Date: Wed, 20 Oct 1999 11:13:12 -0600
From: Nate Williams <nate@mt.sri.com>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: patrick@mindstep.com (Patrick Bihan-Faou), matt@BabCom.ORG (matt), freebsd-security@FreeBSD.ORG
Subject: DNS security using IPFW (was Re: ipfw rule wrong in rc.firewall(?))
Message-ID: <199910201713.LAA25715@mt.sri.com>
In-Reply-To: <199910201700.KAA02948@gndrsh.dnsmgr.net>
References: <009001bf1b08$05ad6040$190aa8c0@local.mindstep.com> <199910201700.KAA02948@gndrsh.dnsmgr.net>
> First thing to do is stop using ``any'', you should not have that many
> internal nameservers that you can't explicitly name them by IP address:
>
> 10539 235 10548 allow log tcp from any to any 53

IMO, this rule should be *after* all of the other rules, otherwise you'll
get hits for 'acceptable' use in your logs. It appears that this must be
the case with the numbers, or else you've got specific rules for zone
transfers that are not listed.

Note, the use of TCP does not *necessarily* mean a zone transfer, since it
may be the result of a large transfer that doesn't fit into a UDP packet,
which can happen if you have large datasets. (The Bind FAQ deals with this
in more detail.)

> 40530 35051 3395489 allow udp from any to 205.238.40.1 53
> 40530 1608 306167 allow udp from any to 205.238.40.2 53
> 40530 52365 3549882 allow udp from any to 199.238.232.2 53
> 40530 0 0 allow udp from any to 199.238.232.3 53
> 40530 35250 6830449 allow udp from 205.238.40.1 53 to any
> 40530 1868 124384 allow udp from 205.238.40.2 53 to any
> 40530 51697 9134012 allow udp from 199.238.232.2 53 to any
> 40530 0 0 allow udp from 199.238.232.3 53 to any
>
> You should be running bind 8 behind any firewall, and set it up
> to use a src port of 53, thus allowing the above rules to just
> work.

By default, bind8 'binds' to port 53. However, there is one issue when
using a firewall, in that all queries and/or transfers are sent out using
your external IP address, and generally speaking most 'external' addresses
are assigned by your ISP. However, most of the time you want to publish
the 'internal' address that your ISP assigned to your network, since you
have greater control over the names/addresses. This means that zone
transfers and such come from an IP/name in your ISP's namespace, which is
annoying. It would be nice if bind8 allowed you to 'bind' zone transfers
to a certain address, like it does with responses.
Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199910201713.LAA25715>
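The following is an added example, not code from the thread or from FreeBSD's rc.firewall. It is a toy first-match evaluator for the stateless ipfw rules quoted above, written to make two of Nate's points concrete: the catch-all "allow log tcp from any to any 53" rule logs legitimate zone transfers unless it is numbered after the explicit transfer rules, and the "udp from any to <ns> 53" / "udp from <ns> 53 to any" pairs only let replies back in when the name server sends its queries from source port 53 (in BIND 8 that is the `query-source address * port 53;` option). The explicit TCP transfer rule between 205.238.40.1 and 199.238.232.2, and the 192.0.2.x external hosts, are constructed assumptions; the thread mentions such rules but does not list them.

```python
"""Toy first-match evaluator for the ipfw DNS rules quoted in the thread (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    num: int            # ipfw rule number; lower numbers are evaluated first
    action: str         # "allow" or "deny"
    log: bool           # rule carried the "log" keyword
    proto: str          # "tcp" or "udp"
    src: str            # "any" or a dotted-quad address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_rule(num: int, text: str) -> Rule:
    """Parse the subset of ipfw syntax used in the thread:
    action [log] proto from src [sport] to dst [dport]"""
    toks = text.split()
    action = toks.pop(0)
    log = toks[0] == "log"
    if log:
        toks.pop(0)
    proto = toks.pop(0)
    if toks.pop(0) != "from":
        raise ValueError(text)
    src = toks.pop(0)
    sport = None if toks[0] == "to" else int(toks.pop(0))
    if toks.pop(0) != "to":
        raise ValueError(text)
    dst = toks.pop(0)
    dport = int(toks.pop(0)) if toks else None
    return Rule(num, action, log, proto, src, sport, dst, dport)


def _match(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.src in ("any", pkt.src)
            and rule.sport in (None, pkt.sport)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt: Packet):
    """First matching rule wins, as in ipfw; the implicit final rule denies.
    Returns (action, logged, rule number or None)."""
    for rule in sorted(rules, key=lambda r: r.num):   # stable sort: equal numbers keep order
        if _match(rule, pkt):
            return rule.action, rule.log, rule.num
    return "deny", False, None


# The four name servers from the quoted listing.
NAMESERVERS = ["205.238.40.1", "205.238.40.2", "199.238.232.2", "199.238.232.3"]


def dns_ruleset(catchall_num: int):
    """Quoted UDP rules, one explicit TCP zone-transfer rule (constructed:
    primary 205.238.40.1 -> secondary 199.238.232.2), and the catch-all
    logging TCP rule placed at catchall_num."""
    rules = [parse_rule(catchall_num, "allow log tcp from any to any 53"),
             parse_rule(40530, "allow tcp from 205.238.40.1 to 199.238.232.2 53")]
    for ns in NAMESERVERS:
        rules.append(parse_rule(40530, f"allow udp from any to {ns} 53"))
        rules.append(parse_rule(40530, f"allow udp from {ns} 53 to any"))
    return rules


# Constructed sample traffic (192.0.2.0/24 is the documentation range).
ZONE_XFER = Packet("tcp", "205.238.40.1", 40000, "199.238.232.2", 53)
UNKNOWN_TCP = Packet("tcp", "192.0.2.10", 40001, "205.238.40.1", 53)
QUERY_FROM_53 = Packet("udp", "205.238.40.1", 53, "192.0.2.53", 53)
REPLY_TO_53 = Packet("udp", "192.0.2.53", 53, "205.238.40.1", 53)
QUERY_FROM_HIGH = Packet("udp", "205.238.40.1", 1025, "192.0.2.53", 53)
REPLY_TO_HIGH = Packet("udp", "192.0.2.53", 53, "205.238.40.1", 1025)


def logged(catchall_num: int, pkt: Packet) -> bool:
    """True if the packet lands on a logging rule with the catch-all at catchall_num."""
    return evaluate(dns_ruleset(catchall_num), pkt)[1]


def allowed(pkt: Packet) -> bool:
    """Verdict with the catch-all placed last (ordering does not affect UDP here)."""
    return evaluate(dns_ruleset(60000), pkt)[0] == "allow"


if __name__ == "__main__":
    # Catch-all numbered before the transfer rule (10539 < 40530): the known
    # transfer is logged as if it were unexpected. Numbered after it, only
    # the unknown client shows up in the log.
    for num in (10539, 60000):
        print(f"catch-all at {num}: transfer logged={logged(num, ZONE_XFER)}, "
              f"unknown client logged={logged(num, UNKNOWN_TCP)}")
    # Stateless UDP rules: the reply only gets back in because the query
    # left from port 53; a query from a high port is dropped both ways.
    for name, pkt in [("query from 53", QUERY_FROM_53), ("reply to 53", REPLY_TO_53),
                      ("query from 1025", QUERY_FROM_HIGH), ("reply to 1025", REPLY_TO_HIGH)]:
        print(f"{name}: {'allow' if allowed(pkt) else 'deny'}")
```

Run it as-is to see both effects; the practical takeaway is the same as Nate's: number the "log" catch-all after every explicit allow rule so the log only records traffic you did not expect, and keep the name server's query source port at 53 if you rely on stateless port-53 rules instead of a stateful "check-state"/"keep-state" pair.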