Date:      Tue, 8 Jan 2002 17:30:14 -0800 (PST)
From:      X Philius <xphilius@yahoo.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        "G.P. de Boer" <g.p.de.boer@st.hanze.nl>, security@FreeBSD.ORG, Dave Raven <dave@kill-9.za.net>
Subject:   Re: Help with ipfw rules to allow DNS queries through
Message-ID:  <20020109013014.57371.qmail@web11807.mail.yahoo.com>
In-Reply-To: <Pine.BSF.3.96.1011227181920.6650A-100000@gaia.nimnet.asn.au>

Guys,
So, I've read through all the great advice from this list, and cooked
up something that works quite well, but I still have a mystery. I hope
this is not too off topic; the thread is veering away from security a
bit. I would post to questions@bsd.org but we are getting a bit deep,
and I honestly don't know if it is my ipfw rule set that is messing me
up, NAT or my named.conf.

I have set up named, and I am attempting to verify that my nameserver
is available outside my machine, so that I can set up an arrangement
with a friend to trade secondaries. I have been attempting to use
nslookup, and dig, from another machine on a different ISP. Both
nslookup and dig time out, and nothing in particular shows up in the
log via my final logging rule, #999. I get the same behavior with the
default "open" ruleset as with mine, so in truth I do not think ipfw is
the problem. So, here are my questions, and the current behavior:

Question 1: Is there another way I can verify that my DNS server is
accessible externally, and available to be authoritative on a domain?
Naturally making the change at Veri$ign/Network Solutions and getting
my friend involved and set up as a secondary, when I am not sure if it
will work or not, is a bit of a pain.

Q 2: My IT buddy at work thinks that requests from clients like
nslookup and dig use a different port, or something odd like that,
perhaps ICMP; he's not sure. Our company's servers *are* authoritative
on domains, and also exhibit this behavior: they cannot be accessed
from another machine via dig or nslookup, even though the machines can
ping one another. So, perhaps it doesn't matter. Certainly it is a nice
way to troubleshoot and find out quickly how your DNS server is behaving.

Q 3: Is there any reason I should enhance this ruleset with stateful
rules, or is the "setup" keyword sufficient to prevent any shenanigans?

Q 4: Any other suggestions?

Current conditions and behavior:
Server 1: My machine
Server 2: My friend's box, on another ISP, subnet etc.

- I cannot access Server 1 from Server 2 via nslookup or dig

- My machine is behind NAT via a Cisco router. As far as I know it is
running wide open, with a direct pass through from my dedicated
internal IP to my dedicated external IP.

- I have named running, as a master, and I have specified it in my
resolv.conf, i.e. 127.0.0.1.

- I can get name resolution internally, via nslookup, dig, lynx, apache
etc. named seems fully functional from the inside.

- I can ping between the two machines in both directions.

- If I specify the ever reliable ns1.cisco.com via nslookup and dig,
while on server 2, I can get an answer, so there is no problem with
Server 2's setup, network access, firewall etc., or the commands I am
issuing to dig and nslookup.

- I get the same behavior with my custom rule set and with the default
"open" rule set. So, I do *not* actually think that the ipfw ruleset is
the problem.

- If I run tcpdump -en host {Server 2 host} while attempting to make a
request for yahoo.com via nslookup from Server 2, I get this output: I
can see the request coming in via port 53, and an attempt to reply to
Server 2 going out via port 53.

- All the services specified with a comment are really running. You
can take my word about the weird stuff; it all works. I just did not
post a complete list of services in my initial question to keep things
clearer ;-)

- here is the output of ipfw list:
00100 allow ip from any to any via lo0
00150 allow ip from any to any via xl0 <<-- I added this one
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00500 allow tcp from any to any established
00501 allow ip from any to any frag
00502 allow tcp from any to 10.1.3.2 25 setup
00503 allow tcp from any to 10.1.3.2 22 setup
00504 allow tcp from any to 10.1.3.2 80 setup
00505 allow tcp from any to 10.1.3.2 21 setup
00506 allow tcp from any to 10.1.3.2 110 setup
00507 allow tcp from any to 10.1.3.2 554 setup
00508 allow tcp from any to 10.1.3.2 7070 setup
00509 allow tcp from any to 10.1.3.2 8008 setup
00510 allow tcp from any to 10.1.3.2 8009 setup
00511 allow tcp from any to 10.1.3.2 7007 setup
00512 allow tcp from any to 10.1.3.2 7008 setup
00513 allow tcp from any to 10.1.3.2 53 setup
00514 allow udp from any to 10.1.3.2 53
00515 allow udp from 10.1.3.2 53 to any
00516 allow tcp from 205.173.176.10 53 to 10.1.3.2 setup
00517 allow udp from 205.173.176.10 53 to 10.1.3.2
00518 allow udp from 10.1.3.2 to any
00519 allow tcp from 10.1.3.2 to any setup
00520 allow icmp from any to any
00999 deny log ip from any to any
65535 deny ip from any to any

- here is my ruleset:

        ############
        # Rule set built by jason last edited 2/1/01
        # I do not exactly know what I am doing ;-)
        ############

        # set these to your network and netmask and ip
        net="10.1.3.0"
        mask="255.255.255.0"
        ip="10.1.3.2"

        # Allow TCP through if setup succeeded
        ${fwcmd} add 500 pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add 501 pass all from any to any frag

        # Allow setup of incoming email
        ${fwcmd} add 502 pass tcp from any to ${ip} 25 setup

        # Allow incoming SSH requests
        ${fwcmd} add 503 pass tcp from any to ${ip} 22 setup

        # Allow incoming HTTP requests
        ${fwcmd} add 504 pass tcp from any to ${ip} 80 setup

        # Allow incoming FTP requests
        ${fwcmd} add 505 pass tcp from any to ${ip} 21 setup

        # Allow incoming POP requests
        ${fwcmd} add 506 pass tcp from any to ${ip} 110 setup

        # Allow incoming Darwin requests (also uses port 80)
        ${fwcmd} add 507 pass tcp from any to ${ip} 554 setup
        ${fwcmd} add 508 pass tcp from any to ${ip} 7070 setup

        # Allow incoming Shoutcast requests
        ${fwcmd} add 509 pass tcp from any to ${ip} 8008 setup
        ${fwcmd} add 510 pass tcp from any to ${ip} 8009 setup
        ${fwcmd} add 511 pass tcp from any to ${ip} 7007 setup
        ${fwcmd} add 512 pass tcp from any to ${ip} 7008 setup

        # Allow DNS queries out and in when I am using 127.0.0.1
        ${fwcmd} add 513 pass tcp from any to ${ip} 53 setup
        ${fwcmd} add 514 pass udp from any to ${ip} 53
        ${fwcmd} add 515 pass udp from ${ip} 53 to any

        # Allow my DNS server in and out when not using 127.0.0.1
        ${fwcmd} add 516 pass tcp from xxx.xxx.xxx.xx 53 to ${ip} setup
        ${fwcmd} add 517 pass udp from xxx.xxx.xxx.xx 53 to ${ip}

        # Allow outgoing UDP
        ${fwcmd} add 518 pass udp from ${ip} to any

        # Allow setup of outgoing TCP connections
        ${fwcmd} add 519 pass tcp from ${ip} to any setup

        # Allow ICMP out and in
        ${fwcmd} add 520 pass icmp from any to any

        # Disallow setup of all other IP connections
        ${fwcmd} add 999 deny log ip from any to any

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
        # config file.
        ;;

So, my knowledgeable fellow geeks, any ideas? Thanks much in advance, I
think I'm close here.

Jason
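One way to answer questions 1 and 2 without involving the registrar or a friend's secondary: an added example, not from the original post, that builds a raw DNS query, sends it to port 53 over both UDP and TCP from an ephemeral source port (the same thing dig and nslookup do), and reports whether the reply carries the AA (authoritative answer) bit. It uses only the Python standard library; the server address and zone name are command-line arguments, and the reply bytes used to exercise the parser are constructed, not captured from a real server.

```python
"""Hand-rolled DNS reachability probe: one query over UDP/53 and one over
TCP/53, each from an ephemeral source port, then a look at the reply header."""
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6}


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 wire format)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name, qtype="A", qid=None):
    """12-byte header (RD set, one question) followed by the question section."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(msg):
    """Split the fixed 12-byte header into its id, flag bits and section counts."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def analyse(query, reply):
    """Check that `reply` is a well-formed answer to `query`; report AA and rcode."""
    if len(reply) < 12:
        return {"ok": False, "reason": "reply shorter than a DNS header"}
    h = parse_header(reply)
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        h.update(ok=False, reason="transaction id does not match our query")
        return h
    if not h["qr"]:
        h.update(ok=False, reason="QR bit clear: this is a query, not a response")
        return h
    h["rcode_name"] = RCODES.get(h["rcode"], f"rcode {h['rcode']}")
    h["ok"] = h["rcode"] == 0
    return h


def probe_udp(server, name, qtype="A", timeout=3.0):
    """Classic DNS: datagram to UDP/53, reply comes back to our ephemeral port."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        print(f"udp: sent from ephemeral port {s.getsockname()[1]} to {server}:53")
        reply, _ = s.recvfrom(4096)
    return analyse(query, reply)


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def probe_tcp(server, name, qtype="A", timeout=3.0):
    """Same query over TCP/53; each message is prefixed with a 2-byte length."""
    query = build_query(name, qtype)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        print(f"tcp: connected from ephemeral port {s.getsockname()[1]} to {server}:53")
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        reply = recv_exact(s, length)
    return analyse(query, reply)


if __name__ == "__main__":
    # usage: python dnsprobe.py <server-ip> <zone>   (asks for the zone's SOA)
    server, name = sys.argv[1], sys.argv[2]
    for label, probe in (("UDP", probe_udp), ("TCP", probe_tcp)):
        try:
            r = probe(server, name, "SOA")
            print(label, "->", r.get("rcode_name", r.get("reason")),
                  "authoritative" if r.get("aa") else "not authoritative")
        except (socket.timeout, OSError) as exc:
            print(label, "-> no reply:", exc)
```

Asking for the zone's SOA from the outside and seeing NOERROR with AA set is the check a secondary would effectively perform; a UDP timeout paired with a TCP refusal or timeout points at the path (NAT or the router) rather than at the query tool, and the printed ephemeral port shows why a rule pinned to source port 53 does not describe client traffic.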


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020109013014.57371.qmail>