From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Date: Wed, 9 Jul 2008 12:57:24 +0200
Subject: Re: ports
Message-Id: <200807091257.24627.fbsd.questions@rachie.is-a-geek.net>
References: <4873927E.3050307@godfur.com> <200807082004.25873.fbsd.questions@rachie.is-a-geek.net>
List-Id: User questions (freebsd-questions@freebsd.org)

On Tuesday 08 July 2008 23:07:58 Chuck Swiger wrote:
> On Jul 8, 2008, at 11:04 AM, Mel wrote:
> > On Tuesday 08 July 2008 19:07:02 Matthew Seaman wrote:
> >> You can configure named to always send packets using a
> >> fixed port number (which can be helpful for firewalling)
> >
> > Purely out of interest, which (useful) firewall/nat rules cannot be
> > made with dest port 53, that can be made with source port 53. Not talking
> > syntax, but "business logically".
>
> Please note that using the same port for answering queries makes it
> vastly easier for somebody to spoof your DNS traffic. Unless you are
> one of the handful using DNSSEC, that is.

That's exactly why I asked. I don't see a reason to use a fixed source port, since you can always make rules (even for bandwidth shaping) based on destination port only.

The only difference you'll be able to account for is "resolver clients querying directly to the internet installed on the machine with your DNS server" vs the DNS server itself. IMO, that distinction is not worth the risk or even important in any accounting/bandwidth shaping scheme.

But I may have overlooked a valid scenario.

-- 
Mel

Problem with today's modular software: they start with the modules and never get to the software part.
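The spoofing risk Chuck raises above, as an added illustration that is not part of the original thread and not code from BIND or FreeBSD: a toy model of what an off-path attacker has to guess before a forged reply is accepted. A reply is only matched to an outstanding query if its 16-bit transaction ID and its destination UDP port (the resolver's source port) both line up. Pinning the source port to 53 removes the port as an unknown; letting the resolver draw it from an ephemeral range multiplies the blind attacker's work by the size of that range. The resolver class, the 1024-65535 port pool, the attacker's packet budget and the RNG seed are all assumptions of this example, not values taken from the thread.

```python
"""Blind DNS reply forgery: fixed vs. randomised resolver source port.

Constructed model, not a real resolver. An off-path attacker never sees
the query, so a forged reply is accepted only if it carries the right
16-bit transaction ID *and* arrives on the UDP port the resolver chose
as its source port.
"""
import random

TXID_SPACE = 1 << 16                   # DNS transaction ID is 16 bits
EPHEMERAL_PORTS = range(1024, 65536)   # assumed randomised source-port pool


class ToyResolver:
    """Issues one outstanding query and checks forged replies against it."""

    def __init__(self, rng, fixed_port=None):
        self.rng = rng
        self.fixed_port = fixed_port   # e.g. 53 when query-source is pinned
        self.txid = None
        self.sport = None

    def send_query(self):
        self.txid = self.rng.randrange(TXID_SPACE)
        if self.fixed_port is not None:
            self.sport = self.fixed_port
        else:
            self.sport = self.rng.choice(EPHEMERAL_PORTS)
        return self.txid, self.sport

    def accepts(self, reply_txid, reply_dport):
        # A real resolver also matches the question section and the
        # server's address; the attacker knows both, so only the two
        # unknowns are modelled here.
        return reply_txid == self.txid and reply_dport == self.sport


def search_space(port_fixed):
    """Number of (txid, port) pairs a blind attacker must cover."""
    return TXID_SPACE * (1 if port_fixed else len(EPHEMERAL_PORTS))


def forged_packets_until_accept(resolver, port_known, budget, rng):
    """Flood forged replies at the resolver. Returns the packet count at
    which one is accepted, or None if the attacker's budget runs out."""
    resolver.send_query()
    if port_known:
        # A fixed port is observable (it never changes), so the attacker
        # only has to walk the transaction-ID space, without repeats.
        assert resolver.fixed_port is not None
        candidates = list(range(TXID_SPACE))
        rng.shuffle(candidates)
        for n, txid in enumerate(candidates[:budget], start=1):
            if resolver.accepts(txid, resolver.fixed_port):
                return n
        return None
    # Randomised port: the attacker must guess txid and port together.
    for n in range(1, budget + 1):
        txid = rng.randrange(TXID_SPACE)
        port = rng.choice(EPHEMERAL_PORTS)
        if resolver.accepts(txid, port):
            return n
    return None


def compare(seed=1, budget=200_000):
    """Run the same attacker budget against both resolver configurations."""
    rng = random.Random(seed)          # assumed seed, for repeatability
    fixed = forged_packets_until_accept(
        ToyResolver(rng, fixed_port=53), port_known=True, budget=budget, rng=rng)
    randomised = forged_packets_until_accept(
        ToyResolver(rng), port_known=False, budget=budget, rng=rng)
    return {"fixed_port_53": fixed, "random_port": randomised}


if __name__ == "__main__":
    print("search space, port fixed :", search_space(True))
    print("search space, port random:", search_space(False))
    print(compare())
```

With the port pinned, the attacker is guaranteed a hit within 65536 forged packets; with a randomised port the same 200,000-packet budget almost never succeeds, because the combined space is about 4.2 billion pairs. This is the whole of the trade-off the thread is discussing: a fixed source port buys nothing for rules keyed on destination port 53, and hands a blind spoofer one of its two unknowns.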