Date:      Wed, 14 Mar 2001 00:16:19 -0600
From:      Bill Fumerola <billf@mu.org>
To:        Nick Rogness <nick@rogness.net>
Cc:        Peter Brezny <peter@black.purplecat.net>, freebsd-net@FreeBSD.ORG
Subject:   Re: problem with secondary dns update through ipfw firewall
Message-ID:  <20010314001619.O31752@elvis.mu.org>
In-Reply-To: <Pine.BSF.4.21.0103131539180.11657-100000@cody.jharris.com>; from nick@rogness.net on Tue, Mar 13, 2001 at 03:47:08PM -0600
References:  <Pine.BSF.4.05.10103131533440.17531-100000@black.purplecat.net> <Pine.BSF.4.21.0103131539180.11657-100000@cody.jharris.com>

On Tue, Mar 13, 2001 at 03:47:08PM -0600, Nick Rogness wrote:

> > #       Allow DNS traffic from internet to query your DNS (for reverse
> > #       lookups etc).
> >         $fwcmd add allow tcp from any 53 to $ns1 53 setup
> >         $fwcmd add allow udp from any to $ns1 53
> >         $fwcmd add allow udp from $ns1 53 to any
> 
> 	You are only allowing the setup of the zone transfer.  You need to
> 	allow established traffic as well (tcp port 53).
> 	
> 	$fwcmd add allow tcp from any 53 to any 53
> 
> 	This isn't very secure though.  You can use more specific ipfw rules
> 	that make this a little more secure.

Luckily, figuring out which servers you need to allow is pretty easy:
you already have a list of them.

-- 
Bill Fumerola - security yahoo         / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org




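As an added example (not code from the thread or from any of the posters), here is a small rc.firewall-style shell fragment that does what Bill suggests: UDP 53 stays open to everyone, but TCP 53 is opened with `setup` only to the listed secondaries, followed by the `established` rule Nick points out is missing. The addresses are constructed placeholders, and `fwcmd` defaults to a dry run that prints the rules rather than loading them; set `FWCMD=/sbin/ipfw` on a FreeBSD host to apply them. Unlike the quoted rules, these do not match on a source port of 53, because the side that opens a TCP connection uses an ephemeral port. The trade-off of the restrictive setup rule is that ordinary resolvers retrying a truncated answer over TCP are blocked as well, so the final deny is logged to make that visible.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for an authoritative DNS
# server that limit TCP port 53 (zone transfers) to known secondaries.
# Dry run by default; FWCMD=/sbin/ipfw applies the rules for real.
fwcmd="${FWCMD:-echo ipfw}"

# Constructed addresses: replace with your own.
ns1="192.0.2.53"                        # this host's name server
secondaries="198.51.100.2 203.0.113.2"  # hosts allowed to pull zones

dns_rules() {
    # UDP queries from any client and the answers going back.
    $fwcmd add allow udp from any to "$ns1" 53
    $fwcmd add allow udp from "$ns1" 53 to any

    # TCP 53: only the listed secondaries may open a connection.
    # 'setup' matches the SYN; no source port, since the client
    # side of a transfer uses an ephemeral port.
    for sec in $secondaries; do
        $fwcmd add allow tcp from "$sec" to "$ns1" 53 setup
    done

    # The rest of each accepted conversation (the part the original
    # rule set left out): packets with ACK or RST set, both directions.
    $fwcmd add allow tcp from any to "$ns1" 53 established
    $fwcmd add allow tcp from "$ns1" 53 to any established

    # Anyone else trying to open TCP 53 is dropped and logged, so
    # blocked TCP retries from ordinary resolvers show up in the log.
    $fwcmd add deny log tcp from any to "$ns1" 53
}

dns_rules
```

Run it as-is to review the generated rule list; the loop makes adding or removing a secondary a one-line change to `secondaries` rather than an edit to the rules themselves.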