IPFW & uid bind

besen-wesen at gmx.net besen-wesen at gmx.net
Tue Jun 1 07:02:44 PDT 2004


Hello,

my firewall's security policy is supposed to allow outgoing connections to
port 53 (DNS) only from 'named' on localhost. Normally IPFW should be able
to do that just fine, since named runs as user and group 'bind' and IPFW can
handle local packets based on uid's or gid's.

Everything else works just fine. One can reduce the problem to this easily
verifiable rule:

# ipfw add 300 count log ip from any to any uid bind

Named indeed does run as bind:

box# ps x -U bind
  PID  TT  STAT      TIME COMMAND
  108  ??  Is     0:01.07 /usr/sbin/named -u bind -g bind

But IPFW neither counts nor logs anything when doing DNS lookups:

# nslookup www.xyz.com

Instead, filtering based on uid 'root' does work and produces a lot of
occurrences:

# ipfw add 300 count log ip from any to any uid root

So what's the matter with 'bind' and IPFW?

Regards,

Besen-Wesen
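As an added illustration (not part of the original post or of FreeBSD's own tooling), the script below expresses the policy the post describes as an IPFW ruleset, and shows how to read the packet counters that `ipfw -a list` prints so that the `count` probe from the post can be checked mechanically. The `uid`/`gid` keywords match on the credential attached to the local socket a packet belongs to, so a `count` rule on `uid bind` is the right probe: if its counter stays at zero while a `uid root` rule fires, the sockets are not credited to `bind`. The rule numbers, the `rule_packet_count` helper and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example; not from the original post. Emits IPFW rules for the policy
# "only named, running as uid bind, may send DNS out" and parses an
# `ipfw -a list` listing for a rule's packet counter.
# Assumption: rule numbers 300-321 are free on the firewall host.

# Print the ruleset. Pipe into `sh` on the firewall host to apply it.
dns_egress_rules() {
    cat <<'EOF'
ipfw add 300 count log ip from any to any uid bind
ipfw add 310 allow udp from me to any 53 out uid bind
ipfw add 311 allow tcp from me to any 53 out uid bind
ipfw add 320 deny log udp from any to any 53 out
ipfw add 321 deny log tcp from any to any 53 out
EOF
}

# Read `ipfw -a list` output on stdin and print the packet counter of rule $1.
# With -a, each line is: <rule> <packets> <bytes> <action> ...
rule_packet_count() {
    awk -v rule="$1" '$1 == rule { print $2; exit }'
}

# Constructed sample of `ipfw -a list` output: the uid bind rules never fired,
# the catch-all deny did, which is the symptom described in the post.
SAMPLE_LISTING='00300        0          0 count log ip from any to any uid bind
00310        0          0 allow udp from me to any dst-port 53 out uid bind
00320       42       3024 deny log udp from any to any dst-port 53 out
65535     1234     567890 allow ip from any to any'

# Packet counter of one rule in the constructed sample.
sample_count() {
    printf '%s\n' "$SAMPLE_LISTING" | rule_packet_count "$1"
}

main() {
    echo "# ruleset:"
    dns_egress_rules
    echo "# rule 300 (count uid bind) packets: $(sample_count 300)"
    echo "# rule 320 (deny DNS out) packets:   $(sample_count 320)"
}

main "$@"
```

On a live host, replace `SAMPLE_LISTING` with the output of `ipfw -a list` (or pipe it straight into `rule_packet_count 300`) after running a lookup such as `nslookup`; a zero counter on rule 300 with a growing counter on rule 320 reproduces the behaviour reported above.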
