Firewall Setup?
Mark_Andrews at isc.org
Tue Dec 30 22:22:53 UTC 2003
> We run our own Primary & Secondary DNS servers which are behind a firewall. The
> name servers contain dns info for a few websites which are also located behind
> this firewall. Basically, we need the following:
>
> 1. Allow the outside world to contact our dns servers for dns information for
> only the sites which our dns server is responsible for (I've also set up
> allow-query in named.conf to combat this).
>
> 2. Also need to allow local network users (behind the firewall) to use the dns
> servers to browse the internet and send out e-mail. So, the dns servers behind
> our firewall will need to have access to go outside our network to resolve
> domains.
>
> Incoming Traffic:
>
> Rule #1:
> Allow incoming TCP s-port=NC d-port=53 -> IP of NS
>
> Rule #2:
> Allow incoming UDP s-port=NC d-port=53 -> IP of NS
>
> Rule #3:
> Allow incoming UDP s-port=53 d-port=NC -> entire network
>
> Outgoing Traffic:
>
> Rule #4:
> Allow outgoing TCP s-port=53 d-port=NC -> Our DNS IP
>
> Rule #5:
> Allow outgoing UDP s-port=53 d-port=NC -> Our DNS IP
>
> Rule #6:
> Allow outgoing UDP s-port=NC d-port=53 -> Internet
>
> --------
> I'm not sure if this is what I need or if I messed it all up. I'm especially
> not clear if I need the UDP rules. The one that really scares me is Rule #3
> which I'm not sure if I even need it but I think I need it to allow local users
> to fetch information from other dns servers but then again don't local users
> query our local dns server which queries other dns which send response back to
> local dns which sends info to local user. Did I lose you...because I'm lost
> myself! ;-)
I would suggest that you invest in a stateful firewall if
rule 3 worries you.
allow tcp from any to <nameserver> port 53 keep-state in setup
// Note: we are not keeping state on UDP queries to our server
// or the replies to avoid DoS attacks on the firewall.
// Order is important.
allow udp from any to <nameserver> port 53 in
allow udp from <nameserver> port 53 to any out
// keep state for queries we generate
allow tcp from any to any port 53 keep-state out setup
allow udp from any to any port 53 keep-state out
If you don't want to keep state on TCP then you should
permit established connections to continue.
// allow established connection to continue
allow tcp from any to any established
allow tcp from any to <nameserver> port 53 in setup
allow udp from any to <nameserver> port 53 in
allow udp from <nameserver> port 53 to any out
allow tcp from any to any port 53 out setup
// keep state for UDP queries we generate
allow udp from any to any port 53 keep-state out
If you want to further reduce the amount of state in the
firewall you can force the nameserver to make its UDP queries
using port 53 (see query-source).
match
allow udp from <nameserver> port 53 to any out
rather than
allow udp from any to any port 53 keep-state out
You also don't need to allow replies to any port in rule 3.
Find out which range of ports your OS uses when assigning
ports itself and use that range.
> Any help is greatly appreciated and if something is unclear, please ask and
> I'll be more than happy to clarify.
>
> Thanks,
>
> SW
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
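As an added illustration (not part of the original thread), the following Python models the UDP portion of the rulesets discussed in the reply above, so the poster's broad rule #3 can be compared with the narrowed stateless rule and with the keep-state ruleset; the addresses and the ephemeral port range are constructed assumptions.

```python
from dataclasses import dataclass

NAMESERVER = "192.0.2.53"        # constructed; stands in for <nameserver> in the rules
LAN_HOST = "192.0.2.77"          # constructed internal client behind the firewall
EPHEMERAL = range(49152, 65536)  # assumed OS ephemeral range; look up your own OS's


@dataclass(frozen=True)
class Pkt:
    direction: str  # "in" (from the Internet) or "out" (to the Internet)
    src: str
    sport: int
    dst: str
    dport: int


def rule3_original(p: Pkt) -> bool:
    """Poster's rule #3: any UDP from source port 53 may reach the entire network."""
    return p.direction == "in" and p.sport == 53


def rule3_narrowed(p: Pkt) -> bool:
    """Stateless tightening from the reply: replies only to the nameserver, and
    only to the port range the OS hands out for the server's own queries."""
    return (p.direction == "in" and p.sport == 53
            and p.dst == NAMESERVER and p.dport in EPHEMERAL)


class StatefulDns:
    """Models the UDP rules of the stateful ruleset, evaluated in the order given:
    stateless in/out rules for our server first, then keep-state for our queries."""

    def __init__(self) -> None:
        self.state = set()  # expected reply 4-tuples (src, sport, dst, dport)

    def allow(self, p: Pkt) -> bool:
        if p.direction == "in" and p.dst == NAMESERVER and p.dport == 53:
            return True  # allow udp from any to <nameserver> port 53 in
        if p.direction == "out" and p.src == NAMESERVER and p.sport == 53:
            # allow udp from <nameserver> port 53 to any out. With query-source
            # pinned to port 53 our own queries also match here, so no state is
            # kept (the reply's point); note this gives up source-port entropy.
            return True
        if p.direction == "out" and p.dport == 53:
            # allow udp from any to any port 53 keep-state out: remember the reply
            self.state.add((p.dst, p.dport, p.src, p.sport))
            return True
        if p.direction == "in" and p.sport == 53:
            # no standalone rule #3: only a reply matching recorded state gets in
            return (p.src, p.sport, p.dst, p.dport) in self.state
        return False
```

Run `allow()` on an outbound query and then on its reply to see the state entry consumed; an unsolicited packet from port 53 to a LAN host passes only the original rule #3.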