From owner-freebsd-security Mon Jul 27 02:58:39 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA14262 for freebsd-security-outgoing; Mon, 27 Jul 1998 02:58:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA14156 for ; Mon, 27 Jul 1998 02:58:22 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 27058 invoked by uid 1001); 27 Jul 1998 09:57:52 +0000 (GMT)
To: jkb@best.com
Cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
In-Reply-To: Your message of "Mon, 27 Jul 1998 02:22:25 -0700 (PDT)"
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Mon, 27 Jul 1998 11:57:51 +0200
Message-ID: <27056.901533471@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >> # Allow DNS queries out in the world
> >> ipfw add pass udp from any 53 to ${ip}
> >> ipfw add pass udp from ${ip} to any 53
> >>
> >> You will need to enable same setup as above but for tcp for zone
> >> transfers (someone correct me if I am wrong).
> >
> >Unfortunately, it's not quite that simple:
> >
>
> Hmm.. You sure? Not according to Stevens and my tcpdump:

I'm sure. We're talking about different things.

> >- You can't know the source port in zone transfers initiated from your
> >own name server. It won't be 53 - remember that zone transfers are
> >performed by a separate program (named-xfer).

Notice I said "initiated from your own name server". I am talking about a
name server that is *inside* the firewall, initiating a zone transfer from
a name server that is *outside* the firewall - presumably because the name
server inside is secondary for some of the zones on the name server
outside the firewall. The port number for the name server which initiates
the zone transfer will *not* be 53. In your case, you're the one
initiating the zone transfer, and your port number is 2509.

> >- If you use BIND 8, the source port for queries initiated by the name
> >server itself will *not* be 53 unless you explicitly say so.
>
> Source port for queries will be greater than 1024 (e.g.: port 2509
> above). Destination port for queries will be DNS server, which runs on
> port 53. Are we talking about two different things here? :)

Again, I'm talking about a name server *inside* the firewall sending
queries to name servers outside. BIND 8 behaves differently from BIND 4 by
default. A name server sometimes needs to initiate queries by itself (e.g.
to perform a recursive query on behalf of a client). The *source port* for
queries initiated by the name server itself *will not* be 53 in BIND 8
unless you specifically tell it so.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
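The point of the exchange above is that a name server inside the firewall does not use source port 53 for the queries and zone transfers it initiates itself (BIND 8 queries, named-xfer), so a ruleset that pins port 53 on *both* ends silently breaks it. The following is an added example, not code from the thread or from FreeBSD: a small first-match model of the ipfw rule subset quoted in the message, run against constructed packets. The addresses (192.0.2.10 as `${ip}`, 198.51.100.1 as the outside master), the "pinned" ruleset used as the broken case, and the assumption that the kernel's default rule denies are all mine; port 2509 is the port from the thread's tcpdump, and `established` is ipfw's own keyword for TCP packets with ACK set.

```python
"""Added example (not from the freebsd-security thread): a first-match model of
the ipfw rule subset quoted in the thread, used to check what two rulesets do
with traffic that a name server *inside* the firewall initiates on an
unprivileged source port (2509 in the thread's tcpdump)."""
from dataclasses import dataclass
from typing import List, Optional

NS_IP = "192.0.2.10"         # assumed: our name server behind the firewall (${ip})
REMOTE_NS = "198.51.100.1"   # assumed: master name server outside the firewall


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False        # TCP ACK flag; False for the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "deny"
    proto: str               # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str                 # address or "any"
    sport: Optional[int]     # None means any port
    dst: str
    dport: Optional[int]
    established: bool = False   # ipfw 'established': only TCP packets with ACK set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the thread, e.g.
       'pass udp from any 53 to ${ip}' or '... to ${ip} established'."""
    tok = text.replace("${ip}", NS_IP).split()
    action, proto = tok[0], tok[1]
    assert tok[2] == "from" and "to" in tok, "expected: action proto from ... to ..."
    i = tok.index("to")
    src_part, rest = tok[3:i], tok[i + 1:]
    src = src_part[0]
    sport = int(src_part[1]) if len(src_part) > 1 else None
    dst = rest[0]
    dport = int(rest[1]) if len(rest) > 1 and rest[1].isdigit() else None
    return Rule(action, proto, src, sport, dst, dport, "established" in rest)


def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; assumed: the kernel's default rule denies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed broken case: both ends pinned to 53, which only fits a server
# that really does send from port 53 (the BIND 4 default the thread alludes to).
PINNED = [parse_rule(r) for r in (
    "pass udp from any 53 to ${ip} 53",
    "pass udp from ${ip} 53 to any 53",
    "pass tcp from any 53 to ${ip} 53",
    "pass tcp from ${ip} 53 to any 53",
)]

# The thread's rules (remote port fixed, local port left open), with the TCP
# reply rule restricted to 'established' so only answers to connections our
# server opened come back in, not new connections that merely use source port 53.
OPEN_LOCAL_PORT = [parse_rule(r) for r in (
    "pass udp from any 53 to ${ip}",
    "pass udp from ${ip} to any 53",
    "pass tcp from any 53 to ${ip} established",
    "pass tcp from ${ip} to any 53",
)]

# Constructed traffic: a BIND 8 recursive query and a named-xfer zone transfer,
# both initiated from inside on port 2509, plus a fresh inbound TCP connection
# that just happens to come from port 53.
QUERY_OUT = Packet("udp", NS_IP, 2509, REMOTE_NS, 53)
QUERY_REPLY = Packet("udp", REMOTE_NS, 53, NS_IP, 2509)
AXFR_SYN = Packet("tcp", NS_IP, 2509, REMOTE_NS, 53)
AXFR_REPLY = Packet("tcp", REMOTE_NS, 53, NS_IP, 2509, ack=True)
INBOUND_FROM_53 = Packet("tcp", REMOTE_NS, 53, NS_IP, 2509)


def check(rules: List[Rule]) -> dict:
    """Verdict per constructed packet, so the two rulesets can be compared."""
    return {
        "query_out": verdict(rules, QUERY_OUT),
        "query_reply": verdict(rules, QUERY_REPLY),
        "axfr_syn": verdict(rules, AXFR_SYN),
        "axfr_reply": verdict(rules, AXFR_REPLY),
        "inbound_from_53": verdict(rules, INBOUND_FROM_53),
    }


if __name__ == "__main__":
    for name, rs in (("pinned", PINNED), ("open_local_port", OPEN_LOCAL_PORT)):
        print(name, check(rs))
```

Under the pinned ruleset every packet from port 2509 is dropped, so the inside server can neither resolve nor pull zones; under the thread's rules, with the local port left open, all four legitimate packets pass. The `established` qualifier on the inbound TCP rule is the caveat worth keeping: without it, "pass tcp from any 53 to ${ip}" also admits any new connection to any TCP port on the server as long as the peer sends from port 53.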