Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 23 Aug 1999 16:55:34 -0600
From:      Nate Williams <nate@mt.sri.com>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        nate@mt.sri.com (Nate Williams), freebsd-security@FreeBSD.ORG
Subject:   Re: IPFW/DNS rules
Message-ID:  <199908232255.QAA02707@mt.sri.com>
In-Reply-To: <199908232234.PAA36466@gndrsh.dnsmgr.net>
References:  <199908232108.PAA02230@mt.sri.com> <199908232234.PAA36466@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
> > > > > ipfw add 40539  allow log udp from any 53 to any
> > > > 
> > > > This is also insecure, in that it allows anyone to use source port 53 to
> > > > connect to *any* UDP port in your network.
...
> 
> Yes, my rules before these have large blocks of udp/tcp ports that log
> thier activity, for what you want it would be something like:
> 
> ipfw add 100 deny log tcp from any 1-52 to any
> ipfw add 100 deny log tcp from any 54-65535 to any
> ipfw add 200 deny log udp from any 1-52 to any
> ipfw add 200 deny log udp from any 54-65565 to any
> 
> And of cource, the reverse rules
> ipfw add 300 deny log tcp from any to any 1-52
> ipfw add 300 deny log tcp from any to any 54-65535
> ipfw add 400 deny log udp from any to any 1-52
> ipfw add 400 deny log udp from any to any 54-65535

Except that you're still allowing connections *from* port 53 to any UDP
service in your network, which bothers me.  (I'm doing it as well, FWIW,
although I'm limiting it to a single box.)

*sigh*

> Outsource your DNS services so that no public queries ever hit your
> master would be another way.  This is known as a hidden master DNS
> server, you simply get 2 public secondaries, list them in the SOA
> for the zone, but leave out the real master.  No one even knows to
> go look at your box, except if they break into the slaves.

Ahh, this is an idea.  This is essentially what I'm doing now, except I
didn't think to hide the master.

However, we are trying to be more and more 'independant' of the parent
company, so for now I think we'll deal with the paranoia.  Also, I don't
trust the people who are my secondaries as much to be secure.


Nate


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199908232255.QAA02707>