Re: Paranoid question regarding Bind
- To: misc@openbsd.org, Jacob Meuser <jakemsr@jakemsr.com>
- Subject: Re: Paranoid question regarding Bind
- From: SLaSH <slash@arbornet.org>
- Date: Thu, 01 Nov 2001 07:46:47 -0600
- References: <Pine.BSO.4.33.0110311005180.26823-100000@campus.iztacala.unam.mx> <20011031181554.661a899a.steve@velosystems.net> <20011031195527.A2784@granitesky.com>
YES!
53!
> #allow udp dns replies from @home servers
> pass in quick on fxp0 proto tcp/udp from 24.5.156.15 to a.b.c.d port=53
> pass in quick on fxp0 proto tcp/udp from 24.5.156.17 to a.b.c.d port=53
I do not even allow TCP on port 53, since I don't do zone transfers, AND I
use stateful rules. In other words:
pass out quick on fxp0 proto tcp/udp from a.b.c.d to 24.5.156.17 port=53 keep state
This will implicitly open the "pass in" for related packets. Now even if
your ISP messed up, you would still be protected (one could of course
write a malicious BIND daemon!).
Hope this helps,
/marco
----- Original Message -----
From: "Jacob Meuser" <jakemsr@jakemsr.com>
To: <misc@openbsd.org>
Sent: Wednesday, October 31, 2001 9:55 PM
Subject: Re: Paranoid question regarding Bind
On Wed, Oct 31, 2001 at 06:15:54PM -0800, Steve Wingate wrote:
> I use the built-in BIND on my 2.9 to provide internal DNS, and I have
> it configured to use my ISP's DNS servers as forwarders. As such, I ONLY
> need to allow my ISP's DNS servers to contact mine. I use ipf rules like
> so:
>
> #allow udp dns replies from @home servers
> pass in quick on fxp0 proto tcp/udp from 24.5.156.15 to a.b.c.d
> pass in quick on fxp0 proto tcp/udp from 24.5.156.17 to a.b.c.d
>
> a.b.c.d is my public IP address. This prevents anyone else from using
> my DNS server, I hope.
>
Shouldn't you also have some kind of 'port' setting there?
Can't pf also do stateful udp? Yes, from pf.conf(5)
# pass out all UDP connections and keep state
pass out on $ext_if proto udp all keep state
--
<jakemsr@clipper.net>
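For reference, here is the complete ruleset the thread converges on, written out as an ipf.rules fragment. This is an added example, not a ruleset posted by anyone in the thread; it reuses the interface name fxp0, the placeholder address a.b.c.d and the two forwarder addresses from Steve's mail, and assumes a plain ipf last-match ruleset with the default-deny placed first.

```ipf
# ipf.rules fragment -- added example, not from the thread.
# Assumed: external interface fxp0, own public address a.b.c.d,
# ISP forwarders 24.5.156.15 and 24.5.156.17 (addresses taken from the thread).

# --- Weak: the original "pass in" rules ---
# Any packet whose source address is a forwarder reaches ANY port on a.b.c.d,
# and that source address is trivially spoofable, so this is not a DNS rule
# at all but a host-wide hole.
#   pass in quick on fxp0 proto tcp/udp from 24.5.156.15 to a.b.c.d
#   pass in quick on fxp0 proto tcp/udp from 24.5.156.17 to a.b.c.d

# --- Corrected: default deny inbound, stateful outbound queries ---
# No "quick" here: ipf is last-match, so later "pass in" rules for other
# services can still override this default.
block in log on fxp0 all

# Our resolver may query the forwarders on UDP 53. "keep state" records the
# full src/dst address and port tuple; ipf consults the state table before
# the rules, so only the matching reply is let back in. A spoofed reply must
# therefore come from the forwarder's address, source port 53, and hit the
# exact ephemeral port the resolver used for that query.
pass out quick on fxp0 proto udp from a.b.c.d to 24.5.156.15 port = 53 keep state
pass out quick on fxp0 proto udp from a.b.c.d to 24.5.156.17 port = 53 keep state

# Caveat: an answer larger than 512 bytes comes back truncated (TC bit) and
# the resolver retries over TCP. If that matters, add TCP with the same
# stateful pattern; "flags S" creates state only on the initial SYN.
#   pass out quick on fxp0 proto tcp from a.b.c.d to 24.5.156.15 port = 53 flags S keep state
#   pass out quick on fxp0 proto tcp from a.b.c.d to 24.5.156.17 port = 53 flags S keep state

# Deliberately absent: any "pass in ... port = 53". Nothing on the Internet
# can reach the resolver directly, so it cannot be abused as an open
# recursive server even if the ISP's addresses change or are spoofed.
```

The design point is the one Marco makes: the inbound side is never opened by hand, only by state created from the outbound query, so correctness no longer depends on getting the ISP's address list right. If the forwarders ever change, the outbound rules stop matching and queries fail closed rather than leaving a stale "pass in" behind.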