From owner-freebsd-security Mon Nov 1 14:55:39 1999
From: "Rodney W. Grimes"
Message-Id: <199911012255.OAA42497@gndrsh.dnsmgr.net>
Subject: Re: hole(s) in default rc.firewall rules
In-Reply-To: <19991101232250.C39857@keltia.freenix.fr> from Ollivier Robert at "Nov 1, 1999 11:22:50 pm"
To: roberto@keltia.freenix.fr (Ollivier Robert)
Date: Mon, 1 Nov 1999 14:55:11 -0800 (PST)
Cc: security@FreeBSD.ORG

> According to Adam Laurie:
> > blocking UDP traffic to any low port. DNS replies come in on high ports
> > (at least this is true on the half dozen or so boxes that I've
>
> Default before bind 8.2.something was to use port 53 for all answers (from
> server to server).

Actually it was all queries and answers; now it uses high numbers for
queries, answers have to come from port 53, that's the socket the query is
sent to...

And most of us running post 8.2.something bind behind firewalls have
configured bind with:

    query-source address 198.145.92.4 port 53;

So we can use a proper set of DNS rules, and yes, the ones shipped with
FreeBSD are seriously lacking in that they have ``any'' and they should have
${dnsserver} as a configuration entry. Only your dnsservers need dns
traffic, every place else should be shut down nice and tight, everything
internal should be talking to your dns servers only via forwarders clauses
or proper /etc/resolv.conf settings.
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
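The tightened ruleset Rod describes, written as an added example in the style of rc.firewall; it is not from the original post or from FreeBSD's own rc.firewall, and the variable names (dnsserver, inside_net, oif) and the address values are assumptions. It assumes bind has been configured with "query-source ... port 53", so server-to-server traffic is port 53 to port 53 in both directions, and everything else inside talks only to ${dnsserver}.

```shell
# Added example: ipfw rules restricting DNS to one designated server.
# Not FreeBSD's rc.firewall; names and addresses below are constructed.
dnsserver="192.0.2.53"        # the only host allowed to speak DNS outside (constructed)
inside_net="192.0.2.0/24"     # internal network that must use ${dnsserver} (constructed)
oif="fxp0"                    # outside interface (assumption)
fwcmd="${fwcmd:-/sbin/ipfw}"  # rc.firewall convention; override to preview

# dns_rules [command]: emit the rules through "command" (default ${fwcmd}).
# Pass "echo" to print the rules instead of loading them.
dns_rules() {
    fw="${1:-$fwcmd}"
    # Server-to-server: bind with "query-source port 53" sends from 53 and
    # the answer comes back from 53 to 53, so no high-port holes are needed.
    ${fw} add 1000 allow udp from ${dnsserver} 53 to any 53 out via ${oif}
    ${fw} add 1001 allow udp from any 53 to ${dnsserver} 53 in via ${oif}
    ${fw} add 1002 allow tcp from ${dnsserver} to any 53 out via ${oif} setup
    ${fw} add 1003 allow tcp from any 53 to ${dnsserver} in via ${oif} established
    # Internal hosts: resolv.conf / forwarders point at ${dnsserver} only.
    ${fw} add 1010 allow udp from ${inside_net} to ${dnsserver} 53
    ${fw} add 1011 allow udp from ${dnsserver} 53 to ${inside_net}
    # Everything else on port 53 is dropped and logged, which closes the
    # "UDP to any low port" gap in the shipped ``any'' rules.
    ${fw} add 1020 deny log udp from any to any 53
    ${fw} add 1021 deny log tcp from any to any 53
}
```

Run `dns_rules echo` to review the generated rules before loading them with `dns_rules` on the firewall host.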