From owner-freebsd-security  Thu Dec 27  6:21: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web11804.mail.yahoo.com (web11804.mail.yahoo.com [216.136.172.158])
	by hub.freebsd.org (Postfix) with SMTP id 5D0A537B41C
	for ; Thu, 27 Dec 2001 06:20:28 -0800 (PST)
Message-ID: <20011227142028.13343.qmail@web11804.mail.yahoo.com>
Received: from [64.73.64.94] by web11804.mail.yahoo.com via HTTP; Thu, 27 Dec 2001 06:20:28 PST
Date: Thu, 27 Dec 2001 06:20:28 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: Ian Smith
Cc: "G.P. de Boer", security@FreeBSD.ORG, Dave Raven
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ian and Security Wizards,

Thanks a whole heap! It looks to me that I have enough material here to get
this working. I am guessing that this broken UDP rule may have been messing
me up. I will put all these suggestions in place and post a note next week
when I have everything humming along.

Jason

--- Ian Smith wrote:
> On Wed, 26 Dec 2001, X Philius wrote:
>
> > I am currently using an external DNS server via resolv.conf, you are
> > correct. I would think that the generic rule to allow all internally
> > established connections (both udp and tcp) to pass through would allow
> > this, even without any port specific rules. Is this not correct?
> >
> > # Allow set up of outgoing UDP connections
> > ${fwcmd} add pass udp from ${ip} to any setup
>
> There's no concept of 'setup' with UDP connections. You should find
> that ipfw (perhaps silently?) failed to add this rule, blowing away most
> UDP from your box, including DNS, if I've read your ruleset rightly?
>
> Does the output of 'ipfw list' or 'ipfw show' include that UDP rule?
> 'ipfw -t show | less' is handy to see what's happening, as is tcpdump ..
>
> [..]
>
> > I used to have named set up on my machine, before I upgraded to 4.4R,
> > and I plan to set it up again. However, before I upgraded I was using
> > this rule set, and it did not seem to allow me to access my machine as
> > a name server from another machine. I am not 100% sure that I tested it
>
> !ipfw add 702 count udp from any to any setup
> ipfw: error: unknown argument ``setup''
> usage: ipfw [options] ...
>
> > properly though, so the general question is; should I be able to use
> > this ruleset if I want to use my machine as a name server, ie to be
> > accessed by an external client, and authoritative on a domain or
> > twelve?
>
> Sure. Assuming your NAT etc is configured right, and the Cisco upstream
> is playing fair, you'd be well advised to follow up Dave Raven's message
> re bind setup to allow internal / deny external recursion and transfers.
>
> Of course you'll want to allow xfers as well with outside primaries and
> secondaries, and may need to add ipfw rules for them. We also share
> hosting a few domains with/for friends on lil systems, and log heaps of
> DNS subnet scanning and such, and the occasional poisoning attempt.
>
> man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts then
> increases by 1 the level of named logging, to /var/tmp/named.run - using
> Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy logging of
> all DNS activity for as much bind self-education as you've time for ..
>
> > As someone else mentioned, this is pretty much verbatim from
> > the default rc.firewall.
> >
> > # Allow DNS queries out and in
> > ${fwcmd} add pass tcp from any to ${ip} 53 setup
> > ${fwcmd} add pass udp from any to ${ip} 53
> > ${fwcmd} add pass udp from ${ip} 53 to any
>
> Only the comment differs from the alternatives posted :)
>
> It seems that more than DNS would be affected by a loss of outgoing UDP,
> if that is the case, but then you may have allowed everything else you
> want like quicktime and other streaming protocols (which caught my eye!)
>
> > Thanks much for your reply! I can't wait to get this working.
>
> tcpdump is your good mate. Here 'tcpdump -pen -i tun0 port 53' in a
> window inspires confidence when named's doing its thang.
>
> Cheers, Ian
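
A quick check for the kind of broken rule Ian describes, added here as an example (a shell script written for this archive page, not code from the thread or from FreeBSD's rc.firewall). It lints an rc.firewall-style rule list for UDP rules carrying the TCP-only 'setup' or 'established' keywords, the very line that ipfw refuses with "unknown argument ``setup''", and emits a repaired version. The sample ruleset inside it is constructed from the fragments quoted above; the keep-state line is an assumption that the ipfw in use has stateful rules (FreeBSD 4.x does). Only POSIX sh and awk are needed; ipfw itself is not run.

```sh
#!/bin/sh
# Added example, not part of the thread above: lint an ipfw ruleset for the
# mistake Ian points out, the TCP-only options "setup" and "established"
# applied to a UDP rule. ipfw rejects such a line ("unknown argument
# ``setup''"), and because rc.firewall just carries on, that rule is simply
# missing from the loaded set, so the outbound UDP it was meant to pass (DNS
# included) never gets its pass rule.
# Assumes only POSIX sh and awk; ipfw is not invoked here.

# Constructed sample ruleset, modelled on the rc.firewall fragments quoted in
# the thread. ${fwcmd} and ${ip} are kept as the literal variables rc.firewall
# uses (single quotes stop the shell expanding them here).
SAMPLE_RULES='
# Allow set up of outgoing TCP connections
${fwcmd} add pass tcp from ${ip} to any setup
# Allow set up of outgoing UDP connections   (broken: UDP has no setup)
${fwcmd} add pass udp from ${ip} to any setup
# Allow DNS queries out and in
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any
# Stateful alternative for a resolver client (assumes ipfw with keep-state)
${fwcmd} add pass udp from ${ip} to any 53 keep-state
'

# lint_ipfw_rules RULESET
# Prints every rule that combines proto udp with setup/established.
# Exit status 0 if the ruleset is clean, 1 if anything was flagged.
lint_ipfw_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            udp = 0; tcponly = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "udp") udp = 1
                if ($i == "setup" || $i == "established") tcponly = 1
            }
            if (udp && tcponly) {
                print "TCP-only option on a UDP rule: " $0
                bad++
            }
        }
        END { exit bad > 0 ? 1 : 0 }
    '
}

# fix_udp_rules RULESET
# Emits the ruleset with setup/established stripped from UDP rules. Note the
# semantics: the result is a plain "pass udp ..." matching every datagram in
# that direction, which is what the quoted comment intended; keep-state is
# the UDP-capable option if a stateful match is wanted instead.
fix_udp_rules() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            udp = 0
            for (i = 1; i <= NF; i++) if ($i == "udp") udp = 1
            if (!udp) { print; next }
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "setup" || $i == "established") continue
                out = out (out == "" ? "" : " ") $i
            }
            print out
        }
    '
}

# Run directly with --demo: report offending rules, then print the repaired set.
if [ "${1:-}" = "--demo" ]; then
    lint_ipfw_rules "$SAMPLE_RULES" || echo "--- repaired ruleset ---"
    fix_udp_rules "$SAMPLE_RULES"
fi
```

Run it as `sh lint.sh --demo` against your own rc.firewall fragment in place of SAMPLE_RULES. After loading the repaired rules the check Ian suggests still applies: `ipfw -t show` should list every UDP rule you expect, and the counters on the port 53 rules should tick while `tcpdump -pen -i tun0 port 53` shows the queries leaving.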