Date:      Sat, 17 Feb 2007 19:53:05 +0100
From:      Jeremie Le Hen <jeremie@le-hen.org>
To:        freebsd-net@FreeBSD.org
Subject:   Firewalling DNS jails
Message-ID:  <20070217185305.GA22946@obiwan.tataz.chchile.org>

Hi there,

I have two jails with named(8) running on my server.
- The first one (dns_int) is used as a resolver for my local network,
  and also serves the zone addressing it.
- The second one (dns_ext) is used to serve my zones on the Internet
  side.

I want to know if the following rules are secure enough and if they
can be tightened regarding the DNS protocol and the policy I've set up.

=== 8< ===  8< === 8< ===
pass in inet proto { tcp, udp } from $local_net to $dns_int port domain keep state
pass out inet proto { tcp, udp } from $dns_int to any port domain keep state

pass in inet proto { tcp, udp } from any to $dns_ext port domain keep state
pass out inet proto { tcp, udp } from $dns_int to !$local_net port domain keep state
=== 8< ===  8< === 8< ===

Thank you.

PS: If you know about problems using the same nameserver for resolving
and serving my internal zone, please let me know as well.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
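An added example, not part of Jeremie's message or of any reply in the thread: the same two-jail policy written as a tighter pf.conf fragment. The interface names, the addresses, the $secondaries macro, and the assumption that dns_ext is the master for its zones (so its only legitimate outbound port-53 traffic is NOTIFY to its secondaries) are mine, not the poster's.

```pf
# Added example, not from the original message. Macros and addresses below
# are placeholders (assumptions) chosen to illustrate the policy.
ext_if      = "em0"               # assumed Internet-facing interface
int_if      = "fxp0"              # assumed LAN-facing interface
local_net   = "192.168.0.0/24"    # assumed LAN prefix
dns_int     = "192.168.0.53"      # resolver jail, also serves the LAN zone
dns_ext     = "203.0.113.53"      # authoritative jail (documentation prefix)
secondaries = "{ 198.51.100.2 }"  # assumed secondaries that AXFR from dns_ext

# Defaults first (pf uses last-matching rule): neither jail originates
# anything that is not explicitly passed below. Replies to queries the
# jails answer are matched by the states created by the "pass in" rules.
block out on $ext_if from { $dns_int, $dns_ext } to any
block out on $int_if from { $dns_int, $dns_ext } to $local_net

# Resolver jail: only the LAN may query it. TCP stays enabled for
# truncated answers. Outbound, it may recurse to the Internet but never
# talk to LAN hosts on port 53; the LAN zone lives on dns_int itself.
pass in  on $int_if inet proto { tcp, udp } from $local_net to $dns_int port domain keep state
pass out on $ext_if inet proto { tcp, udp } from $dns_int to ! $local_net port domain keep state

# Authoritative jail: queries from anywhere, TCP included for AXFR and
# truncated answers, with a cap on the state table it can fill.
# As master it does not need outbound port 53 "to any": NOTIFY goes only
# to the secondaries, and zone transfers are initiated by them (inbound).
pass in  on $ext_if inet proto { tcp, udp } from any to $dns_ext port domain keep state (max 10000)
pass out on $ext_if inet proto udp from $dns_ext to $secondaries port domain keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. Compared with the rules in the message, the changes are: each rule is bound to an interface, every outbound packet the jails originate is denied unless a rule passes it, and the authoritative jail's outbound port 53 is limited to the hosts it actually has to notify. If dns_ext is instead a secondary for some zones, the last rule would need TCP as well and its destination would be the masters it pulls from rather than $secondaries.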



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070217185305.GA22946>