From owner-freebsd-security Mon Jul 27 12:05:14 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA16441 for freebsd-security-outgoing; Mon, 27 Jul 1998 12:05:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from leaf.lumiere.net (j@leaf.lumiere.net [207.218.152.15]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA16305 for ; Mon, 27 Jul 1998 12:04:40 -0700 (PDT) (envelope-from j@leaf.lumiere.net)
Received: (from j@localhost) by leaf.lumiere.net (8.9.1/8.9.1) id MAA22128; Mon, 27 Jul 1998 12:03:56 -0700 (PDT)
Date: Mon, 27 Jul 1998 12:03:56 -0700 (PDT)
From: Jesse
To: Mike
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw rules to allow DNS activity
In-Reply-To: 
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > hehe). Anyway, I was wondering what are the minimum rules necessary to
> > allow DNS queries/transfers from other servers to my server, and also to
> > allow queries from my server to other servers.
>
> I'm running BIND8, and would suggest that you simply use an
> 'allow-transfer' statement in named.conf if you are doing the same.
> Unless you prefer using ipfw for some reason, setup and maintenance seems
> much simpler and understandable through named.conf.

Hi Mike,

The reason is that even if I allow that, an ipfw firewall that denies
everything except what is specifically allowed will still prevent all DNS
activity. I think the others covered it pretty well though. And thanks for
the allow-transfer tip, I can probably use that in addition to the ipfw
rules. :)

> allow-transfer {
>     10.2.0.1; // ips of servers to allow...
>     10.2.0.3;
>     //etc...
> };
>
> -mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
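The thread ends with the two controls combined: a default-deny ipfw policy that opens only what DNS needs, plus an allow-transfer statement in named.conf. The script below is an added example written for this page; it is not from the list thread, from Mike or Jesse, or from the FreeBSD project. The server address NS, the interface IF, the SECONDARIES list and the rule numbers are all made-up values for illustration. It emits the minimal ipfw rules for queries in both directions and for zone transfers, and generates the allow-transfer stanza from the same host list so the packet filter and BIND never disagree about who may pull a zone.

```sh
#!/bin/sh
# Added example (not from the thread or from FreeBSD): minimal ipfw rules for
# a BIND server behind a default-deny policy, plus the matching named.conf
# allow-transfer stanza built from the same host list.
# Assumed values, all invented for illustration:
NS=${NS:-10.2.0.2}                           # our name server's address
IF=${IF:-fxp0}                               # its outside interface
SECONDARIES=${SECONDARIES:-"10.2.0.1 10.2.0.3"}  # hosts allowed to pull zones
IPFW=${IPFW:-ipfw}                           # IPFW=echo previews without touching the kernel

dns_rules() {
    # Queries from the world to us, and our answers back out (UDP/53).
    $IPFW add 1000 allow udp from any to "$NS" 53 in via "$IF"
    $IPFW add 1010 allow udp from "$NS" 53 to any out via "$IF"

    # Our own queries to other servers and their answers. These ipfw rules are
    # stateless, so the reply rule has to admit any packet from UDP source
    # port 53 addressed to us; that is the price of not tracking state.
    $IPFW add 1020 allow udp from "$NS" to any 53 out via "$IF"
    $IPFW add 1030 allow udp from any 53 to "$NS" in via "$IF"

    # Zone transfers run over TCP/53. Only the listed secondaries may open a
    # connection to us ("setup" matches the SYN); every other SYN falls to
    # the default deny. Caveat: a client whose UDP answer was truncated
    # (over 512 bytes) retries over TCP, and this rule denies that retry
    # from anyone not listed; widen it to "from any" if that matters to you.
    for s in $SECONDARIES; do
        $IPFW add 1040 allow tcp from "$s" to "$NS" 53 in via "$IF" setup
    done
    # We may also pull zones from, or retry large queries to, other servers.
    $IPFW add 1050 allow tcp from "$NS" to any 53 out via "$IF" setup

    # Once a TCP/53 session is established, let its packets flow both ways,
    # for sessions others opened to us and for sessions we opened to them.
    $IPFW add 1060 allow tcp from any to "$NS" 53 in via "$IF" established
    $IPFW add 1070 allow tcp from "$NS" 53 to any out via "$IF" established
    $IPFW add 1080 allow tcp from any 53 to "$NS" in via "$IF" established
    $IPFW add 1090 allow tcp from "$NS" to any 53 out via "$IF" established
}

# Emit the named.conf allow-transfer stanza from the same SECONDARIES list,
# so the BIND-level restriction and the packet-filter restriction agree.
named_acl() {
    echo "allow-transfer {"
    for s in $SECONDARIES; do
        echo "    $s;"
    done
    echo "};"
}

case "${1:-preview}" in
    apply)   dns_rules ;;                          # run as root on the FreeBSD box
    preview) IPFW=echo; dns_rules; named_acl ;;    # default: just print everything
    *)       echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument (or with IPFW=echo) to review the generated ipfw commands and the named.conf fragment before applying anything; paste the stanza into the zone or options block of named.conf and run the script with apply on the firewall host. The two layers are deliberately redundant: named.conf decides which hosts get a zone, and the filter stops everyone else's TCP/53 connection from ever reaching named.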