Date:      Mon, 27 Jul 1998 02:22:25 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        sthaug@nethelp.no
Cc:        j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw rules to allow DNS activity
Message-ID:  <Pine.BSF.3.96.980727021508.4055A-100000@shell6.ba.best.com>
In-Reply-To: <25685.901530296@verdi.nethelp.no>

On Mon, 27 Jul 1998 sthaug@nethelp.no wrote:

>> 	Take a look at /etc/rc.firewall:
>> 
>>         # Allow DNS queries out in the world
>>         ipfw add pass udp from any 53 to ${ip}
>>         ipfw add pass udp from ${ip} to any 53
>> 
>> 	You will need to enable same setup as above but for tcp for zone
>> 	transfers (someone correct me if I am wrong).
>
>Unfortunately, it's not quite that simple:
>

	Hmm.. You sure? Not according to Stevens and my tcpdump:

>- You can't know the source port in zone transfers initiated from your
>own name server. It won't be 53 - remember that zone transfers are
>performed by a separate program (named-xfer).

	This is from running "host -l some.host" in the other xterm:

02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S 3408638927:3408638927(0) win 16384 <mss 1460,nop,wscale0,nop,nop,timestamp [|tcp]> (DF)
02:15:05.636200 209.157.102.11.domain > nfr.2509: S 3345473533:3345473533(0) ack 3408638928 win 17280 <mss 1460,nop,wscale0,nop,nop,timestamp[|tcp]> (DF)
02:15:05.636284 nfr.2509 > 209.157.102.11.domain: . ack 1 win 17280 <nop,nop,timestamp 350014 9418322,nop,nop,[|tcp]> (DF)
02:15:05.636391 nfr.2509 > 209.157.102.11.domain: P 1:3(2) ack 1 win 17280 <nop,nop,timestamp 350014 9418322,nop,nop,eol,[|tcp]> (DF)
02:15:05.789950 209.157.102.11.domain > nfr.2509: . ack 3 win 17280 <nop,nop,timestamp 9418322 350014,nop,nop,[|tcp]> (DF)
02:15:05.790049 nfr.2509 > 209.157.102.11.domain: P 3:31(28) ack 1 win 17280 <nop,nop,timestamp 350014 9418322,nop,nop,[|tcp]> (DF)
02:15:05.920407 209.157.102.11.domain > nfr.2509: P 1:717(716) ack 31 win
[snip]

	It is going from my host, nfr to the nameserver, 209.157.192.11,
destination port 53 using tcp.
	Replies are coming back from 209.157.192.11, port 53 using tcp
back to me. I don't see how this is "won't be 53" -- am I missing
something in this picture?

>
>- If you use BIND 8, the source port for queries initiated by the name
>server itself will *not* be 53 unless you explicitly say so.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no

	Source port for queries will be greater than 1024 (e.g.: port 2509
above). Destination port for queries will be DNS server, which runs on
port 53. Are we talking about two different things here? :)

-- yan


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
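As an added example that is not part of the thread (and not FreeBSD's own code): a toy first-match packet filter in the shape of the ipfw rules quoted above, replaying the zone-transfer packets from the tcpdump trace through rule pairs of the /etc/rc.firewall shape. It assumes the documentation address 192.0.2.10 for the host "nfr" (the message never states its address) and models only the ipfw features the thread uses: protocol, from/to address and port, and "established". It shows the point both posters are circling: the far end's port is 53 while the local end's port is ephemeral (2509 in the trace), so a pair that pins 53 on the local side too drops the transfer, whereas the rc.firewall shape, with "established" on the inbound TCP rule, passes it and still rejects a fresh connection that an outside host sources from port 53.

```python
"""Toy first-match packet filter in the shape of the ipfw rules quoted above.

Added example, not code from the thread or from FreeBSD. It replays the TCP
packets of the tcpdump trace through rc.firewall-shaped rule pairs. Assumed:
'nfr' has the documentation address 192.0.2.10 (the thread never states it).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

NFR_IP = "192.0.2.10"           # assumed address for the host 'nfr'
NAME_SERVER = "209.157.102.11"  # the name server in the trace
SERVICES = {"domain": 53}       # tcpdump prints well-known ports by name

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # the bare SYN that opens a connection (no ACK bit)

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (any)
    src: str = "any"
    sport: Optional[int] = None  # None means any port
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False    # ipfw 'established': never match a bare SYN

# Old tcpdump line shape: "<time> <host>.<port> > <host>.<port>: <flags> ..."
TCPDUMP_RE = re.compile(
    r"^\S+\s+(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): (?P<flags>\S+)")

def parse_tcpdump(line: str, hosts: dict) -> Packet:
    """One tcpdump TCP line -> Packet; hosts maps printed names to addresses."""
    m = TCPDUMP_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")

    def port(p: str) -> int:
        return int(p) if p.isdigit() else SERVICES[p]

    syn_only = m["flags"] == "S" and " ack " not in line
    return Packet("tcp", hosts.get(m["src"], m["src"]), port(m["sport"]),
                  hosts.get(m["dst"], m["dst"]), port(m["dport"]), syn_only)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return not (rule.established and pkt.syn_only)

def filter_action(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """ipfw semantics: the first matching rule decides; no match -> default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def dns_rules(proto: str, pin_local_port: bool) -> List[Rule]:
    """The rc.firewall pair for 'proto'. pin_local_port=False is the quoted shape
    (only the far end is 53); True also fixes the local end to 53. For TCP the
    inbound rule gets 'established' so a remote port 53 cannot open connections in."""
    local = 53 if pin_local_port else None
    return [
        Rule("pass", proto, "any", 53, NFR_IP, local, established=(proto == "tcp")),
        Rule("pass", proto, NFR_IP, local, "any", 53),
    ]

# First packets of the 'host -l' trace from the message, one packet per line.
TRACE = [
    "02:15:05.598279 nfr.2509 > 209.157.102.11.domain: S 3408638927:3408638927(0) win 16384 <mss 1460,nop,wscale0,nop,nop,timestamp [|tcp]> (DF)",
    "02:15:05.636200 209.157.102.11.domain > nfr.2509: S 3345473533:3345473533(0) ack 3408638928 win 17280 <mss 1460,nop,wscale0,nop,nop,timestamp[|tcp]> (DF)",
    "02:15:05.636284 nfr.2509 > 209.157.102.11.domain: . ack 1 win 17280 <nop,nop,timestamp 350014 9418322,nop,nop,[|tcp]> (DF)",
    "02:15:05.636391 nfr.2509 > 209.157.102.11.domain: P 1:3(2) ack 1 win 17280 <nop,nop,timestamp 350014 9418322,nop,nop,eol,[|tcp]> (DF)",
    "02:15:05.789950 209.157.102.11.domain > nfr.2509: . ack 3 win 17280 <nop,nop,timestamp 9418322 350014,nop,nop,[|tcp]> (DF)",
]

def verdicts(rules: List[Rule], trace: List[str] = TRACE) -> List[str]:
    """Verdict per trace packet under the given rule set."""
    return [filter_action(rules, parse_tcpdump(line, {"nfr": NFR_IP})) for line in trace]

def probe_from_port_53(rules: List[Rule]) -> str:
    """Constructed packet: a remote host opening a fresh connection from port 53
    to a local ephemeral port. Only 'established' keeps this out."""
    return filter_action(rules, Packet("tcp", NAME_SERVER, 53, NFR_IP, 2509, syn_only=True))

def named_query_verdict(rules: List[Rule], local_port: int) -> str:
    """Constructed packet: an outbound UDP query sourced from local_port, i.e. what
    a local name server emits (BIND 8 picks an ephemeral port unless told to use 53)."""
    return filter_action(rules, Packet("udp", NFR_IP, local_port, NAME_SERVER, 53))
```

Running verdicts(dns_rules("tcp", False)) over the trace passes every packet, dns_rules("tcp", True) denies every one because the local port is 2509, and probe_from_port_53(...) is denied under the unpinned pair only because of "established". The BIND 8 remark in the thread is the same principle on UDP: named_query_verdict with an ephemeral local port passes the quoted rc.firewall pair but fails a pair pinned to 53 at both ends, which is only correct once named is configured to send from port 53 (BIND 8's "query-source address * port 53;" option).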


