The IPFW Firewall Rules for a bind DNS are Confusing me.
Mark Andrews
Mark_Andrews at isc.org
Fri Jul 27 04:44:55 UTC 2007
> I am running Freebsd6.2 and have set up bind on several name
> servers. This time, I am using the "client" firewall
> configuration which is closed for all ports that are not
> specifically open.
>
> I put a couple of rules in as follows and they work:
>
> ${fwcmd} add pass all from any to ${ip} 53 keep-state
> ${fwcmd} add pass all from ${ip} to any 53 keep-state
>
> The problem is that they create too many dynamic rules on our
> master DNS so I need a less complex rule that leaves the box
> wide open both ways on port 53. When I remove the keep-state
> directive, it all stops working at all or you can see squawks in
> the log that the system is having trouble with zone transfers,
> etc.
>
> I am confused. Don't I only really need:
No. You need to allow the reply traffic.
Traffic from outside
> ${fwcmd} add pass all from any to ${ip} 53
${fwcmd} add pass all from ${ip} 53 to any   # allow reply traffic
Traffic you generate
> ${fwcmd} add pass all from ${ip} to any 53
${fwcmd} add pass all from any 53 to ${ip}   # allow reply traffic
Note I would lock down the query source port and
add it to "${ip}" -> "${ip} port" or use keep-state and drop
the second rule. If you use query-source port 53 you
can get away with just the first two rules.
> Thanks for all good suggestions.
>
>
> Martin McCormick WB5AGZ Stillwater, OK
> Systems Engineer
> OSU Information Technology Department Network Operations Group
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
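The stateless rule set Mark describes, with the query source port pinned, written out as an added example (this is not code from the thread or from ISC). It assumes named.conf pins the port with "query-source address <ip> port <qport>;" (and, for a server that initiates transfers or NOTIFYs, transfer-source / notify-source likewise), and it only prints the rules unless FWCMD is set to a real ipfw command:

```shell
#!/bin/sh
# Dry run by default: set FWCMD="ipfw -q" on the FreeBSD box to apply.
fwcmd="${FWCMD:-echo}"

# dns_rules IP QPORT: print one ipfw rule body per line.
# IP is the server address, QPORT the pinned query source port (assumed values).
dns_rules() {
    ip="$1"; qport="$2"
    # Traffic from outside: queries, NOTIFY and AXFR requests to our port 53,
    # plus the replies we send back (no keep-state, so the reverse rule is explicit).
    printf '%s\n' "pass all from any to $ip 53"
    printf '%s\n' "pass all from $ip 53 to any"
    # Traffic we generate: queries to other servers' port 53 and their replies.
    # With the source port pinned, only "$ip $qport" is opened rather than all of
    # "$ip to any 53".  When qport is 53 the two rules above already cover it.
    if [ "$qport" != 53 ]; then
        printf '%s\n' "pass all from $ip $qport to any 53"
        printf '%s\n' "pass all from any 53 to $ip $qport"
    fi
}

# apply_rules IP QPORT: hand each rule to ipfw (or echo it in a dry run).
apply_rules() {
    dns_rules "$1" "$2" | while IFS= read -r rule; do
        # word-splitting of $rule is intended: ipfw takes the rule as separate args
        # shellcheck disable=SC2086
        $fwcmd add $rule
    done
}

apply_rules 192.0.2.53 5353   # constructed sample address and port
```

Pinning the query source port also gives up BIND's source-port randomisation, which is part of a resolver's defence against cache poisoning, so on a server that queries the Internet the keep-state form is the safer trade; the fixed-port rules fit best on an authoritative-only master.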