From owner-freebsd-security Wed Jun 14 4:27:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from drawbridge.ctc.com (drawbridge.ctc.com [147.160.99.35])
	by hub.freebsd.org (Postfix) with ESMTP id 0BE9537B667
	for ; Wed, 14 Jun 2000 04:27:08 -0700 (PDT)
	(envelope-from cameron@ctc.com)
Received: from server2.ctc.com (server2.ctc.com [147.160.1.4])
	by drawbridge.ctc.com (8.10.1/8.10.1) with ESMTP id e5EBR5F10774;
	Wed, 14 Jun 2000 07:27:06 -0400 (EDT)
Received: from ctcjst-mail1.ctc.com (ctcjst-mail1.ctc.com [147.160.34.4])
	by server2.ctc.com (8.9.3/8.9.3) with ESMTP id HAA18143;
	Wed, 14 Jun 2000 07:26:56 -0400 (EDT)
Received: by ctcjst-mail1.ctc.com with Internet Mail Service (5.5.2650.21)
	id ; Wed, 14 Jun 2000 07:27:43 -0400
Message-ID:
From: "Cameron, Frank"
To: "'Hugh Ho'"
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: IPFW rules for DNS?
Date: Wed, 14 Jun 2000 07:27:42 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The recent ipfw supports the keep-state option:

allow udp from ${my_ip} to ${dns_server} 53 keep-state

-frank

> -----Original Message-----
> From: Hugh Ho [SMTP:hho321@yahoo.com]
> Sent: Monday, June 12, 2000 9:43 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: IPFW rules for DNS?
>
> I need to do nslookup quite often, and I have the following IPFW rules which
> allow nslookup to talk to my ISP's DNS server:
>
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
>
> Problem with the above rules is that people can pass IPFW if they use UDP port
> 53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my
> problem?
>
> Thanks.
>
> -Hugh
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Photos -- now, 100 FREE prints!
> http://photos.yahoo.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
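
Added example, not part of either message in this thread and not ipfw's own code: a simplified Python model of the two rulesets discussed above, run over constructed packets, showing why the static reply rule admits anything claiming to come from dns_server port 53 while keep-state admits only the mirror image of a live query. The addresses, ports and the 5-second state lifetime are assumptions.

```python
# Simplified model of the two rulesets in this thread; not ipfw's own code.
# All addresses and ports below are constructed sample values.
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport")   # t = arrival time in seconds
MY_IP, DNS = "192.0.2.10", "198.51.100.53"         # stand-ins for ${my_ip}, ${dns_server}
STATE_LIFETIME = 5   # assumed lifetime of a UDP dynamic rule, in seconds


def static_rules(pkt):
    """The original pair of stateless rules."""
    if pkt.src == MY_IP and pkt.dst == DNS and pkt.dport == 53:
        return "allow"
    if pkt.src == DNS and pkt.sport == 53 and pkt.dst == MY_IP:
        return "allow"          # any port on my_ip is reachable from dns:53
    return "deny"


class KeepState:
    """Single 'allow udp from my_ip to dns 53 keep-state' rule."""

    def __init__(self):
        self.flows = {}         # (src, sport, dst, dport) -> expiry time

    def filter(self, pkt):
        # Outbound query: create a dynamic rule for this exact flow.
        if pkt.src == MY_IP and pkt.dst == DNS and pkt.dport == 53:
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t + STATE_LIFETIME
            return "allow"
        # Inbound: allowed only as the mirror image of a live flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.flows.get(key, -1) >= pkt.t:
            self.flows[key] = pkt.t + STATE_LIFETIME
            return "allow"
        return "deny"


def run(filter_fn, packets):
    return [filter_fn(p) for p in packets]


TRAFFIC = [
    Pkt(0, MY_IP, 40000, DNS, 53),     # nslookup query
    Pkt(1, DNS, 53, MY_IP, 40000),     # genuine reply to that query
    Pkt(2, DNS, 53, MY_IP, 2049),      # forged source, unrelated local port
    Pkt(3, DNS, 53, MY_IP, 40000),     # forged source, matches the live flow
    Pkt(60, DNS, 53, MY_IP, 40000),    # same packet after the state expired
]
```

run(static_rules, TRAFFIC) allows all five packets, while run(KeepState().filter, TRAFFIC) denies the packet to the unrelated port and the one arriving after the state expired. A forged packet that matches the exact addresses and ports of a live flow is still accepted, so keep-state narrows the exposure rather than authenticating the server.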