Firewall Setup?

Mark_Andrews at isc.org
Tue Dec 30 22:22:53 UTC 2003


> We run our own Primary & Secondary DNS servers which are behind a firewall. The
> name servers contain dns info for a few websites which are also located behind
> this firewall. Basically, we need the following:
> 
> 1. Allow the outside world to contact our dns servers for dns information for
> only the sites which our dns server is responsible for (I've also set up
> allow-query in named.conf to combat this).
> 
> 2. Also need to allow local network users (behind the firewall) to use the dns
> servers to browse the internet and send out e-mail. So, the dns servers behind
> our firewall will need to have access to go outside our network to resolve
> domains.
> 
> Incoming Traffic:
> 
> Rule #1:
>    Allow incoming  TCP  s-port=NC   d-port=53  ->  IP of NS
> 
> Rule #2:
>    Allow incoming  UDP  s-port=NC   d-port=53  ->  IP of NS
> 
> Rule #3:
>    Allow incoming  UDP  s-port=53   d-port=NC  ->  entire network
> 
> Outgoing Traffic:
> 
> Rule #4:
>    Allow outgoing  TCP  s-port=53   d-port=NC  ->  Our DNS IP
> 
> Rule #5:
>    Allow outgoing  UDP  s-port=53   d-port=NC  ->  Our DNS IP
> 
> Rule #6:
>    Allow outgoing  UDP  s-port=NC   d-port=53  ->  Internet
> 
> --------
> I'm not sure if this is what I need or if I messed it all up. I'm especially
> not clear if I need the UDP rules. The one that really scares me is Rule #3,
> which I'm not sure if I even need, but I think I need it to allow local users
> to fetch information from other dns servers. But then again, don't local users
> query our local dns server, which queries other dns servers, which send the
> response back to the local dns server, which sends the info to the local user?
> Did I lose you...because I'm lost myself! ;-)

	I would suggest that you invest in a stateful firewall if
	rule 3 worries you.

		allow tcp from any to <nameserver> port 53 keep-state in setup
		// Note: we are not keeping state on UDP queries to our server
		// or the replies to avoid DoS attacks on the firewall.
		// Order is important.
		allow udp from any to <nameserver> port 53 in
		allow udp from <nameserver> port 53 to any out
		// keep state for queries we generate
		allow tcp from any to any port 53 keep-state out setup
		allow udp from any to any port 53 keep-state out

	If you don't want to keep state on TCP then you should
	permit established connections to continue.

		// allow established connection to continue
		allow tcp from any to any established
		allow tcp from any to <nameserver> port 53 in setup
		allow udp from any to <nameserver> port 53 in
		allow udp from <nameserver> port 53 to any out
		allow tcp from any to any port 53 out setup
		// keep state for UDP queries we generate
		allow udp from any to any port 53 keep-state out

	If you want to further reduce the amount of state in the
	firewall you can force the nameserver to make its UDP queries
	using port 53 (see query-source).

		match
			allow udp from <nameserver> port 53 to any out
		rather than
			allow udp from any to any port 53 keep-state out

	You also don't need to allow replies to any port in rule 3.
	Find out which range of ports your OS uses when assigning
	ports itself and use that range.
 
> Any help is greatly appreciated and if something is unclear, please ask and
> I'll be more than happy to clarify.
> 
> Thanks,
> 
> SW
> 
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
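As an added illustration, not part of the original thread, here is a small Python model of the UDP part of the first stateful ruleset above, run over constructed packets. Addresses, ports and the Pkt/StatefulFirewall names are assumptions made for the example; the packets the original rule 3 would have admitted are the ones this ruleset rejects.

```python
from collections import namedtuple

# Constructed addresses (RFC 5737 documentation ranges) for the example.
NS = "192.0.2.53"  # our nameserver, "<nameserver>" in the rules above
Pkt = namedtuple("Pkt", "proto src sport dst dport direction")  # direction: "in" / "out"


class StatefulFirewall:
    """UDP rules of the first ruleset, evaluated in the order given. Queries to
    the nameserver and its answers are stateless; queries the nameserver sends
    out create a state entry, and only the matching reply is let back in."""

    def __init__(self):
        self.state = set()  # (local_ip, local_port, remote_ip, remote_port)

    def allow(self, p):
        if p.proto != "udp":
            return False  # TCP rules are not modelled here
        # allow udp from any to <nameserver> port 53 in   (no state kept)
        if p.direction == "in" and p.dst == NS and p.dport == 53:
            return True
        # allow udp from <nameserver> port 53 to any out  (no state kept; it must
        # precede the keep-state rule or every answer we send would create state)
        if p.direction == "out" and p.src == NS and p.sport == 53:
            return True
        # allow udp from any to any port 53 keep-state out
        if p.direction == "out" and p.dport == 53:
            self.state.add((p.src, p.sport, p.dst, p.dport))
            return True
        # dynamic rule created by keep-state: only the matching reply gets back in
        if p.direction == "in" and (p.dst, p.dport, p.src, p.sport) in self.state:
            return True
        return False  # everything else, including unsolicited UDP from port 53


def scenario():
    """Run constructed packets through the ruleset and return each verdict."""
    fw = StatefulFirewall()
    outside, other, host = "198.51.100.7", "203.0.113.9", "192.0.2.20"
    return {
        # an outside resolver queries our zone and gets an answer: stateless
        "inbound_query": fw.allow(Pkt("udp", outside, 40000, NS, 53, "in")),
        "our_answer": fw.allow(Pkt("udp", NS, 53, outside, 40000, "out")),
        # our nameserver recurses from an ephemeral port: creates state
        "recursive_query": fw.allow(Pkt("udp", NS, 51234, other, 53, "out")),
        "matching_reply": fw.allow(Pkt("udp", other, 53, NS, 51234, "in")),
        # what the original rule 3 would have admitted: UDP from port 53 to a host
        # that never asked, and a "reply" from a server the nameserver never queried
        "unsolicited_to_host": fw.allow(Pkt("udp", other, 53, host, 51234, "in")),
        "reply_from_wrong_server": fw.allow(Pkt("udp", "203.0.113.10", 53, NS, 51234, "in")),
    }
```

With query-source set to port 53 as suggested later in the reply, the recursive query would instead match the stateless "from <nameserver> port 53 to any out" rule and its reply the stateless inbound rule, so no dynamic entry is created at all.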

