Date: Wed, 14 Mar 2001 00:16:19 -0600
From: Bill Fumerola <billf@mu.org>
To: Nick Rogness <nick@rogness.net>
Cc: Peter Brezny <peter@black.purplecat.net>, freebsd-net@FreeBSD.ORG
Subject: Re: problem with secondary dns update through ipfw firewall
Message-ID: <20010314001619.O31752@elvis.mu.org>
In-Reply-To: <Pine.BSF.4.21.0103131539180.11657-100000@cody.jharris.com>; from nick@rogness.net on Tue, Mar 13, 2001 at 03:47:08PM -0600
References: <Pine.BSF.4.05.10103131533440.17531-100000@black.purplecat.net> <Pine.BSF.4.21.0103131539180.11657-100000@cody.jharris.com>
On Tue, Mar 13, 2001 at 03:47:08PM -0600, Nick Rogness wrote:

> > # Allow DNS traffic from internet to query your DNS (for reverse
> > # lookups etc).
> > $fwcmd add allow tcp from any 53 to $ns1 53 setup
> > $fwcmd add allow udp from any to $ns1 53
> > $fwcmd add allow udp from $ns1 53 to any
>
> You are only allowing the setup of the zone transfer. You need to
> allow established traffic as well (tcp port 53).
>
> $fwcmd add allow tcp from any 53 to any 53
>
> This isn't very secure though. You can use more specific ipfw rules
> that make this a little more secure.

Luckily, figuring out which servers you need to allow is pretty easy,
you already have a list of them.

-- 
Bill Fumerola - security yahoo / Yahoo! inc.
  - fumerola@yahoo-inc.com / billf@FreeBSD.org
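The rules the thread converges on, written out as an added example (this is not code posted by anyone in the thread). It assumes, beyond what the mail says, that $ns1 is a master whose zones the hosts in $secondaries pull, and that $ns1 itself slaves zones from the hosts in $masters; all addresses are placeholders. The zone-transfer connection is opened by the pulling side, so each direction needs its own "setup" rule limited to the known peers, plus "established" rules for the remainder of the connection. By default the script only prints the ipfw commands so it runs harmlessly anywhere; set FWCMD=/sbin/ipfw to load them.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates ipfw rules for a
# name server $ns1 behind the firewall. Assumptions (not in the original
# mail): the addresses below are placeholders, $ns1 is a master that the
# listed secondaries pull zones from, and $masters lists servers $ns1
# itself pulls zones from. Set FWCMD=/sbin/ipfw to load the rules; the
# default only prints them.

ns1="192.0.2.53"                          # placeholder
secondaries="198.51.100.2 198.51.100.3"   # placeholder: hosts allowed to AXFR from ns1
masters="203.0.113.10"                    # placeholder: hosts ns1 slaves zones from
fwcmd="${FWCMD:-echo ipfw}"

dns_rules() {
    # Ordinary queries and answers (UDP/53), open to the world as in the
    # original rules.
    $fwcmd add allow udp from any to $ns1 53
    $fwcmd add allow udp from $ns1 53 to any

    # Inbound zone transfers: only a known secondary may open a TCP
    # connection to port 53. The source port is not pinned to 53 because
    # the transfer client normally connects from an ephemeral port.
    for sec in $secondaries; do
        $fwcmd add allow tcp from $sec to $ns1 53 setup
    done

    # Outbound zone transfers: ns1 opens the connection to each master.
    for m in $masters; do
        $fwcmd add allow tcp from $ns1 to $m 53 setup
    done

    # The rest of every accepted TCP/53 connection, in both directions.
    # "established" matches only packets with ACK or RST set, so it cannot
    # open a new connection on its own; the setup rules above do that.
    $fwcmd add allow tcp from any to $ns1 53 established
    $fwcmd add allow tcp from $ns1 53 to any established
    $fwcmd add allow tcp from $ns1 to any 53 established
    $fwcmd add allow tcp from any 53 to $ns1 established

    # Any other attempt to open TCP/53 to or from ns1 is refused.
    $fwcmd add deny tcp from any to $ns1 53
    $fwcmd add deny tcp from $ns1 to any 53
}

dns_rules
```

Run it as-is to review the list, then `FWCMD=/sbin/ipfw sh dns_rules.sh` to load it. If $ns1 slaves no zones, drop the $masters loop and the two outbound rules; the lists of secondaries and masters are the same ones already in the zone files and named configuration, which is the point Bill makes above.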