From owner-freebsd-security  Thu Dec 27  6:21: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from web11804.mail.yahoo.com (web11804.mail.yahoo.com [216.136.172.158])
	by hub.freebsd.org (Postfix) with SMTP id 5D0A537B41C
	for <security@FreeBSD.ORG>; Thu, 27 Dec 2001 06:20:28 -0800 (PST)
Message-ID: <20011227142028.13343.qmail@web11804.mail.yahoo.com>
Received: from [64.73.64.94] by web11804.mail.yahoo.com via HTTP; Thu, 27 Dec 2001 06:20:28 PST
Date: Thu, 27 Dec 2001 06:20:28 -0800 (PST)
From: X Philius <xphilius@yahoo.com>
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: Ian Smith <smithi@nimnet.asn.au>
Cc: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>, security@FreeBSD.ORG,
	Dave Raven <dave@kill-9.za.net>
In-Reply-To: <Pine.BSF.3.96.1011227181920.6650A-100000@gaia.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Ian and Security Wizards,
Thanks a whole heap! It looks to me that I have enough material here to
get this working. I am guessing that this broken UDP rule may have been
messing me up. I will put all these suggestions in place and post a
note next week when I have everything humming along.

Jason

--- Ian Smith <smithi@nimnet.asn.au> wrote:
> On Wed, 26 Dec 2001, X Philius wrote:
> 
>  > I am currently using an external DNS server via resolv.conf, you
> are
>  > correct. I would think that the generic rule to allow all
> internally
>  > established connections (both udp and tcp) to pass through would
> allow
>  > this, even without any port specific rules. Is this not correct?
>  > 
>  > 	# Allow set up of outgoing UDP connections
>  > 	${fwcmd} add pass udp from ${ip} to any setup
> 
> There's no concept of 'setup' with UDP connections.  You should find
> that ipfw (perhaps silently?) failed to add this rule, blowing away
> most
> UDP from your box, including DNS, if I'm read your ruleset rightly? 
> 
> Does the output of 'ipfw list' or 'ipfw show' include that UDP rule? 
> 'ipfw -t show | less' is handy to see what's happening, as is tcpdump
> ..
> 
> [..]
> 
>  >  I used to have named set up on my machine, before I upgraded to
> 4.4R,
>  > and I plan to set it up again. However, before I upgraded I was
> using
>  > this rule set, and it did not seem to allow me to access my
> machine as
>  > a name server from another machine. I am not 100% sure that I
> tested it
> 
> !ipfw add 702 count udp from any to any setup
> ipfw: error: unknown argument ``setup''
> usage: ipfw [options] ...
> 
>  > properly though, so the general question is; should I be able to
> use
>  > this ruleset if I want to use my machine as a names server, ie to
> be
>  > accessed by an external client, and authoratative on a domain or
>  > twelve?
> 
> Sure.  Assuming your NAT etc is configured right, and the Cisco
> upstream
> is playing fair, you'd be well advised to follow up Dave Raven's
> message
> re bind setup to allow internal / deny external recursion and
> transfers.
> 
> Of course you'll want to allow xfers as well with outside primaries
> and
> secondaries, and may need to add ipfw rules for them.  We also share
> hosting a few domains with/for friends on lil systems, and log heaps
> of
> DNS subnet scanning and such, and the occasional poisoning attempt.
> 
> man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts
> then
> increases by 1 the level of named logging, to /var/tmp/named.run -
> using
> Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy logging
> of
> all DNS activity for as much bind self-education as you've time for
> ..
> 
>  > As someone else mentioned, this is pretty much verbatim from
>  > the default rc.firewall.
>  > 
>  > # Allow DNS queries out  and in
>  > ${fwcmd} add pass tcp from any to ${ip} 53 setup
>  > ${fwcmd} add pass udp from any to ${ip} 53
>  > ${fwcmd} add pass udp from ${ip} 53 to any
> 
> Only the comment differs from the alternatives posted :)
> 
> It seems that more than DNS would be affected by a loss of outgoing
> UDP,
> if that is the case, but then you may have allowed everything else
> you
> want like quicktime and other streaming protocols (which caught my
> eye!)
> 
>  > Thanks much for your reply! I can't wait to get this working.
> 
> tcpdump is your good mate.  Here 'tcpdump -pen -i tun0 port 53' in a
> window inspires confidence when named's doing its thang.
> 
> Cheers, Ian
> 


__________________________________________________
Do You Yahoo!?
Send your FREE holiday greetings online!
http://greetings.yahoo.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message