Date:      Tue, 13 Jul 2004 09:32:23 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Luke <luked@pobox.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Is this a safe ipfilter rule?
Message-ID:  <20040713063223.GA39956@orion.daedalusnetworks.priv>
In-Reply-To: <Pine.NEB.4.60.0407122248190.16671@mx.freeshell.org>
References:  <Pine.NEB.4.60.0407122248190.16671@mx.freeshell.org>

On 2004-07-12 23:15, Luke <luked@pobox.com> wrote:
> This is the scariest of these rules:
> pass in quick proto udp from ip.of.remote.DNS/32 port = 53 to any

Well, paranoia is okay sometimes.  At least, as long as it doesn't stop
you from doing your work ;-)

However, given a good named setup (ACLs in named.conf that make sure no
transfers or queries are allowed to anyone, except for those that really
need to ask *your* named) you shouldn't have serious problems even with
rules like these:

        pass in  quick proto udp from any port = 53 to any
        pass in  quick proto udp from any to any port = 53
        pass out quick proto udp from any port = 53 to any
        pass out quick proto udp from any to any port = 53

> Is this safe?

It depends on the setup of your named, I guess.

> pass out quick proto udp from my.internal.address.range to any keep state
> [...] However, I have a problem with that [...]

If stateful UDP:53 is a problem because of the load you have, you might
want to consider the following setup:

        - Allow all packets to/from port 53 of your ISP's named (without
          keeping state information in the firewall).
        - Set up your ISP's named as a "forwarder".

Giorgos
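The forwarder setup Giorgos sketches (stateless pass for port 53 of the ISP's resolver, no state kept), written out as an ipfilter ruleset. This is an added example, not a ruleset from the thread; the addresses and interfaces are assumptions (203.0.113.10 on fxp0 is this host's external address, 10.0.0.1 on fxp1 its internal one, 192.0.2.53 the ISP's resolver). It restricts the stateless rule to that one resolver rather than "any", because a rule of the form "from any port = 53 to any" admits every inbound UDP datagram whose source port happens to be 53, whatever its destination port; the stateful alternative from Luke's own ruleset is shown beside it, commented out, for comparison.

```conf
# Constructed example for /etc/ipf.rules (FreeBSD ipfilter); addresses and
# interface names are assumptions, not values from the original thread.
#   203.0.113.10/fxp0  this host, external side
#   10.0.0.1/fxp1      this host, internal side (named listens here too)
#   192.0.2.53         ISP resolver, configured as forwarder in named.conf
#   10.0.0.0/24        internal clients allowed to query our named

# Default deny. Every pass rule below is "quick", so the first match wins.
block in  all
block out all

# Option A: stateless, for a busy resolver. Only datagrams that come from
# the ISP resolver, sourced from its port 53, and addressed to this host
# are admitted. No "from any": that would admit any UDP packet with a
# source port of 53. Note that any UDP service on this host is still
# reachable from 192.0.2.53 if it sends from port 53, so this trusts the
# ISP's host completely, which is the trade-off Giorgos describes.
pass out quick on fxp0 proto udp from 203.0.113.10/32 to 192.0.2.53/32 port = 53
pass in  quick on fxp0 proto udp from 192.0.2.53/32 port = 53 to 203.0.113.10/32

# Option B: stateful (Luke's approach). Replies are admitted only for a
# query this host actually sent, matched on the full address/port tuple,
# at the cost of one state entry per outstanding query.
# pass out quick on fxp0 proto udp from 203.0.113.10/32 to 192.0.2.53/32 port = 53 keep state

# Queries from the internal network to the local named, and its answers.
pass in  quick on fxp1 proto udp from 10.0.0.0/24 to 10.0.0.1/32 port = 53
pass out quick on fxp1 proto udp from 10.0.0.1/32 port = 53 to 10.0.0.0/24
```

Neither option above covers DNS over TCP (used for answers that do not fit in a UDP datagram and for zone transfers); if those are needed, add separate TCP rules for port 53 restricted the same way rather than widening the UDP rules.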

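The "good named setup" the reply relies on, as an added named.conf fragment that is not from the thread: ACLs that limit queries and recursion to the internal network, refuse transfers outright, and send all lookups to the ISP's resolver as a forwarder. The addresses are the same assumed ones as above (10.0.0.0/24 internal, 192.0.2.53 the ISP resolver); the `trusted` ACL name and the directory path are also assumptions.

```conf
// Constructed example for /etc/namedb/named.conf (BIND 9); names and
// addresses are assumptions, not values from the original thread.
acl "trusted" {
    127.0.0.1;
    10.0.0.0/24;          // internal clients that may ask *this* named
};

options {
    directory "/etc/namedb";

    // Nobody outside the trusted set gets an answer, recursive or not.
    allow-query     { trusted; };
    allow-recursion { trusted; };

    // No zone transfers at all; a caching forwarder has nothing to hand out.
    allow-transfer  { none; };

    // Send every lookup to the ISP's resolver. "forward only" means named
    // never contacts other servers itself, so port-53 traffic on the
    // external side is exchanged with 192.0.2.53 alone, which is what
    // lets the firewall pass that one peer statelessly.
    forwarders { 192.0.2.53; };
    forward only;
};
```

With `forward only`, a failure of the ISP resolver means no name resolution at all, since named will not fall back to iterating from the root servers; `forward first` restores that fallback but then the firewall must also admit replies from arbitrary authoritative servers, which brings back the stateful rule.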


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040713063223.GA39956>