Date:      Thu, 10 Jul 2008 01:06:25 -0500 (CDT)
From:      Mike Silbersack <silby@silby.com>
To:        Tim Clewlow <tim@clewlow.org>
Cc:        freebsd-security@freebsd.org, Oliver Fromme <olli@lurza.secnetix.de>
Subject:   Re: BIND update?
Message-ID:  <20080710010119.K5394@odysseus.silby.com>
In-Reply-To: <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>
References:  <C4990135.1A0907%astorms@ncircle.com>    <200807091054.m69As4eH065391@lurza.secnetix.de> <200807091209.m69C9Gsl030319@lava.sentex.ca> <20080709233650.B3813@odysseus.silby.com> <53413.192.168.1.10.1215667980.squirrel@192.168.1.100>


On Thu, 10 Jul 2008, Tim Clewlow wrote:

> Assuming this is NOT a gateway, ie a single homed DNS.

nat on $ext_if proto udp from any to any port 53 -> ($ext_if)

That's the rule that works for me.  You don't need to worry about tcp 
because tcp is protected by its 32-bit initial sequence number.

If someone wants to go propose this fix on bugtraq, please don't mention 
my name.  I don't want to get dragged into it. :)

-Mike
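The pf rule above works because NAT rewrites each outbound UDP/53 query to a fresh, unpredictable source port, so an off-path forger has to guess the port as well as the 16-bit transaction ID. The following check, an added example that is not part of this thread or of FreeBSD, classifies a list of observed source ports (constructed samples here; in practice the ports of outbound `udp dst port 53` packets seen on `$ext_if`) as fixed, sequential or randomized, and estimates how many bits a forged reply must match:

```python
import math
import random

# Constructed samples of source ports on outbound UDP/53 queries (not real captures).
FIXED = [53] * 100                       # resolver pinned to one query-source port
SEQUENTIAL = list(range(49152, 49252))   # incrementing ephemeral ports, predictable
_rng = random.Random(1)                  # seeded so the sample is reproducible
RANDOMIZED = [_rng.randrange(49152, 65536) for _ in range(100)]  # what pf nat yields


def is_fixed(ports):
    """Every query left from the same port."""
    return len(set(ports)) == 1


def is_sequential(ports, tolerance=0.9):
    """True when nearly every port is the previous one plus one."""
    if len(ports) < 2:
        return False
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1) >= tolerance


def assess(ports):
    """Classify the observed source-port behaviour."""
    if is_fixed(ports):
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    return "randomized"


def guess_space_bits(ports):
    """Approximate bits an off-path attacker must match per forged reply:
    16 bits of transaction ID, plus log2 of the port span when the port is
    unpredictable. A fixed or sequential port adds nothing."""
    if assess(ports) != "randomized":
        return 16.0
    span = max(ports) - min(ports) + 1
    return 16.0 + math.log2(span)
```

A result near 16 bits means the NAT rule is not taking effect (for example an existing `nat` rule with `static-port`, which preserves the original source port).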


