Date: Mon, 1 Nov 1999 14:55:11 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: roberto@keltia.freenix.fr (Ollivier Robert)
Cc: security@FreeBSD.ORG
Subject: Re: hole(s) in default rc.firewall rules
Message-ID: <199911012255.OAA42497@gndrsh.dnsmgr.net>
In-Reply-To: <19991101232250.C39857@keltia.freenix.fr> from Ollivier Robert at "Nov 1, 1999 11:22:50 pm"
> According to Adam Laurie:
> > blocking UDP traffic to any low port. DNS replies come in on high ports
> > (at least this is true on the half dozen or so boxes that I've
>
> Default before bind 8.2.something was to use port 53 for all answers (from
> server to server).

Actually it was all queries and answers; now it uses high numbers for queries, answers have to come from port 53, that's the socket the query is sent to...

And most of us running post 8.2.something bind behind firewalls have configured bind with:

query-source address 198.145.92.4 port 53;

So we can use a proper set of DNS rules, and yes, the ones shipped with FreeBSD are seriously lacking in that they have ``any'' and they should have ${dnsserver} as a configuration entry. Only your dnsservers need dns traffic, every place else should be shut down nice and tight, everything internal should be talking to your dns servers only via forwarders clauses or proper /etc/resolv.conf settings.

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
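The rule set Rod describes, as an added example (not from the rc.firewall of the period and not Rod's own configuration): ipfw rules in the style of rc.firewall's simple setup, with the loose ``any'' form beside a version that only lets ${dnsserver} exchange DNS traffic and relies on named's `query-source ... port 53` setting so both directions can be pinned to port 53. The interface fxp0 and the 192.0.2.x address are assumed placeholders, and fwcmd defaults to a dry-run echo so the script runs on a box without ipfw.

```shell
#!/bin/sh
# Added example: tightened DNS section for an rc.firewall-style ipfw setup.
# Assumed values (placeholders, not from the message):
#   oif       outside interface
#   dnsserver the one internal resolver allowed to talk DNS through the firewall
# fwcmd defaults to "echo ipfw" so the rules are only printed (dry run).
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-fxp0}"
dnsserver="${dnsserver:-192.0.2.53}"   # constructed, documentation range

# The shape of the shipped rules being criticised: any host, any direction,
# as long as port 53 is involved. Kept only for comparison.
loose_dns_rules() {
    $fwcmd add pass udp from any to any 53
    $fwcmd add pass udp from any 53 to any
}

# Tightened version. Because named is configured with
#   query-source address ${dnsserver} port 53;
# queries leave from ${dnsserver}:53 and answers must return to ${dnsserver}:53,
# so both directions can name the host and the port on each side.
tight_dns_rules() {
    # queries out: our server, source port 53, to any remote server's port 53
    $fwcmd add pass udp from ${dnsserver} 53 to any 53 out via ${oif}
    # answers back: remote port 53 to our server's port 53 only
    $fwcmd add pass udp from any 53 to ${dnsserver} 53 in via ${oif}
    # every other UDP/53 packet crossing the outside interface is dropped and logged
    $fwcmd add deny log udp from any to any 53 via ${oif}
    $fwcmd add deny log udp from any 53 to any via ${oif}
}

# Internal hosts never need these rules: they reach ${dnsserver} on the inside
# via forwarders clauses or /etc/resolv.conf, so only the resolver crosses ${oif}.
tight_dns_rules
```

Run with `fwcmd=/sbin/ipfw dnsserver=<your resolver> oif=<outside if>` to load the rules for real instead of printing them.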