Is this a safe ipfilter rule?
Giorgos Keramidas
keramida at ceid.upatras.gr
Mon Jul 12 23:30:14 PDT 2004
On 2004-07-12 23:15, Luke <luked at pobox.com> wrote:
> This is the scariest of these rules:
> pass in quick proto udp from ip.of.remote.DNS/32 port = 53 to any
Well, paranoia is ok sometimes. At least, as long as it doesn't stop
you from doing your work ;-)
However, given a good named setup (ACLs in named.conf that make sure no
transfers or queries are allowed to anyone, except for those that really
need to ask *your* named) you shouldn't have serious problems even with
rules like these:
pass in quick proto udp from any port = 53 to any
pass in quick proto udp from any to any port = 53
pass out quick proto udp from any port = 53 to any
pass out quick proto udp from any to any port = 53
> Is this safe?
It depends on the setup of your named, I guess.
> pass out quick proto udp from my.internal.address.range to any keep state
> [...] However, I have a problem with that [...]
If stateful UDP:53 is a problem because of the load you have, you might
want to consider the following setup:
- Allow all packets to/from port 53 of your ISP's named (without
keeping state information in the firewall).
- Set up your ISP's named as a "forwarder".
Giorgos
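To make the difference between the "scary" rule and the pinned variant concrete, here is an added example (not from this thread, and not ipfilter's own code): a toy first-match evaluator with ipfilter-like `quick` semantics, run over constructed UDP packets. The `pass in quick proto udp from any port = 53 to any` rule is compared with one restricted to the ISP resolver's address and the internal range, as the reply suggests. `192.0.2.53`, `198.51.100.0/24` and `203.0.113.9` are placeholder addresses standing in for `ip.of.remote.DNS`, `my.internal.address.range` and an unrelated outside host; `keep state` is deliberately not modelled, since the point is the stateless setup.

```python
"""Toy ipfilter-style rule matcher (added example, not from the thread).

Compares the loose 'from any port = 53' rule with a rule pinned to the
ISP's resolver, using constructed packets and placeholder addresses.
Only stateless 'quick' rules are modelled: first match decides, default block.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    proto: str             # "udp" / "tcp"
    src_net: str           # CIDR; "0.0.0.0/0" stands for "any"
    sport: Optional[int]   # None means any source port
    dst_net: str
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet, direction: str) -> bool:
        if direction != self.direction or pkt.proto != self.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def first_match(rules, pkt: Packet, direction: str) -> str:
    """'quick' semantics: the first matching rule decides; nothing matched -> block."""
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action
    return "block"


ANY = "0.0.0.0/0"
ISP_DNS = "192.0.2.53"          # placeholder for ip.of.remote.DNS
INTERNAL = "198.51.100.0/24"    # placeholder for my.internal.address.range

# The rule Luke called the scariest: any host, as long as it sends from port 53.
LOOSE = [Rule("pass", "in", "udp", ANY, 53, ANY, None)]
# Stateless, but pinned to the ISP resolver and to the internal range.
PINNED = [Rule("pass", "in", "udp", ISP_DNS + "/32", 53, INTERNAL, None)]


def loose_vs_pinned(pkt: Packet) -> tuple:
    """Return (verdict under LOOSE, verdict under PINNED) for an inbound packet."""
    return first_match(LOOSE, pkt, "in"), first_match(PINNED, pkt, "in")


if __name__ == "__main__":
    # Constructed sample packets: a real reply from the ISP resolver, and an
    # unrelated host that merely chose 53 as its source port.
    reply = Packet("udp", ISP_DNS, 53, "198.51.100.10", 34567)
    stranger = Packet("udp", "203.0.113.9", 53, "198.51.100.10", 22)
    for p in (reply, stranger):
        print(p.src, "->", p.dst, p.dport, loose_vs_pinned(p))
```

The pinned rule still lets every UDP datagram from the resolver's port 53 reach any internal port (that is the price of dropping `keep state`), but it no longer admits arbitrary hosts that simply set source port 53, which is the exposure the loose rule has.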