Date:      Mon, 27 Jul 1998 11:57:51 +0200
From:      sthaug@nethelp.no
To:        jkb@best.com
Cc:        j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw rules to allow DNS activity
Message-ID:  <27056.901533471@verdi.nethelp.no>
In-Reply-To: Your message of "Mon, 27 Jul 1998 02:22:25 -0700 (PDT)"
References:  <Pine.BSF.3.96.980727021508.4055A-100000@shell6.ba.best.com>

> >>         # Allow DNS queries out in the world
> >>         ipfw add pass udp from any 53 to ${ip}
> >>         ipfw add pass udp from ${ip} to any 53
> >> 
> >> 	You will need to enable same setup as above but for tcp for zone
> >> 	transfers (someone correct me if I am wrong).
> >
> >Unfortunately, it's not quite that simple:
> >
> 
> 	Hmm.. You sure? Not according to Stevens and my tcpdump:

I'm sure. We're talking about different things.

> >- You can't know the source port in zone transfers initiated from your
> >own name server. It won't be 53 - remember that zone transfers are
> >performed by a separate program (named-xfer).

Notice I said "initiated from your own name server". I am talking about
a name server that is *inside* the firewall, initiating a zone transfer
from a name server that is *outside* the firewall - presumably because
the name server inside is secondary for some of the zones on the name
server outside the firewall. The port number for the name server which
initiates the zone transfer will *not* be 53. In your case, you're the
one initiating the zone transfer, and your port number is 2509.

> >- If you use BIND 8, the source port for queries initiated by the name
> >server itself will *not* be 53 unless you explicitly say so.
> 
> 	Source port for queries will be greater than 1024 (e.g.: port 2509
> above). Destination port for queries will be DNS server, which runs on
> port 53. Are we talking about two different things here? :)

Again, I'm talking about a name server *inside* the firewall sending
queries to name servers outside.

BIND 8 behaves differently from BIND 4 by default. A name server sometimes
needs to initiate queries by itself (e.g. to perform a recursive query on
behalf of a client). The *source port* for queries initiated by the name
server itself *will not* be 53 in BIND 8 unless you specifically tell it
so.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
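The point of the message above is that a BIND 8 name server (and named-xfer) sends from an unprivileged port, so an ipfw rule that expects port 53 on the local end silently drops that traffic. The following is an added illustration, not code from the thread or from FreeBSD: a small model of ipfw first-match rule evaluation, run over constructed packets. The addresses 192.0.2.10 (standing in for ${ip}) and 198.51.100.1, the port numbers other than 2509, and the rule names are assumptions made for the example.

```python
"""Model of ipfw-style 'pass' rules applied to DNS traffic from a BIND 8
name server that uses unprivileged source ports.

Added illustration, not code from the mailing-list thread. Only the fields
that matter here are modelled: protocol, source/destination address and port.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One rule in the form 'action proto from src [sport] to dst [dport]'."""
    action: str             # "pass" or "deny"
    proto: str              # "udp" or "tcp"
    src: str                # IP address or "any"
    sport: Optional[int]    # None means any source port
    dst: str
    dport: Optional[int]    # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Address 'any' and a port of None are wildcards, as in ipfw syntax."""
    return (
        rule.proto == pkt.proto
        and rule.src in ("any", pkt.src)
        and rule.sport in (None, pkt.sport)
        and rule.dst in ("any", pkt.dst)
        and rule.dport in (None, pkt.dport)
    )


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


IP = "192.0.2.10"         # constructed: the name server behind the firewall (${ip})
REMOTE = "198.51.100.1"   # constructed: a name server outside the firewall

# Ruleset that pins port 53 on BOTH ends, i.e. assumes the local name
# server always sends from port 53. BIND 8 does not, by default.
PINNED_BOTH_ENDS = [
    Rule("pass", "udp", "any", 53, IP, 53),
    Rule("pass", "udp", IP, 53, "any", 53),
    Rule("pass", "tcp", "any", 53, IP, 53),
    Rule("pass", "tcp", IP, 53, "any", 53),
]

# The quoted rules, with the same pair repeated for tcp: only the remote
# end is pinned to 53, the local port is left open.
REMOTE_53_ONLY = [
    Rule("pass", "udp", "any", 53, IP, None),
    Rule("pass", "udp", IP, None, "any", 53),
    Rule("pass", "tcp", "any", 53, IP, None),
    Rule("pass", "tcp", IP, None, "any", 53),
]

# Constructed traffic. 2509 is the port seen in the thread; the others are
# arbitrary unprivileged ports chosen for the example.
TRAFFIC: Dict[str, Packet] = {
    "recursive query out (BIND 8)": Packet("udp", IP, 2509, REMOTE, 53),
    "reply to that query":          Packet("udp", REMOTE, 53, IP, 2509),
    "zone transfer out (named-xfer)": Packet("tcp", IP, 2510, REMOTE, 53),
    "zone transfer data back":      Packet("tcp", REMOTE, 53, IP, 2510),
    # Not DNS at all: anything sent *from* port 53 to some other local port.
    "remote src port 53 to local 111": Packet("udp", REMOTE, 53, IP, 111),
}


def check(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every constructed packet under the given ruleset."""
    return {name: verdict(rules, pkt) for name, pkt in TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules in (("pinned both ends", PINNED_BOTH_ENDS),
                         ("remote 53 only", REMOTE_53_ONLY)):
        print(label)
        for name, result in check(rules).items():
            print(f"  {result:5s} {name}")
```

Under the pinned ruleset every packet the BIND 8 server originates, and every reply to it, is denied, which is the failure the message describes. The ruleset that only pins the remote end passes them, but note the last constructed packet: `pass udp from any 53 to ${ip}` accepts anything whose source port happens to be 53, whatever local port it targets, so it is a deliberate trade-off rather than a free fix. If you would rather keep the local end pinned, BIND 8's `query-source address * port 53;` in the `options` block is the way to "explicitly say so" for queries the server itself originates.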



