
Re: Paranoid question regarding Bind



On Wed, Oct 31, 2001 at 07:55:27PM -0800, Jacob Meuser wrote:
> On Wed, Oct 31, 2001 at 06:15:54PM -0800, Steve Wingate wrote:
> > I use the built-in BIND on my 2.9 to provide internal DNS, and I have it configured to use my ISP's DNS servers as forwarders. As such, I ONLY need to allow my ISP's DNS servers to contact mine. I use ipf rules like so:
> > 
> > #allow udp dns replies from @home servers
> > pass in quick on fxp0 proto tcp/udp from 24.5.156.15 to a.b.c.d
> > pass in quick on fxp0 proto tcp/udp from 24.5.156.17 to a.b.c.d
> > 
> > a.b.c.d is my public IP address. This prevents anyone else from using my DNS server, I hope. 
> > 
> >
> Shouldn't you also have some kind of 'port' setting there also?
> 
> Can't pf also do stateful udp?  Yes, from pf.conf(5)
> 
>   # pass out all UDP connections and keep state
>   pass out on $ext_if proto udp all keep state

Sure, but remember that UDP is stateless by nature. PF can't know if
a UDP packet sent by A to B two seconds after B sent one to A is a
reply to the first one or something completely different.
Still, it's better than nothing.

-- 
Rémi
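
The thread raises two points about the rules Steve posted: they carry no port restriction, and they do not track state. Below is an added pf.conf fragment (not from any poster in this thread, and not an OpenBSD-supplied configuration) that puts both together for the forwarder setup Steve describes. It assumes the interface name fxp0 and the forwarder addresses 24.5.156.15 and 24.5.156.17 from his message, keeps a.b.c.d as the placeholder for the public address, and uses the explicit `keep state` syntax of pf.conf(5) from the era of this thread (later pf releases make state tracking the default on pass rules, so the keyword becomes optional there).

```pf
# Assumed names; adjust to the real interface and address.
ext_if     = "fxp0"
ext_addr   = "a.b.c.d"                        # placeholder for the public IP
forwarders = "{ 24.5.156.15, 24.5.156.17 }"   # ISP resolvers named in the thread

# Weak form, as posted: any protocol/port from the two addresses is let in,
# so anything that can speak from (or spoof) those addresses reaches every
# service on the host, not just the resolver.
#   pass in quick on $ext_if proto { tcp, udp } from $forwarders to $ext_addr

# Hardened form.
# 1. Nothing from the outside may open a conversation with our resolver
#    on port 53, forwarders included: we query them, not the reverse.
block in on $ext_if proto { tcp, udp } from any to $ext_addr port domain

# 2. Our own queries to the forwarders create state; only packets matching
#    that state (same addresses and ports, inside the state timeout) come back in.
pass out on $ext_if proto udp from $ext_addr to $forwarders port domain keep state
pass out on $ext_if proto tcp from $ext_addr to $forwarders port domain \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then without `-n`. The caveat Rémi gives still applies to the UDP rule: the state entry is just the source and destination address/port pair plus a timeout, so a packet forged to look like it came from a forwarder's port 53 to the exact source port of an outstanding query would be accepted as a reply. Restricting the sources to the two forwarders and the port to 53 shrinks what an attacker has to guess; it does not make UDP stateful. For a resolver that only ever talks to the forwarders, that residual risk is the reason to keep an eye on `pfctl -ss` output and on BIND's own logs rather than trusting the filter alone.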