Strict Linux/ipchains firewall and BIND
Steve Snyder
swsnyder at home.com
Thu Oct 21 15:06:34 UTC 1999
I am setting up what I hope is a strict firewall on my LAN's
Linux-based server. That is, I intend to be *very* specific in what
traffic is allowed from whom on which network ports.
The server for my small LAN runs a nameserver (BIND v8.2.1). Client
machines on the LAN query my nameserver, which (if the IP address
isn't already cached and the name is not a local machine) in turn
queries one or both of my ISP's two nameservers.
Can I cover all the bases by only allowing port 53 access from my 2
ISP nameservers and from the root nameservers? Basically I want to
keep the occurrences of input-from-any-address rules to a bare
minimum. With that in mind, please take a look at the configuration
below and advise me if I am restricting DNS traffic somehow.
Note that the IP addresses listed on the forwarders{} statement below
are also found in /etc/resolv.conf and are thus included in the
ipchains ruleset.
This is a fragment of my /etc/named.conf:
options {
        directory "/var/named/snydernet";
        transfer-format many-answers;
        query-source address * port 53;
        allow-query { 127.0.0.1; 192.168.0/24; };
        listen-on { 127.0.0.1; 192.168.0.12; };
        forward first;
        forwarders { 111.222.333.444; 555.666.777.888; };
};
and these are the rules I expect to use to allow DNS traffic:
# ISP nameservers (the forwarders): UDP and TCP, port 53 on both ends,
# matching the "query-source ... port 53" setting in named.conf
for NS in `grep "nameserver 24." /etc/resolv.conf | cut -d ' ' -f 2` ; do
        # UDP queries out / replies in
        ipchains -A input  -i $EXTRN_IFACE -p udp \
                -s $NS 53 -d $IPADDR 53 -j ACCEPT
        ipchains -A output -i $EXTRN_IFACE -p udp \
                -s $IPADDR 53 -d $NS 53 -j ACCEPT
        # TCP (large answers): allow the connection we opened, but no
        # inbound SYNs from the nameserver ("! -y")
        ipchains -A input  -i $EXTRN_IFACE -p tcp ! -y \
                -s $NS 53 -d $IPADDR 53 -j ACCEPT
        ipchains -A output -i $EXTRN_IFACE -p tcp \
                -s $IPADDR 53 -d $NS 53 -j ACCEPT
done

# root nameservers (addresses taken from the root hints file): UDP only,
# remote port 53, local side on the unprivileged port range
for NS in `grep "IN A" /var/named/snydernet/db.cache | cut -f 3` ; do
        ipchains -A input  -i $EXTRN_IFACE -p udp \
                -s $NS 53 -d $IPADDR $UNPRIVPORTS -j ACCEPT
        ipchains -A output -i $EXTRN_IFACE -p udp \
                -s $IPADDR $UNPRIVPORTS -d $NS 53 -j ACCEPT
done
Any thoughts on this tentative configuration? Am I restricting DNS
traffic somehow? Is there a way to restrict packet traffic further
without compromising name resolution?
Thank you.
*** Steve Snyder ***
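The ruleset above hand-codes the local port twice (53 for the forwarders, $UNPRIVPORTS for the root servers) while named.conf fixes the query source port in one place. The script below is an added example, not part of Steve's post: it derives the root-server and forwarder addresses with awk (so it does not depend on whether db.cache is tab- or space-separated, and skips comment lines), takes the local port from a single variable that is meant to agree with the query-source statement, and prints the ipchains commands instead of running them so the generated rules can be reviewed before they are loaded. The interface name, host address, and the db.cache and resolv.conf contents are constructed placeholders.

```shell
#!/bin/sh
# Assumed placeholders for the firewall host (not from the original post).
EXTRN_IFACE=eth0
IPADDR=198.51.100.12

# Must agree with "query-source address * port 53" in named.conf; if the
# rules name a different local port than named actually uses, the replies
# are dropped and resolution fails for exactly the servers you allowed.
LOCAL_PORT=53

# Constructed sample of a root hints file in the classic db.cache layout.
# The addresses are TEST-NET placeholders, not real root servers.
DB_CACHE_SAMPLE='; constructed root hints sample
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4

.                        3600000  IN  NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.107'

# Constructed sample of /etc/resolv.conf listing two ISP nameservers.
RESOLV_SAMPLE='search example.net
nameserver 203.0.113.1
nameserver 203.0.113.2'

# Print the addresses of every A record in root-hints text read from stdin,
# one per line. Comment lines (leading ";") and short lines are ignored.
hint_addresses() {
    awk 'NF >= 4 && $1 !~ /^;/ && $(NF-1) == "A" { print $NF }'
}

# Print the nameserver addresses from resolv.conf text read from stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Emit one input and one output ipchains rule for DNS between this host and
# a remote nameserver.  $1 = remote address, $2 = local port spec, $3 = udp|tcp.
# For TCP the input rule carries "! -y" so only the connections this host
# opened are accepted, as in the original ruleset.
dns_rules() {
    syn_guard=""
    if [ "$3" = tcp ]; then
        syn_guard="! -y "
    fi
    echo "ipchains -A input -i $EXTRN_IFACE -p $3 ${syn_guard}-s $1 53 -d $IPADDR $2 -j ACCEPT"
    echo "ipchains -A output -i $EXTRN_IFACE -p $3 -s $IPADDR $2 -d $1 53 -j ACCEPT"
}

# Generate the complete DNS ruleset: forwarders get UDP and TCP, root
# servers get UDP only, and every rule uses the same local port.
generate_ruleset() {
    printf '%s\n' "$RESOLV_SAMPLE" | resolv_nameservers | while read -r ns; do
        dns_rules "$ns" "$LOCAL_PORT" udp
        dns_rules "$ns" "$LOCAL_PORT" tcp
    done
    printf '%s\n' "$DB_CACHE_SAMPLE" | hint_addresses | while read -r ns; do
        dns_rules "$ns" "$LOCAL_PORT" udp
    done
}

# Run stand-alone to print the rules for review; pipe into sh to apply them.
generate_ruleset
```

Generating the rules from the hints file rather than typing the addresses keeps the firewall in step with the zone data, and checking the printed output for the expected number of input rules (one per server per protocol) is a quick way to catch a parsing mistake before the rules go live.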