From owner-freebsd-security Wed Dec 26 12:24:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (veldy-host33.dsl.visi.com [209.98.200.33]) by hub.freebsd.org (Postfix) with ESMTP id 7B9E237B50F for ; Wed, 26 Dec 2001 12:24:34 -0800 (PST) Received: from HP2500B (localhost.veldy.net [127.0.0.1]) by veldy.net (Postfix) with SMTP id 26ACC1A110 for ; Wed, 26 Dec 2001 14:24:33 -0600 (CST) Message-ID: <00ea01c18e4b$19edf0c0$3028680a@tgt.com> From: "Thomas T. Veldhouse" To: References: <20011226194513.76507.qmail@web11801.mail.yahoo.com> Subject: Re: Help with ipfw rules to allow DNS queries through Date: Wed, 26 Dec 2001 14:22:54 -0600 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Try replacing your DNS rules with this: # Allow access to our DNS ${fwcmd} add pass tcp from any to ${ip} 53 setup ${fwcmd} add pass udp from any to ${ip} 53 ${fwcmd} add pass udp from ${ip} 53 to any Straight out of /etc/rc.firewall. I don't think the first line is really necessary, and in fact, it probably allows zone transfers, so if you don't want these, don't include it. Tom Veldhouse veldy71@yahoo.com ----- Original Message ----- From: "X Philius" To: Sent: Wednesday, December 26, 2001 1:45 PM Subject: Help with ipfw rules to allow DNS queries through > Security Folks, > I have a stand alone server co-located on my employers T1 line. As I > am behind NAT, but not behind a firewall, I have set up ipfw so I can > have *some* control over what gets in and out of my machine. One more > layer in the security onion! > > My box is set up as a web server, shoutcast server, and Darwin > Quicktime Streaming Video server. I would like to add DNS to the mix so > I can cheaply host domains for my friends and family, but my ipfw rules > are hanging me up. All the rules below seem to work as I would expect, > except for my attempt to allow DNS queries in and out. The current rule > set does not even appear to allow me to access an outside DNS server > (ie the server listed in my resolv.conf), much less allow my machine to > be accessed by others as a DNS server. I started out with the example > 'client' rule set, and added holes for SSH, Darwin and the Shoutcast > servers. > > I do not think this is a factor (it didn't work before my upgrade > either) but I originally set up this rule set under 4.1 Release, and I > am now running 4.4 Release. I believe there were some changes to ipfw > in the transition, but the example rc.firewall looked about the same to > me, so I assume the changes were under the hood. > > As you can infer from my attempt to add the DNS rules below, I know > there is a UDP and a TCP component to DNS queries, but apparently I do > not have the full picture ;-) > > Can you suggest a set of rules to allow DNS queries in and out of my > server? As I said, the rest of the rules *seem* to work fine as is, but > if you see anything else I am not doing right I'd appreciate any tips. > > Thanks in advance! > > Jason > > > # set these to your network and netmask and ip > net="10.1.3.0" > mask="255.255.255.0" > ip="10.1.3.2" > > # Allow TCP through if setup succeeded > ${fwcmd} add pass tcp from any to any established > > # Allow IP fragments to pass through > ${fwcmd} add pass all from any to any frag > > # Allow setup of incoming email > ${fwcmd} add pass tcp from any to ${ip} 25 setup > > # Allow incoming SSH requests > ${fwcmd} add pass tcp from any to ${ip} 22 > > # Allow incoming HTTP requests > ${fwcmd} add pass tcp from any to ${ip} 80 > > # Allow incoming FTP requests > ${fwcmd} add pass tcp from any to ${ip} 21 > > # Allow incoming POP requests > ${fwcmd} add pass tcp from any to ${ip} 110 > > # Allow incoming Darwin requests (also uses port 80) > ${fwcmd} add pass tcp from any to ${ip} 554 > ${fwcmd} add pass tcp from any to ${ip} 7070 > > # Allow outgoing UDP connections of Darwin media > ${fwcmd} add pass udp from ${ip} to any 6970-6975 > > # Allow incoming Shoutcast requests > ${fwcmd} add pass tcp from any to ${ip} 8008 > ${fwcmd} add pass tcp from any to ${ip} 8009 > ${fwcmd} add pass tcp from any to ${ip} 7007 > ${fwcmd} add pass tcp from any to ${ip} 7008 > > # Allow DNS queries out and in > ${fwcmd} add pass tcp from any to ${ip} 53 setup > ${fwcmd} add pass udp from any to ${ip} 53 > ${fwcmd} add pass udp from ${ip} 53 to any > > # Allow set up of outgoing UDP connections > ${fwcmd} add pass udp from ${ip} to any setup > > # Allow setup of outgoing TCP connections > ${fwcmd} add pass tcp from ${ip} to any setup > > # Disallow setup of all other TCP connections > ${fwcmd} add deny tcp from any to any setup > > # Everything else is denied by default, unless the > # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel > # config file. > ;; > > > __________________________________________________ > Do You Yahoo!? > Send your FREE holiday greetings online! > http://greetings.yahoo.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message