Date:      Wed, 4 Jun 1997 09:08:38 +1000 (EST)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        Harlan Stenn <Harlan.Stenn@pfcs.com>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: Improvements to rc.firewall? 
Message-ID:  <Pine.BSF.3.91.970604090420.9382C-100000@panda.hilink.com.au>
In-Reply-To: <27736.865360072@mumps.pfcs.com>


On Tue, 3 Jun 1997, Harlan Stenn wrote:

> H> I checked this out by doing a tcpdump of my ppp link, and looked at
> H> all of the DNS traffic.  Responses to my queries came in to *my* port
> H> 53.
> 
> dOc> Are you running your own named locally?  That would be why.
>  
> Yes, I am.  Thanks for the explanation.
> 
> Perhaps we should explain that if somebody wants a working firewall
> they'll have to run a local (caching or forwarding only, even)
> nameserver, too.

It depends on how "working" a firewall you need.  If you don't run a 
local nameserver, you can simply deny all udp packets arriving with src port 
53 which don't come from the name server defined in /etc/resolv.conf.
If you want to run your own caching named, add a forwarder and the word 
'slave' to your /etc/named.boot, and only allow udp src port 53 from your 
forwarder.
If you run your own named, and you don't run it as a slave, you *must* 
accept udp packets with src port 53 and dst port 53 from anyone with 
ipfw. The alternative is to use ipfilter with 'keep state'.

/*  Daniel O'Callaghan                                                     */
/*  HiLink Internet <http://www.hilink.com.au/>;       danny@hilink.com.au  */
/*  FreeBSD - works hard, plays hard...                 danny@freebsd.org  */
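The three ipfw configurations described in the message above, written out as an added example (this is not code from the original post or from FreeBSD's rc.firewall). The variable names IPFW, OIF and BASE, the rule numbers, the "in via" rule form and the sample resolv.conf addresses are assumptions; with IPFW unset the rules are only printed, so it can be run as-is without root and without ipfw.

```sh
#!/bin/sh
# Added example, not from the original post or from FreeBSD's rc.firewall.
# Generates the ipfw rules for the three DNS cases in the message.
# IPFW defaults to "echo ipfw" so the rules are only printed; set
# IPFW=/sbin/ipfw (as root) to install them.  OIF, BASE and the rule
# syntax ("in via") are assumptions; check them against ipfw(8).

IPFW="${IPFW:-echo ipfw}"
OIF="${OIF:-tun0}"      # outside (ppp) interface, assumption
BASE="${BASE:-1000}"    # first rule number, assumption

# Print the nameserver addresses from a resolv.conf-style file, one per line,
# refusing anything that is not a dotted quad so that a stray token in the
# file never ends up inside a firewall rule.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' "$1"
}

# Case 1 (no local named) and case 2 (caching named run as a slave behind a
# forwarder): the only UDP traffic allowed in from source port 53 is the
# replies of the resolvers or forwarders given as arguments; everything else
# arriving from source port 53 is denied.
rules_trusted_resolvers() {
    n=$BASE
    for ns in "$@"; do
        $IPFW add $n allow udp from "$ns" 53 to any in via "$OIF"
        n=$((n + 1))
    done
    $IPFW add $n deny udp from any 53 to any in via "$OIF"
}

# Case 3 (full, non-slave named): named talks to arbitrary authoritative
# servers from its own port 53, so replies arrive with src port 53 AND dst
# port 53 from anyone and must be let through; other src-53 UDP is still denied.
rules_full_named() {
    $IPFW add $BASE allow udp from any 53 to any 53 in via "$OIF"
    $IPFW add $((BASE + 1)) deny udp from any 53 to any in via "$OIF"
}

# Constructed sample resolv.conf (documentation-range addresses, not from the
# post); the bogus line shows the address filter doing its job.
SAMPLE_RESOLV=$(mktemp)
trap 'rm -f "$SAMPLE_RESOLV"' EXIT
cat > "$SAMPLE_RESOLV" <<'EOF'
domain example.net
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver bogus.entry
EOF

echo "# case 1/2: only the resolvers in resolv.conf may answer"
rules_trusted_resolvers $(resolv_nameservers "$SAMPLE_RESOLV")
echo "# case 3: local non-slave named"
rules_full_named
```

Case 3 is the weak spot the message points at: the "from any 53 to any 53" rule is a blanket hole for any UDP packet with both ports set to 53, which is why the post suggests ipfilter with 'keep state' (only packets matching an outbound query get in) as the alternative.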