From: Jeremie Le Hen
To: freebsd-net@FreeBSD.org
Date: Sat, 17 Feb 2007 19:53:05 +0100
Subject: Firewalling DNS jails
Message-ID: <20070217185305.GA22946@obiwan.tataz.chchile.org>

Hi there,

I have two jails with named(8) running on my server.
- The first one (dns_int) is used as a resolver for my local network, and also serves the zone addressing it.
- The second one (dns_ext) is used to serve my zones on the Internet side.

I want to know if the following rules are secure enough and if they can be tightened regarding the DNS protocol and the policy I've set up.
=== 8< === 8< === 8< ===
pass in inet proto { tcp, udp } from $local_net to $dns_int port domain keep state
pass out inet proto { tcp, udp } from $dns_int to any port domain keep state
pass in inet proto { tcp, udp } from any to $dns_ext port domain keep state
pass out inet proto { tcp, udp } from $dns_int to !$local_net port domain keep state
=== 8< === 8< === 8< ===

Thank you.

PS: If you know about problems using the same nameserver for resolving and serving my internal zone, please let me know as well.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
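As an added example (not part of the original message or the author's configuration), the following pf.conf fragment shows one way to tighten the posted ruleset along the lines the question asks about: bind each rule to the interface it belongs on, let the resolver jail reach port 53 anywhere while the authoritative jail initiates connections only towards its secondaries, and rely on a default block for everything else. The interface names, addresses and the $secondaries macro are placeholders chosen for the example; the fourth posted rule names $dns_int, and this example assumes the authoritative jail $dns_ext was the intended source there. Since the posted rules carry "keep state", replies to accepted queries are already covered by the state entry and need no separate pass rule.

```pf
# Added example ruleset, not from the original message.
# Assumed layout: both jails are address aliases on one FreeBSD host,
# $int_if faces $local_net, $ext_if faces the Internet.
ext_if    = "em0"                       # placeholder interface names
int_if    = "em1"
local_net = "192.168.1.0/24"            # placeholder, as in the message
dns_int   = "192.168.1.53"              # resolver jail (placeholder)
dns_ext   = "192.0.2.53"                # authoritative jail (RFC 5737 placeholder)
secondaries = "{ 198.51.100.10, 198.51.100.11 }"   # hypothetical secondary NS

set skip on lo0
# Default deny: anything not explicitly passed below is dropped and logged,
# which also covers jail traffic that is not DNS at all.
block log all

# Resolver jail: only internal clients may query it. Both protocols are
# needed, since answers that do not fit in UDP are retried over TCP.
pass in on $int_if inet proto { tcp, udp } \
    from $local_net to $dns_int port domain keep state

# Resolver jail may talk to any nameserver, but only on port 53 and only
# from its own address, so the jail cannot be used as a general egress path.
pass out on $ext_if inet proto { tcp, udp } \
    from $dns_int to any port domain keep state

# Authoritative jail: anyone may query it; the state entry handles replies.
pass in on $ext_if inet proto { tcp, udp } \
    from any to $dns_ext port domain keep state

# Authoritative jail initiates nothing except NOTIFY and zone transfers to
# its own secondaries. Drop this rule if the secondaries pull without NOTIFY.
pass out on $ext_if inet proto { tcp, udp } \
    from $dns_ext to $secondaries port domain keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without activating it; note that in pf the port keyword is required before "domain", which the posted rules omit. The firewall cannot enforce the recursion policy the PS asks about: whether dns_int answers recursive queries from the Internet is decided in named.conf (BIND's allow-recursion option restricted to $local_net), and the firewall rules above only keep Internet hosts from reaching dns_int at all.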