The IPFW Firewall Rules for a bind DNS are Confusing me.
Martin McCormick
martin at dc.cis.okstate.edu
Fri Jul 27 03:05:10 UTC 2007
I am running FreeBSD 6.2 and have set up bind on several name
servers. This time, I am using the "client" firewall
configuration which is closed for all ports that are not
specifically open.
I put a couple of rules in as follows and they work:
${fwcmd} add pass all from any to ${ip} 53 keep-state
${fwcmd} add pass all from ${ip} to any 53 keep-state
The problem is that they create too many dynamic rules on our
master DNS so I need a less complex rule that leaves the box
wide open both ways on port 53. When I remove the keep-state
directive, it all stops working, or you can see squawks in
the log that the system is having trouble with zone transfers,
etc.
I am confused. Don't I only really need:
${fwcmd} add pass all from any to ${ip} 53
${fwcmd} add pass all from ${ip} to any 53
Thanks for all good suggestions.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group
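The stateless pair above only matches packets whose destination port is 53, so the replies (source port 53, destination an ephemeral port) never match once keep-state is gone. The script below is an added example, not part of the original post or of any rc.firewall shipped with FreeBSD: it emits the four stateless rules DNS needs in both directions, using the post's `${fwcmd}` and `${ip}` conventions. The server address 192.0.2.53 is a constructed placeholder; `fwcmd` defaults to `echo ipfw` so the rules can be previewed without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): stateless ipfw rules for a
# BIND server, replacing the keep-state pair from the mailing-list post.
# Assumptions: ${ip} is the server's address and ${fwcmd} is "ipfw" in
# rc.firewall. Here fwcmd defaults to "echo ipfw" for a dry run.

fwcmd=${fwcmd:-"echo ipfw"}

# Emit the four stateless rules needed for DNS both ways.
# "all" with a port spec matches only TCP and UDP in ipfw, which covers
# both normal queries and TCP zone transfers.
dns_stateless_rules() {
    ip="$1"
    # Inbound queries and zone-transfer requests to this server ...
    ${fwcmd} add pass all from any to "${ip}" 53
    # ... and the server's replies to them (source port 53).
    ${fwcmd} add pass all from "${ip}" 53 to any
    # Outbound queries, NOTIFYs and zone-transfer requests from this server ...
    ${fwcmd} add pass all from "${ip}" to any 53
    # ... and the replies, which arrive with source port 53.
    # Caveat: without the destination range this would admit any packet
    # with source port 53 to any port on ${ip}; limiting the destination
    # to the ephemeral range narrows that hole.
    ${fwcmd} add pass all from any 53 to "${ip}" 1024-65535
}

# Count the rules the function emits (dry run), for a quick sanity check.
dns_rule_count() {
    (fwcmd=echo; dns_stateless_rules "$1") | grep -c 'add pass'
}

# Preview the rule set for the constructed placeholder address.
dns_stateless_rules "${ip:-192.0.2.53}"
```

If the only concern is the size of the dynamic rule table rather than the stateless rules themselves, FreeBSD's ipfw also lets you raise the limit with the `net.inet.ip.fw.dyn_max` sysctl instead of abandoning keep-state.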