Date:      Tue, 10 May 2005 08:40:08 -0500
From:      "Fafa Hafiz Krantz" <fteg@london.com>
To:        "Jan Grant" <Jan.Grant@bristol.ac.uk>
Cc:        questions@freebsd.org
Subject:   Re: PF RULES! But mine doesn't ...
Message-ID:  <20050510134009.6EFB54BEAF@ws1-1.us4.outblaze.com>


> The rules I suggested are so that external machines can talk to your DNS
> server (querying about the domain it is authoritative for), and so that
> responses can get back to those machines.
>
> Your nameserver, however, may also be trying to get requests out. When
> it does this, by default, it will use a random source-port. By
> specifying
>
> options {
> 	query-source address * port 53;
> }
>
> in your named.conf, your nameserver will _also_ use port 53 as the
> source port on any requests _that it originates_. (That's the
> distinction). If you do this, then you won't need port 53 mentioned in
> your other "keep state" rule.
>
> I suspect that this might actually be the cause of your transient FTP
> concern; you should try modifying your nameserver config before you go
> any further.

Great :) Thanks man, I'll try that.
Isn't this something that ought to be in every named.conf?

What ports does it go to by default?

> (This assumes that your resolv.conf is configured to use the local
> machine as a nameserver in the first instance. If that is not the case,
> then you will still need the port 53 clause in your "DNS and NTP"
> section, because other programs will use random ports in an attempt to
> get DNS queries out into the wild.)

No, my resolv.conf contains my ISP's nameservers.

> Your ruleset looks pretty simple, to be honest.

I've heard many experts say 'your ruleset looks like shit',
maybe because they're jealous of my nice headers ;)

Ok, so now my named.conf's option looks like this:

options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        query-source address * port 53;
};

Should I specify where to log to?
Because it doesn't log.

> I'm afraid that where the specifics of PF are concerned, I know nothing:
> the advice I've given you is just generic firewall stuff :-/ It looks to
> me like your PF config is set up to use some kind of FTP proxy running
> on localhost:8021. On the other hand, I could be barking up the wrong
> tree completely; I've pretty much run out of useful things to say about
> this config.

Well, you do seem to me like a jack of all trades.

Have a wonderful day! :)

--

Fafa Hafiz Krantz
  Research Designer @ http://www.home.no/barbershop
  Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf
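The firewall side of what Jan describes above, as an added example that is not part of the thread: a pf.conf fragment for a host that runs an authoritative BIND server and also uses the ISP's resolvers from resolv.conf. The interface name and the ISP resolver addresses are assumptions. Queries the host originates always go to destination port 53 on the remote nameserver; only the source port varies, and a stateful rule matches the reply whether that source port is random or pinned to 53. Pinning it with `query-source address * port 53` is therefore not required for the firewall's sake, and it gives up the source-port randomization that later BIND releases depend on to resist cache poisoning, so the rules below are written to work without the pin.

```pf
# Added example, not from the thread. Macros are assumptions; replace them
# with your own interface and addresses.
ext_if  = "fxp0"
isp_dns = "{ 192.0.2.53, 192.0.2.54 }"   # constructed documentation addresses

# Default deny, logged; everything below is an explicit exception.
block in log all
block out log all

# Inbound: external machines may query the authoritative server on
# UDP and TCP 53. "keep state" lets the replies back out with no extra rule.
pass in on $ext_if proto { tcp, udp } from any to ($ext_if) port 53 keep state

# Outbound: queries the host itself originates (named talking to other
# authoritative servers). Destination port is 53; the source port is
# whatever named picks, and the state entry tracks it either way.
pass out on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state

# Stub-resolver traffic driven by resolv.conf. Programs on the host use
# random source ports toward the ISP resolvers; the rule above already
# covers this, but a narrower rule limited to those resolvers is safer
# if you later tighten the general one.
pass out on $ext_if proto udp from ($ext_if) to $isp_dns port 53 keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -ss` after a query to confirm a state entry with the random source port was created; if queries time out while that entry exists, the problem is not the filter but the resolver configuration.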


