Date: Thu, 27 Dec 2001 06:20:28 -0800 (PST)
From: X Philius <xphilius@yahoo.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>, security@FreeBSD.ORG, Dave Raven <dave@kill-9.za.net>
Subject: Re: Help with ipfw rules to allow DNS queries through
Message-ID: <20011227142028.13343.qmail@web11804.mail.yahoo.com>
In-Reply-To: <Pine.BSF.3.96.1011227181920.6650A-100000@gaia.nimnet.asn.au>
Ian and Security Wizards,
Thanks a whole heap! It looks to me that I have enough material here to
get this working. I am guessing that this broken UDP rule may have been
messing me up. I will put all these suggestions in place and post a
note next week when I have everything humming along.
Jason
--- Ian Smith <smithi@nimnet.asn.au> wrote:
> On Wed, 26 Dec 2001, X Philius wrote:
>
> > I am currently using an external DNS server via resolv.conf, you are
> > correct. I would think that the generic rule to allow all internally
> > established connections (both udp and tcp) to pass through would allow
> > this, even without any port specific rules. Is this not correct?
> >
> > # Allow set up of outgoing UDP connections
> > ${fwcmd} add pass udp from ${ip} to any setup
>
> There's no concept of 'setup' with UDP connections. You should find
> that ipfw (perhaps silently?) failed to add this rule, blowing away most
> UDP from your box, including DNS, if I've read your ruleset rightly?
>
> Does the output of 'ipfw list' or 'ipfw show' include that UDP rule?
> 'ipfw -t show | less' is handy to see what's happening, as is tcpdump ..
>
> [..]
>
> > I used to have named set up on my machine, before I upgraded to 4.4R,
> > and I plan to set it up again. However, before I upgraded I was using
> > this rule set, and it did not seem to allow me to access my machine as
> > a name server from another machine. I am not 100% sure that I tested it
>
> !ipfw add 702 count udp from any to any setup
> ipfw: error: unknown argument ``setup''
> usage: ipfw [options] ...
>
> > properly though, so the general question is; should I be able to use
> > this ruleset if I want to use my machine as a name server, ie to be
> > accessed by an external client, and authoritative on a domain or
> > twelve?
>
> Sure. Assuming your NAT etc is configured right, and the Cisco upstream
> is playing fair, you'd be well advised to follow up Dave Raven's message
> re bind setup to allow internal / deny external recursion and transfers.
>
> Of course you'll want to allow xfers as well with outside primaries and
> secondaries, and may need to add ipfw rules for them. We also share
> hosting a few domains with/for friends on lil systems, and log heaps of
> DNS subnet scanning and such, and the occasional poisoning attempt.
>
> man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts then
> increases by 1 the level of named logging, to /var/tmp/named.run - using
> Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy logging of
> all DNS activity for as much bind self-education as you've time for ..
>
> > As someone else mentioned, this is pretty much verbatim from
> > the default rc.firewall.
> >
> > # Allow DNS queries out and in
> > ${fwcmd} add pass tcp from any to ${ip} 53 setup
> > ${fwcmd} add pass udp from any to ${ip} 53
> > ${fwcmd} add pass udp from ${ip} 53 to any
>
> Only the comment differs from the alternatives posted :)
>
> It seems that more than DNS would be affected by a loss of outgoing UDP,
> if that is the case, but then you may have allowed everything else you
> want like quicktime and other streaming protocols (which caught my eye!)
>
> > Thanks much for your reply! I can't wait to get this working.
>
> tcpdump is your good mate. Here 'tcpdump -pen -i tun0 port 53' in a
> window inspires confidence when named's doing its thang.
>
> Cheers, Ian
>
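As an added example, not from anyone in this thread, here is a small POSIX sh lint for the exact mistake Ian points out: 'setup' is a TCP-only ipfw keyword, so a udp rule carrying it is rejected and the rule silently never exists. The sample ruleset is constructed from the rules quoted above; the function names and the ${fwcmd}/${ip} placeholders are assumptions.

```shell
#!/bin/sh
# Constructed sample mirroring the rc.firewall lines quoted in the thread.
SAMPLE_RULES='# Allow set up of outgoing UDP connections
${fwcmd} add pass udp from ${ip} to any setup
# Allow DNS queries out and in
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any'

# Report every non-comment udp rule that uses 'setup' (ipfw would reject it).
# Prints "line N: ..." per hit; returns 1 if any hit, 0 if the set is clean.
lint_udp_setup() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /[ \t]udp[ \t]/ && /[ \t]setup([ \t]|$)/ {
            printf "line %d: setup is TCP-only, ipfw will reject this rule: %s\n", NR, $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Rewrite: drop the trailing 'setup' from udp rules so the outgoing-UDP allow
# actually loads (stateless, which is all UDP can be in this ruleset style).
fix_udp_setup() {
    printf '%s\n' "$1" | sed -E '/ udp / s/ +setup *$//'
}

# Sanity check that the three DNS rules from the thread survive the rewrite:
# TCP/53 in (with setup), UDP/53 in, and UDP/53 replies out.
dns_rules_present() {
    printf '%s\n' "$1" | grep -q 'pass tcp from any to .* 53 setup' &&
    printf '%s\n' "$1" | grep -q 'pass udp from any to .* 53' &&
    printf '%s\n' "$1" | grep -q 'pass udp from .* 53 to any'
}

# Run against the sample when executed directly.
if [ "${0##*/}" = "lint_ipfw_udp.sh" ]; then
    lint_udp_setup "$SAMPLE_RULES" || {
        echo "--- corrected ruleset ---"
        fix_udp_setup "$SAMPLE_RULES"
    }
fi
```

Pipe the real rc.firewall through the same functions before loading it; 'ipfw list' afterwards, as Ian suggests, confirms which rules actually made it in.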
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011227142028.13343.qmail>
