Date:      Thu, 27 Dec 2001 19:38:44 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        X Philius <xphilius@yahoo.com>
Cc:        "G.P. de Boer" <g.p.de.boer@st.hanze.nl>, security@FreeBSD.ORG, Dave Raven <dave@kill-9.za.net>
Subject:   Re: Help with ipfw rules to allow DNS queries through
Message-ID:  <Pine.BSF.3.96.1011227181920.6650A-100000@gaia.nimnet.asn.au>
In-Reply-To: <20011227014709.9820.qmail@web11806.mail.yahoo.com>

On Wed, 26 Dec 2001, X Philius wrote:

 > I am currently using an external DNS server via resolv.conf, you are
 > correct. I would think that the generic rule to allow all internally
 > established connections (both udp and tcp) to pass through would allow
 > this, even without any port specific rules. Is this not correct?
 > 
 > 	# Allow set up of outgoing UDP connections
 > 	${fwcmd} add pass udp from ${ip} to any setup

There's no concept of 'setup' with UDP connections.  You should find
that ipfw (perhaps silently?) failed to add this rule, blowing away most
UDP from your box, including DNS, if I've read your ruleset rightly? 

Does the output of 'ipfw list' or 'ipfw show' include that UDP rule? 
'ipfw -t show | less' is handy to see what's happening, as is tcpdump ..

[..]

 >  I used to have named set up on my machine, before I upgraded to 4.4R,
 > and I plan to set it up again. However, before I upgraded I was using
 > this rule set, and it did not seem to allow me to access my machine as
 > a name server from another machine. I am not 100% sure that I tested it

!ipfw add 702 count udp from any to any setup
ipfw: error: unknown argument ``setup''
usage: ipfw [options] ...

 > properly though, so the general question is; should I be able to use
 > this ruleset if I want to use my machine as a name server, ie to be
 > accessed by an external client, and authoritative on a domain or
 > twelve?

Sure.  Assuming your NAT etc is configured right, and the Cisco upstream
is playing fair, you'd be well advised to follow up Dave Raven's message
re bind setup to allow internal / deny external recursion and transfers.

Of course you'll want to allow xfers as well with outside primaries and
secondaries, and may need to add ipfw rules for them.  We also share
hosting a few domains with/for friends on lil systems, and log heaps of
DNS subnet scanning and such, and the occasional poisoning attempt.

man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts then
increases by 1 the level of named logging, to /var/tmp/named.run - using
Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy logging of
all DNS activity for as much bind self-education as you've time for ..

 > As someone else mentioned, this is pretty much verbatim from
 > the default rc.firewall.
 > 
 > # Allow DNS queries out  and in
 > ${fwcmd} add pass tcp from any to ${ip} 53 setup
 > ${fwcmd} add pass udp from any to ${ip} 53
 > ${fwcmd} add pass udp from ${ip} 53 to any

Only the comment differs from the alternatives posted :)

It seems that more than DNS would be affected by a loss of outgoing UDP,
if that is the case, but then you may have allowed everything else you
want like quicktime and other streaming protocols (which caught my eye!)

 > Thanks much for your reply! I can't wait to get this working.

tcpdump is your good mate.  Here 'tcpdump -pen -i tun0 port 53' in a
window inspires confidence when named's doing its thang.

Cheers, Ian
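Added example, not part of Ian's message or of FreeBSD's rc.firewall: a small shell lint for an rc.firewall-style rule list that catches the mistake discussed above (ipfw's 'setup' keyword matches a TCP connection's initial SYN and has no meaning for UDP, so a UDP rule carrying it is rejected at load time and the permit it was meant to install never exists), and prints the rule list with the offending keyword removed. The sample rules are constructed for this example; the `${fwcmd}` and `${ip}` placeholders are left unexpanded, as in rc.firewall, and `lint_ipfw_rules` / `fix_udp_setup` are names chosen here.

```shell
#!/bin/sh
# Constructed sample: the DNS rules quoted in the thread plus the broken
# "udp ... setup" rule and a valid TCP setup rule for contrast.  Single
# quotes keep ${fwcmd}/${ip} literal, exactly as they appear in rc.firewall.
SAMPLE_RULES='${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any
${fwcmd} add pass udp from ${ip} to any setup
${fwcmd} add pass tcp from ${ip} to any setup'

# lint_ipfw_rules RULES
#   Prints every rule whose protocol is udp (the field just before "from")
#   and that also carries the TCP-only "setup" keyword.  Exit status is 1
#   if any such rule was found, 0 otherwise, so it can gate a reload.
lint_ipfw_rules() {
    printf '%s\n' "$1" | awk '
        {
            isudp = 0; hassetup = 0
            for (i = 1; i < NF; i++) if ($i == "udp" && $(i+1) == "from") isudp = 1
            for (i = 1; i <= NF; i++) if ($i == "setup") hassetup = 1
            if (isudp && hassetup) {
                print "udp rule uses tcp-only keyword setup: " $0
                bad++
            }
        }
        END { exit bad ? 1 : 0 }'
}

# fix_udp_setup RULES
#   Emits the same rule list with "setup" dropped from udp rules only;
#   tcp rules (where setup is legitimate) and all other lines pass through.
fix_udp_setup() {
    printf '%s\n' "$1" | awk '
        {
            isudp = 0
            for (i = 1; i < NF; i++) if ($i == "udp" && $(i+1) == "from") isudp = 1
            if (!isudp) { print; next }
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "setup") out = out (out == "" ? "" : " ") $i
            print out
        }'
}

# Run the lint over the sample; when it flags something, show the corrected set.
lint_ipfw_rules "$SAMPLE_RULES" || {
    echo "--- corrected rules ---"
    fix_udp_setup "$SAMPLE_RULES"
}
```

On a real box the same check belongs before `sh /etc/rc.firewall` is re-run: a rule line ipfw refuses is simply absent from `ipfw list`, which is why Ian suggests comparing the loaded list against the file rather than trusting the file.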


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message