Date:      Mon, 27 Jul 1998 01:48:00 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        Jay Tribick <netadmin@fastnet.co.uk>
Cc:        security@FreeBSD.ORG
Subject:   Re: ipfw rules to allow DNS activity
Message-ID:  <Pine.BSF.3.96.980727013412.470A-100000@shell6.ba.best.com>
In-Reply-To: <Pine.BSF.3.96.980727092023.11044J-100000@bofh.fast.net.uk>


	No no no... What I mean is:

[takes out the bible: TCP/IP Illustrated and opens it on page 206]
	
	DNS uses UDP for resolver queries (most of the time).
	DNS uses TCP for zone transfers (always).
	
	If you don't want to allow zone transfer from that computer, don't
worry about allowing TCP as long as your DNS response will never exceed
512 bytes.
	(yes I know one can also use xfrnets to stop unauthorized zone
transfers but this is ipfw talk *grin*)

-- Yan

Jan Koum                  jkb@best.com |  "Turn up the lights; I don't want
www.FreeBSD.org --  The Power to Serve |   to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

On Mon, 27 Jul 1998, Jay Tribick wrote:

>
>Hi
>
>| >I'm thinking of changing one of my boxes which is running bind (performing
>| >primary secondary DNS functions) from
>| >allow-anything-except-things-specifically-denied ipfw rules to
>| >deny-everything-except-things-specifically-allowed rules (open vs closed?
>| >hehe). Anyway, I was wondering what are the minimum rules necessary to
>| >allow DNS queries/transfers from other servers to my server, and also to
>| >allow queries from my server to other servers.
>
>| >I tried a variety of rules from the rc.firewall file, but it's still
>| >blocking some traffic, so there must be something I'm missing.
>
>| 	Take a look at /etc/rc.firewall:
>| 
>|         # Allow DNS queries out in the world
>|         ipfw add pass udp from any 53 to ${ip}
>|         ipfw add pass udp from ${ip} to any 53
>| 
>| 	You will need to enable same setup as above but for tcp for zone
>| 	transfers (someone correct me if I am wrong).
>| 
>| 	Also take a look at FreeBSD ipfw Configuration Page:
>| 	http://www.metronet.com/~pgilley/freebsd/ipfw
>
>AFAIK DNS zone-transfers are handled via 53 as well, I can't find
>another listing for 'Domain Name Server' in /etc/services so I assume
>the above will work fine.
>
>Regards,
>
>Jay Tribick
>--
>[| Network Administrator | FastNet International | http://fast.net.uk/ |]
>[|        Finger netadmin@fastnet.co.uk for contact information        |]
>[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]
>
>
>
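The 512-byte caveat above is the one a firewall admin needs to check before closing TCP/53: a UDP response that cannot fit is sent with the TC (truncated) bit set, and the resolver retries the same query over TCP. The following is an added example (not from this thread and not FreeBSD/ipfw code) that builds a constructed DNS response with a hypothetical name and addresses, truncates it at 512 bytes the way a server would, and reads back the TC bit; only the standard `struct` module is used.

```python
# Added example: simulate the classic 512-byte DNS-over-UDP limit (RFC 1035)
# and the TC bit that tells a resolver to retry over TCP/53.
import struct

UDP_PAYLOAD_LIMIT = 512        # maximum DNS message size over plain UDP
TC_FLAG = 0x0200               # "truncated" bit in the DNS header flags


def encode_name(name):
    """Encode 'example.com' as DNS labels: \x07example\x03com\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, name, addrs):
    """Constructed A-record response: one question, one 16-byte A RR per
    address.  RRs that would push the message past 512 bytes are dropped
    and TC is set, which is exactly what forces the TCP retry."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    rrs = []
    for a in addrs:
        rdata = bytes(int(octet) for octet in a.split("."))
        # 0xC00C = compression pointer to the question name at offset 12,
        # then TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4
        rrs.append(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata)
    header_len, body, answered = 12, question, 0
    for rr in rrs:
        if header_len + len(body) + len(rr) > UDP_PAYLOAD_LIMIT:
            break
        body += rr
        answered += 1
    truncated = answered < len(rrs)
    flags = 0x8180 | (TC_FLAG if truncated else 0)      # QR|RD|RA (+TC)
    header = struct.pack("!HHHHHH", txid, flags, 1, answered, 0, 0)
    return header + body


def is_truncated(msg):
    """True if TC is set: a resolver will re-ask over TCP, so a firewall
    that only passes UDP/53 breaks this answer."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & TC_FLAG)
```

With 30 or fewer A records for a short name the answer fits in UDP; a larger set is cut to what fits and flagged, so blocking TCP/53 would leave such clients with an incomplete answer or a failed retry.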

