Date:      Wed, 14 Jun 2000 10:13:35 +0100
From:      Adam Laurie <adam@algroup.co.uk>
To:        Hugh Ho <hho321@yahoo.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPFW rules for DNS?
Message-ID:  <39474CBF.30869244@algroup.co.uk>
References:  <20000613014237.10942.qmail@web210.mail.yahoo.com>

Hugh Ho wrote:
> 
> I need to do nslookup quite often, and I have the following IPFW rules which
> allow nslookup to talk to my ISP's DNS server:
> 
>   allow udp from ${my_ip} to ${dns_server} 53
>   allow udp from ${dns_server} 53 to ${my_ip}
> 
> Problem with the above rules is that people can pass IPFW if they use UDP port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
> problem?

$fwcmd add pass udp from any to ${dns_server} 53
$fwcmd add deny log udp from any to ${my_ip} 0-1023,1110,2049
$fwcmd add pass udp from any to any

This blocks low port udp plus high ports used by NFS (you need to add
any others you might be using) but allows the high port DNS replies. You
will get occasional DNS lookup failures when the client happens to
choose port 1110 or 2049 for its reply listener.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
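To make the difference between the two rule sets concrete, here is a small first-match evaluator that runs both of them over constructed packets. This is an added example, not code from the thread or from FreeBSD's ipfw: the addresses stand in for ${my_ip} and ${dns_server}, rule syntax is reduced to (action, proto, src, sport, dst, dport), and a packet that matches no rule is assumed to fall through to a deny, as the ipfw default rule would.

```python
"""Toy first-match evaluator for the two stateless ipfw rule sets above.

Added example, not code from the original mail or from FreeBSD's ipfw.
Addresses are constructed placeholders, and the unmatched-packet default
of deny is an assumption (ipfw's last rule in a default install).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MY_IP = "192.0.2.10"          # constructed stand-in for ${my_ip}
DNS_SERVER = "198.51.100.53"  # constructed stand-in for ${dns_server}
ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str
    src: str
    sports: Optional[FrozenSet[int]]  # None means any source port
    dst: str
    dports: Optional[FrozenSet[int]]  # None means any destination port
    log: bool = False


def ports(*spec):
    """Build a port set from ints and (lo, hi) inclusive ranges, like 0-1023,1110,2049."""
    out = set()
    for s in spec:
        if isinstance(s, tuple):
            out.update(range(s[0], s[1] + 1))
        else:
            out.add(s)
    return frozenset(out)


def matches(rule, pkt):
    return (rule.proto in (ANY, pkt.proto)
            and rule.src in (ANY, pkt.src)
            and rule.dst in (ANY, pkt.dst)
            and (rule.sports is None or pkt.sport in rule.sports)
            and (rule.dports is None or pkt.dport in rule.dports))


def evaluate(ruleset, pkt):
    """First matching rule decides; no match falls through to the assumed default deny."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Hugh's original pair: trusts anything that claims to come from the resolver's port 53.
ORIGINAL = [
    Rule("allow", "udp", MY_IP, None, DNS_SERVER, ports(53)),
    Rule("allow", "udp", DNS_SERVER, ports(53), MY_IP, None),
]

# Adam's suggestion: protect the low ports and NFS, let high-port replies through.
SUGGESTED = [
    Rule("allow", "udp", ANY, None, DNS_SERVER, ports(53)),
    Rule("deny", "udp", ANY, None, MY_IP, ports((0, 1023), 1110, 2049), log=True),
    Rule("allow", "udp", ANY, None, ANY, None),
]

# Constructed traffic: a normal lookup, its reply, a spoofed probe, and the unlucky case.
QUERY = Packet("udp", MY_IP, 40123, DNS_SERVER, 53)
REPLY = Packet("udp", DNS_SERVER, 53, MY_IP, 40123)
SPOOFED = Packet("udp", DNS_SERVER, 53, MY_IP, 111)      # attacker forges src port 53
UNLUCKY_REPLY = Packet("udp", DNS_SERVER, 53, MY_IP, 2049)  # resolver picked port 2049


def compare():
    """Return {packet name: (original verdict, suggested verdict)} for the samples."""
    samples = {"query": QUERY, "reply": REPLY,
               "spoofed": SPOOFED, "unlucky_reply": UNLUCKY_REPLY}
    return {name: (evaluate(ORIGINAL, p), evaluate(SUGGESTED, p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, sugg) in compare().items():
        print(f"{name:14s} original={orig:5s} suggested={sugg}")
```

Running it shows the two sides of the trade-off: the spoofed packet to port 111 is allowed by the original pair and denied (and logged) by the suggested set, the reply to an ephemeral port passes both, and the reply that happens to land on 2049 is dropped by the suggested set, which is the occasional lookup failure Adam mentions. It also makes visible that the suggested set admits any UDP to any high port, not only DNS replies, so the list of protected ports has to be kept complete.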

