Date:      Wed, 20 Oct 1999 10:00:08 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        patrick@mindstep.com (Patrick Bihan-Faou)
Cc:        matt@BabCom.ORG (matt), freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw rule wrong in rc.firewall(?)
Message-ID:  <199910201700.KAA02948@gndrsh.dnsmgr.net>
In-Reply-To: <009001bf1b08$05ad6040$190aa8c0@local.mindstep.com> from Patrick Bihan-Faou at "Oct 20, 1999 10:33:05 am"

> Hi,
> 
> From: matt <matt@BabCom.ORG>
> 
> > On Wed, 20 Oct 1999, Ruslan Ermilov wrote:
> > [...]
> > : Yes, src/etc/rc.firewall is incomplete, it misses two rules for incoming
> > : UDP queries.
> >
> > Well, I guess I was not *totally* wrong, which is a minor miracle.
> >
> > : # Allow access to our DNS
> > : allow tcp from any to ${oip} 53 setup # zone transfers
> > : allow udp from any to ${oip} 53 # incoming DNS queries (missing)
> > : allow udp from ${oip} 53 to any # answers to these queries (missing)
> > :
> > : # Allow DNS queries out in the world
> > : allow udp from ${oip} to any 53 # outgoing DNS queries
> > : allow udp from any 53 to ${oip} # answers to these queries
> 
> Humm...
> 
> As somebody mentioned earlier the last rule (allow udp from any 53 to
> ${oip}) is fairly weak. I would really love to see something along the lines
> of the TCP rules (allow tcp from any to any established) for UDP as well...

First thing to do is stop using ``any'', you should not have that many
internal nameservers that you can't explicitly name them by IP address:

10539      235      10548 allow log tcp from any to any 53
40530    35051    3395489 allow udp from any to 205.238.40.1 53
40530     1608     306167 allow udp from any to 205.238.40.2 53
40530    52365    3549882 allow udp from any to 199.238.232.2 53
40530        0          0 allow udp from any to 199.238.232.3 53
40530    35250    6830449 allow udp from 205.238.40.1 53 to any
40530     1868     124384 allow udp from 205.238.40.2 53 to any
40530    51697    9134012 allow udp from 199.238.232.2 53 to any
40530        0          0 allow udp from 199.238.232.3 53 to any

You should be running bind 8 behind any firewall, and set it up
to use a src port of 53, thus allowing the above rules to just
work.  All internal queries should be directed to these name
servers, and only they should talk to the internet.  

-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
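To make the difference between the quoted rc.firewall rules and Rod's explicitly named servers concrete, here is an added example (not from this thread or from FreeBSD) that models ipfw's first-match evaluation for plain `allow udp from <src> [port] to <dst> [port]` rules and runs two packets through each rule set. The addresses are constructed placeholders from the RFC 5737 documentation ranges, and the model ignores `setup`/`established`, netmasks and rule numbers.

```python
# Added example, not from the thread: a minimal model of ipfw first-match
# semantics for "allow udp from <src> [port] to <dst> [port]" rules, used to
# compare rc.firewall's generic DNS rules with Rod's explicitly named servers.
# Addresses are constructed placeholders (RFC 5737 documentation ranges).
OIP = "192.0.2.10"                      # the firewall's outside address, ${oip}
NS = ["192.0.2.1", "192.0.2.2"]         # internal nameservers (constructed)

def parse_rule(line):
    """Parse 'allow udp from any 53 to 192.0.2.10' into a tuple of fields."""
    t = line.split()
    action, proto, i = t[0], t[1], 3     # t[2] is the keyword "from"
    src, i = t[i], i + 1
    sport = None
    if t[i] != "to":                     # optional source port
        sport, i = int(t[i]), i + 1
    i += 1                               # skip "to"
    dst, i = t[i], i + 1
    dport = int(t[i]) if i < len(t) else None   # optional destination port
    return action, proto, src, sport, dst, dport

def matches(rule, proto, src, sport, dst, dport):
    """A rule field of "any" (address) or None (port) matches anything."""
    action, rproto, rsrc, rsport, rdst, rdport = rule
    ok = lambda want, have: want in (None, "any") or want == have
    return (rproto == proto and ok(rsrc, src) and ok(rsport, sport)
            and ok(rdst, dst) and ok(rdport, dport))

def verdict(rules, proto, src, sport, dst, dport):
    """First matching rule wins, as in ipfw; an unmatched packet is denied."""
    for rule in rules:
        if matches(rule, proto, src, sport, dst, dport):
            return rule[0]
    return "deny"

# The rc.firewall-style rules quoted in the thread, with ${oip} substituted.
WEAK = [parse_rule(r) for r in (
    f"allow udp from any to {OIP} 53", f"allow udp from {OIP} 53 to any",
    f"allow udp from {OIP} to any 53", f"allow udp from any 53 to {OIP}")]
# Rod's approach: every internal server named, no bare "from any 53" rule.
EXPLICIT = [parse_rule(r) for ns in NS for r in (
    f"allow udp from any to {ns} 53", f"allow udp from {ns} 53 to any")]

def probe_from_port_53(rules):
    """An outside host sending from source port 53 to an unrelated UDP service."""
    return verdict(rules, "udp", "198.51.100.7", 53, OIP, 111)

def reply_to_nameserver(rules, local_port):
    """A DNS answer from an outside server to the port our nameserver queried from."""
    return verdict(rules, "udp", "198.51.100.7", 53, NS[0], local_port)
```

The weak set lets the port-53-sourced probe through to port 111 while the explicit set drops it; in the explicit set a DNS answer only passes when the nameserver queried from port 53, which is why the message pairs these rules with BIND 8 configured to use source port 53.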
