to *my* port
> > H> 53.
> >
> > dOc> Are you running your own named locally?  That would be why.
> >
> > Yes, I am.  Thanks for the explanation.
> >
> > Perhaps we should explain that if somebody wants a working firewall
> > they'll have to run a local (caching or forwarding only, even)
> > nameserver, too.
>
> It depends on how "working" a firewall you need.  If you don't run a
> local nameserver, you can simply deny all udp packets arriving with src port
> 53 which don't come from the name server defined in /etc/resolv.conf.
> If you want to run your own caching named, add a forwarder and the word
> 'slave' to your /etc/named.boot, and only allow udp src port 53 from your
> forwarder.
> If you run your own named, and you don't run it as a slave, you *must*
> accept udp packets with src port 53 and dst port 53 from anyone with
> ipfw.  The alternative is to use ipfilter with 'keep state'.

You must accept them to the host, but that doesn't mean you have to allow
them through the firewall.  At the very least, the current ruleset should
be commented with a big "this is a bad thing, it allows packets into your
network where they really shouldn't be".
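The three cases Daniel describes (no local named, a 'slave' named with a forwarder, a fully recursive named), with Marc's caveat applied to the last one, as an added example that is not part of the thread and not FreeBSD's rc.firewall. It is a small sh script that reads nameserver lines from a resolv.conf-style file and prints ipfw rules rather than loading them, so it runs anywhere; the firewall address 192.0.2.1, the resolver addresses in the test file, and the function names are assumptions made for the example. In the 'full' case the src-port-53 traffic is allowed only to the firewall host itself on port 53, never forwarded into the protected network, which is the distinction Marc draws.

```shell
#!/bin/sh
# Added example, not code from the thread or from rc.firewall.
# Prints ipfw rules for the DNS cases discussed; pipe the output into
# "ipfw" on a FreeBSD box, e.g.  sh dns_rules.sh full | sed 's/^/ipfw /' | sh
# All addresses below are constructed for the example.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
FW_HOST="${FW_HOST:-192.0.2.1}"     # the firewall's own address (assumed)

# Pull the nameserver addresses out of a resolv.conf-style file.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# dns_rules MODE FILE
#   stub   no local named: trust src-port-53 UDP only from the resolvers in FILE
#   slave  caching named with 'forwarders' and 'slave' in named.boot: same rule,
#          with FILE listing the forwarder(s)
#   full   named doing its own recursion: it queries from port 53, so answers
#          arrive 53->53 from anywhere, but only the firewall host may receive
#          them; nothing with src port 53 is forwarded into the inside network
dns_rules() {
    mode="$1"; conf="$2"
    case "$mode" in
        stub|slave)
            for ns in $(resolvers "$conf"); do
                echo "add allow udp from $ns 53 to any"
            done
            ;;
        full)
            echo "add allow udp from any 53 to $FW_HOST 53"
            ;;
        *)
            echo "dns_rules: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
    # Everything else with source port 53 is dropped and logged; because it
    # follows the allows above, this is what keeps 53->53 out of the inside net.
    echo "add deny log udp from any 53 to any"
}

# Run as a script: dns_rules.sh MODE [resolv.conf]
if [ $# -gt 0 ]; then
    dns_rules "$1" "${2:-$RESOLV_CONF}"
fi
```

Order matters: ipfw takes the first matching rule, so the allows must be loaded before the final deny. The stateless alternative Daniel mentions avoids the src-port-53 problem entirely; with ipfilter a rule of the form `pass out quick proto udp from any to any port = 53 keep state` lets the reply back in only for queries this host actually sent.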