Firewalling DNS jails
Jeremie Le Hen
jeremie at le-hen.org
Sat Feb 17 18:52:08 UTC 2007
Hi there,
I have two jails with named(8) running on my server.
- The first one (dns_int) is used as a resolver for my local network,
and also serves the zone addressing it.
- The second one (dns_ext) is used to serve my zones on the Internet
side.
I want to know if the following rules are secure enough and if they
can be tightened regarding the DNS protocol and the policy I've set up.
=== 8< === 8< === 8< ===
# resolver jail: queries from the LAN in, recursion out to anywhere
pass in inet proto { tcp, udp } from $local_net to $dns_int port domain keep state
pass out inet proto { tcp, udp } from $dns_int to any port domain keep state
# authoritative jail: queries from anywhere in, outbound only towards non-LAN hosts
pass in inet proto { tcp, udp } from any to $dns_ext port domain keep state
pass out inet proto { tcp, udp } from $dns_ext to !$local_net port domain keep state
=== 8< === 8< === 8< ===
Thank you.
PS: If you know about problems using the same nameserver for resolving
and serving my internal zone, please let me know as well.
Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
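As an added example (not part of Jeremie's post), here is how the same two-jail policy could be written as a fuller pf.conf fragment, tightened along the lines a reviewer would suggest: a default-deny base, per-interface rules, separate TCP and UDP entries with state created only on the initial SYN, recursion from dns_int allowed only towards the Internet, and outbound traffic from dns_ext restricted to a table of known secondary servers. The interface names, the addresses and the contents of the <secondaries> table are assumed placeholders; it also assumes the jail addresses are aliases on the host's interfaces so that the host's pf sees their traffic.

```pf
# Added example, not the original poster's ruleset.
# Interfaces and addresses below are placeholders.
ext_if    = "em0"
int_if    = "em1"
local_net = "192.0.2.0/24"        # placeholder LAN
dns_int   = "192.0.2.53"          # placeholder resolver jail
dns_ext   = "198.51.100.53"       # placeholder authoritative jail
table <secondaries> { 203.0.113.10 }   # placeholder: hosts that may receive NOTIFY / pull AXFR

set skip on lo0
block log all                      # default deny in both directions

# Resolver jail: accept queries from the LAN only, over UDP and TCP
# (TCP is needed for truncated answers and zone data larger than 512 bytes).
pass in on $int_if inet proto udp from $local_net to $dns_int port domain keep state
pass in on $int_if inet proto tcp from $local_net to $dns_int port domain flags S/SA keep state

# Resolver jail: recursion goes out the external interface only, never back into the LAN.
pass out on $ext_if inet proto udp from $dns_int to !$local_net port domain keep state
pass out on $ext_if inet proto tcp from $dns_int to !$local_net port domain flags S/SA keep state

# Authoritative jail: anyone on the Internet may query it.
pass in on $ext_if inet proto udp from any to $dns_ext port domain keep state
pass in on $ext_if inet proto tcp from any to $dns_ext port domain flags S/SA keep state

# Authoritative jail: it never needs to resolve, so the only traffic it may
# initiate is towards its secondaries (NOTIFY over UDP, AXFR over TCP).
pass out on $ext_if inet proto udp from $dns_ext to <secondaries> port domain keep state
pass out on $ext_if inet proto tcp from $dns_ext to <secondaries> port domain flags S/SA keep state

# Authoritative jail must never talk to the LAN; the default block already
# covers this, but an explicit rule makes the intent visible in pfctl -sr.
block out quick on $int_if from $dns_ext to $local_net
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and use `pfctl -sr` to confirm the expanded TCP/UDP rules are what you expect. Replies to the inbound queries are matched by the state created on the `pass in` rules, which is why neither jail needs a general `pass out ... to any` rule.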
More information about the freebsd-net mailing list