Message-ID: <39474CBF.30869244@algroup.co.uk>
Date: Wed, 14 Jun 2000 10:13:35 +0100
From: Adam Laurie
Organization: A.L. Group plc
To: Hugh Ho
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW rules for DNS?
References: <20000613014237.10942.qmail@web210.mail.yahoo.com>

Hugh Ho wrote:
>
> I need to do nslookup quite often, and I have the following IPFW rules which
> allow nslookup to talk to my ISP's DNS server:
>
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
>
> Problem with the above rules is that people can pass IPFW if they use UDP port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
> problem?

$fwcmd add pass udp from any to ${dns_server} 53
$fwcmd add deny log udp from any to ${my_ip} 0-1023,1110,2049
$fwcmd add pass udp from any to any

This blocks low port udp plus high ports used by NFS (you need to add any
others you might be using) but allows the high port DNS replies. You will get
occasional DNS lookup failures when the client happens to choose port 1110 or
2049 for its reply listener.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
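The three-rule set above, walked as a first-match simulation over constructed UDP packets; this is an added example, not code from the original mail or from FreeBSD's ipfw. It shows the source-port-53 packet aimed at a low port being logged and denied, the legitimate high-port reply passing, and the lookup failure when the reply port happens to be 1110 or 2049. The addresses, the sample port numbers and the default-deny fallback are assumptions.

```python
# Added example: minimal first-match evaluator for the posted ipfw UDP rules.
# Addresses are assumed placeholders standing in for ${my_ip} and ${dns_server}.
MY_IP = "192.0.2.10"          # assumed: the protected host (${my_ip})
DNS_SERVER = "198.51.100.53"  # assumed: the ISP resolver (${dns_server})

# Destination ports matched by rule 2: privileged ports plus the NFS-related
# ports listed in the mail (0-1023,1110,2049).
BLOCKED_PORTS = set(range(0, 1024)) | {1110, 2049}

# ipfw evaluates rules in order; the first rule that matches decides the packet.
RULES = [
    ("pass", lambda p: p["dst"] == DNS_SERVER and p["dport"] == 53),
    ("deny log", lambda p: p["dst"] == MY_IP and p["dport"] in BLOCKED_PORTS),
    ("pass", lambda p: True),  # catch-all: high-port UDP, including DNS replies
]

def udp(src, sport, dst, dport):
    """Build a UDP packet description (addresses and ports only)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(packet):
    """Return the action of the first matching rule for one UDP packet."""
    for action, matches in RULES:
        if matches(packet):
            return action
    return "deny"  # assumed default policy when no rule matches

# Constructed packets covering the cases discussed in the thread.
QUERY = udp(MY_IP, 3456, DNS_SERVER, 53)        # outbound lookup
REPLY = udp(DNS_SERVER, 53, MY_IP, 3456)        # legitimate high-port reply
SPOOFED_LOW = udp(DNS_SERVER, 53, MY_IP, 111)   # src port 53, low destination port
SPOOFED_NFS = udp(DNS_SERVER, 53, MY_IP, 2049)  # src port 53, NFS port
UNLUCKY = udp(DNS_SERVER, 53, MY_IP, 1110)      # reply to a port rule 2 blocks

if __name__ == "__main__":
    for name, pkt in [("query", QUERY), ("reply", REPLY),
                      ("spoofed_low", SPOOFED_LOW), ("spoofed_nfs", SPOOFED_NFS),
                      ("unlucky_reply", UNLUCKY)]:
        print(f"{name:14s} -> {evaluate(pkt)}")
```

The last case is the failure mode Adam mentions: a resolver that picks 1110 or 2049 for its reply socket has its answer dropped by the same rule that stops the spoofed traffic.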