Date:      Sat, 30 Sep 2000 23:54:00 +0200 (CEST)
From:      Janko van Roosmalen <janko@compuserve.com>
To:        MG_Tak <mgtak@beancrock.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: DNS behind a ipfw firewall
Message-ID:  <Pine.BSF.4.10.10009302320080.1257-100000@parmenides.utp.net>
In-Reply-To: <Pine.BSF.4.21.0009301610030.13966-100000@baked.beancrock.net>

On pages 543 and 544 of "Building Internet Firewalls" is a table with all
the possibilities of UDP and TCP ports for DNS queries and responses.

It also has the info how to set up an internal and external DNS server. You
do not want everybody to be able to know how your internal LAN is
structured and give them machine names they can try to attack.
A system administrator cannot live without a book like this. 

You will also need the DNS bible "DNS and BIND". DNS is tricky to set up
and if done wrongly can cause a lot of unnecessary DNS traffic on the
internet.

Also make sure you run the latest version with patchlevel 5 IIRC. Previous
versions had some serious security problems.

References:

"Building Internet Firewalls" by Zwicky, Cooper and Chapman (2nd edition
June 2000) and "DNS and BIND" by Albitz and Liu. Both books published by
O'Reilly (www.oreilly.com).

===Janko van Roosmalen - Vught - Netherlands===

On Sat, 30 Sep 2000, MG_Tak wrote:

> 	Greetings,
> 
> 	From what I read on www.freebsd.org, this question doesn't
> belong on the ipfw mailing list, so I'm sending it here.
> 
> 	I'm running a FreeBSD 4.1 machine with ipfw. It works fine for
> every TCP and outgoing UDP connection, but for some reason, I can't get
> it to work for incoming DNS connections. I do need that because my
> machine is the name server for my domain.
> 
> 	I have:
> 
>         ${fwcmd} add pass udp from any 53 to ${ip}
>         ${fwcmd} add pass udp from ${ip} to any 53
> 
> 	in my /etc/rc.firewall, and this effectively allows me to send
> out DNS requests to the internet, and get responses for them, but it
> doesn't allow the rest of the internet to spontaneously query my name
> server.
> 
> 	I think my problem comes from not understanding how DNS
> transactions work.
> 
> 	I have searched many web-sites for answers, but have yet to find
> any that was helpful enough.
> 
> 	Thanks for your time, and help,
> 
> ----------------------------------
> 
> MG_Tak
> beancrock.net system administrator
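The two rules quoted above only cover the host's own lookups: `from any 53 to ${ip}` admits replies coming back from a remote server's port 53, and `from ${ip} to any 53` lets the host's queries out. For the host to answer as a name server, the mirror image is needed: queries arriving at its own port 53 from any source port, and answers leaving from port 53. The fragment below is an added example for an rc.firewall on such a host; it is not code from either poster. It assumes the `${fwcmd}` and `${ip}` variables that rc.firewall already defines, and the address 192.0.2.53 used in the dry-run is a constructed documentation address.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for a host that is itself
# the authoritative name server for its domain.  Arguments are the ipfw
# command (rc.firewall's ${fwcmd}) and this host's address (${ip}).
# Passing "echo ipfw" as the command prints the rules instead of loading them.

dns_rules() {
    cmd="${1:?usage: dns_rules <fwcmd> <ip>}"
    addr="${2:?usage: dns_rules <fwcmd> <ip>}"

    # --- The host's own lookups (what the original two rules already did) ---
    # Queries this host sends: from an unprivileged local port to port 53.
    $cmd add pass udp from "$addr" to any 53
    # Replies to those queries come back from port 53 on the remote server.
    $cmd add pass udp from any 53 to "$addr"

    # --- Serving the zone (the missing half) ---
    # Queries from the Internet arrive at OUR port 53.  The source port is
    # whatever the remote resolver chose, so it is left unspecified.
    $cmd add pass udp from any to "$addr" 53
    # Our answers leave from port 53 back to the client's chosen port.
    $cmd add pass udp from "$addr" 53 to any

    # DNS also uses TCP 53 for answers larger than 512 bytes and for zone
    # transfers.  'setup' matches only the connection-opening packet, and
    # 'established' lets the rest of an open conversation through.  Restrict
    # who may actually pull a zone in the name server's own configuration
    # (BIND's allow-transfer), not just in the packet filter.
    $cmd add pass tcp from any to "$addr" 53 setup
    $cmd add pass tcp from "$addr" 53 to any established
}

# Dry-run when executed directly; under rc.firewall set fwcmd and ip first.
dns_rules "${fwcmd:-echo ipfw}" "${ip:-192.0.2.53}"
```

Because ipfw takes the first matching rule, these `add` lines must come before any final `deny ip from any to any` in rc.firewall. The source-port-only rule `from any 53 to ${ip}` is broad (anything sent from port 53 matches it), so keep it as it is only if the host has no stateful alternative; on this 4.1-era ruleset it is the conventional compromise.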


