Subject: Re: IPFW rules for DNS?
From: Mike Tancsa (mike@sentex.net)
Date: Mon Jun 12 2000 - 20:42:05 CDT


At 06:42 PM 6/12/2000 -0700, Hugh Ho wrote:
>I need to do nslookup quite often, and I have the following IPFW rules which
>allow nslookup to talk to my ISP's DNS server:
>
> allow udp from ${my_ip} to ${dns_server} 53
> allow udp from ${dns_server} 53 to ${my_ip}
>
>Problem with the above rules is that people can pass IPFW if they use UDP port
>53 with a spoofed IP that matches my ISP's DNS server. Is there a way to fix my problem?

Sadly no. However, your ISP should be at least blocking spoofed addresses
from the outside world from coming into their network. But that does not
of course prevent other users from inside from doing so. Make sure bind is
running in its own sandbox in case you are not doing so already.

         ---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
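Added example (not from this thread, and not ipfw itself): a small Python model of the two stateless rules quoted above beside a stateful equivalent in the style of ipfw's keep-state / check-state dynamic rules. It shows that the stateless reply rule accepts any UDP packet whose forged source is ${dns_server}:53, while a dynamic entry created by the outbound query only admits the packet that reverses that exact 4-tuple. The addresses are constructed placeholders, and dynamic-rule expiry is not modelled.

```python
from collections import namedtuple

# Constructed packet model: ipfw evaluates rules first-match, as done here.
Packet = namedtuple("Packet", "src sport dst dport")

MY_IP = "192.0.2.10"          # constructed placeholder for ${my_ip}
DNS_SERVER = "198.51.100.53"  # constructed placeholder for ${dns_server}


def stateless_allows(pkt):
    """The two rules quoted in the thread: anything from the DNS server's
    address with source port 53 is accepted, whether or not we asked."""
    if pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53:
        return True
    if pkt.src == DNS_SERVER and pkt.sport == 53 and pkt.dst == MY_IP:
        return True
    return False


class StatefulFilter:
    """Models 'check-state' followed by
    'allow udp from ${my_ip} to ${dns_server} 53 keep-state': an outbound
    query installs a dynamic entry keyed on the full 4-tuple, and only the
    packet that reverses that tuple is let back in."""

    def __init__(self):
        self.dynamic = set()

    def allows(self, pkt):
        # check-state: is this the reply to a query we actually sent?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic:
            return True
        # keep-state rule: an outbound query creates the dynamic entry
        if pkt.src == MY_IP and pkt.dst == DNS_SERVER and pkt.dport == 53:
            self.dynamic.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def demo():
    """Run one query/reply pair and one forged packet through both filters."""
    query = Packet(MY_IP, 40123, DNS_SERVER, 53)
    reply = Packet(DNS_SERVER, 53, MY_IP, 40123)
    spoofed = Packet(DNS_SERVER, 53, MY_IP, 111)  # forged source, no query
    sf = StatefulFilter()
    return {
        "stateless_reply": stateless_allows(reply),
        "stateless_spoofed": stateless_allows(spoofed),   # passes: the problem
        "stateful_unsolicited": sf.allows(reply),         # no query yet
        "stateful_query": sf.allows(query),
        "stateful_reply": sf.allows(reply),
        "stateful_spoofed": sf.allows(spoofed),           # dropped
    }
```

A dynamic entry still admits a forged packet that happens to match an outstanding query's source port, so this narrows the window rather than authenticating the reply.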

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message