Re: Help with ipfw rules to allow DNS queries through

From: X Philius (xphilius@yahoo.com)
Date: 12/27/01


Date: Thu, 27 Dec 2001 06:20:28 -0800 (PST)
From: X Philius <xphilius@yahoo.com>
To: Ian Smith <smithi@nimnet.asn.au>

Ian and Security Wizards,
Thanks a whole heap! It looks to me that I have enough material here to
get this working. I am guessing that this broken UDP rule may have been
messing me up. I will put all these suggestions in place and post a
note next week when I have everything humming along.

Jason

--- Ian Smith <smithi@nimnet.asn.au> wrote:
> On Wed, 26 Dec 2001, X Philius wrote:
>
> > I am currently using an external DNS server via resolv.conf, you are
> > correct. I would think that the generic rule to allow all internally
> > established connections (both udp and tcp) to pass through would allow
> > this, even without any port specific rules. Is this not correct?
> >
> > # Allow set up of outgoing UDP connections
> > ${fwcmd} add pass udp from ${ip} to any setup
>
> There's no concept of 'setup' with UDP connections. You should find
> that ipfw (perhaps silently?) failed to add this rule, blowing away most
> UDP from your box, including DNS, if I've read your ruleset rightly?
>
> Does the output of 'ipfw list' or 'ipfw show' include that UDP rule?
> 'ipfw -t show | less' is handy to see what's happening, as is tcpdump ..
>
> [..]
>
> > I used to have named set up on my machine, before I upgraded to 4.4R,
> > and I plan to set it up again. However, before I upgraded I was using
> > this rule set, and it did not seem to allow me to access my machine as
> > a name server from another machine. I am not 100% sure that I tested it
>
> !ipfw add 702 count udp from any to any setup
> ipfw: error: unknown argument ``setup''
> usage: ipfw [options] ...
>
> > properly though, so the general question is; should I be able to use
> > this ruleset if I want to use my machine as a name server, ie to be
> > accessed by an external client, and authoritative on a domain or
> > twelve?
>
> Sure. Assuming your NAT etc is configured right, and the Cisco upstream
> is playing fair, you'd be well advised to follow up Dave Raven's message
> re bind setup to allow internal / deny external recursion and transfers.
>
> Of course you'll want to allow xfers as well with outside primaries and
> secondaries, and may need to add ipfw rules for them. We also share
> hosting a few domains with/for friends on lil systems, and log heaps of
> DNS subnet scanning and such, and the occasional poisoning attempt.
>
> man named, /signals .. 'kill -usr1 `cat /var/run/named.pid`' starts then
> increases by 1 the level of named logging, to /var/tmp/named.run - using
> Bind 4 here, adapt to suit - anyway, level 3 is pretty noisy logging of
> all DNS activity for as much bind self-education as you've time for ..
>
> > As someone else mentioned, this is pretty much verbatim from
> > the default rc.firewall.
> >
> > # Allow DNS queries out and in
> > ${fwcmd} add pass tcp from any to ${ip} 53 setup
> > ${fwcmd} add pass udp from any to ${ip} 53
> > ${fwcmd} add pass udp from ${ip} 53 to any
>
> Only the comment differs from the alternatives posted :)
>
> It seems that more than DNS would be affected by a loss of outgoing UDP,
> if that is the case, but then you may have allowed everything else you
> want like quicktime and other streaming protocols (which caught my eye!)
>
> > Thanks much for your reply! I can't wait to get this working.
>
> tcpdump is your good mate. Here 'tcpdump -pen -i tun0 port 53' in a
> window inspires confidence when named's doing its thang.
>
> Cheers, Ian
>
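The check Ian suggests in the quoted message (an ipfw rule that combines `udp` with `setup` is refused at load time, so it silently never appears in `ipfw list`) written out as a small sh script. This is an added example for this archive page, not code from the thread or from FreeBSD's rc.firewall. It keeps the `${fwcmd}` and `${ip}` names from the thread; the address 192.0.2.10 is a constructed placeholder, the `ipfw list` output is a constructed sample, and replacing the broken rule with a stateless pair for the box's own resolver queries is this example's assumption, not something Ian states.

```shell
#!/bin/sh
# Added example for this thread (not Ian's or the FreeBSD rc.firewall code).
# Two checks for the problem Ian describes: a rule with 'udp ... setup' is
# rejected by ipfw, so it never lands in the kernel and 'ipfw list' will not
# show it. lint_udp_setup catches the mistake before loading; missing_rules
# compares the rules you meant to load with a saved 'ipfw list' afterwards.
# ${ip} and ${fwcmd} follow the rc.firewall names used in the thread; the
# address is a constructed placeholder and fwcmd defaults to echo (dry run).

ip="${ip:-192.0.2.10}"
fwcmd="${fwcmd:-echo}"

# The three DNS rules from the thread, plus a stateless pair for the box's own
# resolver queries in place of the broken 'udp ... setup' rule. (That the
# resolver pair is what you want instead is this example's assumption.)
dns_rules() {
    printf '%s\n' \
        "add pass tcp from any to $ip 53 setup" \
        "add pass udp from any to $ip 53" \
        "add pass udp from $ip 53 to any" \
        "add pass udp from $ip to any 53" \
        "add pass udp from any 53 to $ip"
}

# Read rules on stdin; print each one that puts 'setup' on a udp rule.
# Returns 1 if any were found, so it can gate the real load.
lint_udp_setup() {
    found=0
    while IFS= read -r rule; do
        case " $rule " in
            *" udp "*" setup "*)
                printf 'BAD (ipfw will reject): %s\n' "$rule"
                found=1 ;;
        esac
    done
    return "$found"
}

# Normalise a rule for comparison: drop a leading 'add' and/or rule number,
# spell the pass/accept/permit synonyms as 'allow' (what 'ipfw list' prints),
# and squeeze whitespace.
norm_rule() {
    sed -e 's/^[[:space:]]*add[[:space:]][[:space:]]*//' \
        -e 's/^[0-9][0-9]*[[:space:]][[:space:]]*//' \
        -e 's/^pass /allow /' -e 's/^accept /allow /' -e 's/^permit /allow /' \
        -e 's/[[:space:]][[:space:]]*/ /g' -e 's/ *$//'
}

# $1 = intended rules (one per line), $2 = saved output of 'ipfw list'.
# Prints MISSING: for each intended rule absent from the loaded set.
missing_rules() {
    loaded=$(printf '%s\n' "$2" | norm_rule)
    printf '%s\n' "$1" | norm_rule | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$loaded" | grep -Fxq -- "$want" \
            || printf 'MISSING: %s\n' "$want"
    done
}

# Constructed sample: the ruleset as the original poster had it.
BROKEN_RULESET="add pass tcp from any to $ip 53 setup
add pass udp from any to $ip 53
add pass udp from $ip 53 to any
add pass udp from $ip to any setup"

# Constructed sample of what 'ipfw list' would then report: the udp/setup
# rule was refused at load time, so it is simply absent.
SAMPLE_IPFW_LIST="00100 allow ip from any to any via lo0
00200 allow tcp from any to $ip 53 setup
00300 allow udp from any to $ip 53
00400 allow udp from $ip 53 to any
65535 deny ip from any to any"

# Demo: lint the broken set, show what the list is missing, then load (or,
# with fwcmd=echo, print) the corrected rules only if they pass the lint.
printf '%s\n' "$BROKEN_RULESET" | lint_udp_setup || echo "lint: fix the ruleset before loading"
missing_rules "$BROKEN_RULESET" "$SAMPLE_IPFW_LIST"
if dns_rules | lint_udp_setup >/dev/null; then
    dns_rules | while IFS= read -r rule; do $fwcmd $rule; done
fi
```

With `fwcmd=/sbin/ipfw` the last loop loads the corrected rules for real; running `ipfw list > /tmp/loaded` afterwards and feeding that file's contents to `missing_rules` is the same comparison done against a live box instead of the constructed sample.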
