Bind and ipfilter

Christopher L. Barnard cbar44 at tsg.cbot.com
Tue Feb 20 21:32:22 UTC 2007


I am experimenting with ipfilter to enable a rudimentary firewall on a
Solaris 10 server (172.31.2.250, below).  This server does *not* allow
routing, so all I am concerned with is packets coming into and out of the
server itself.

I have brought up a slave nameserver on it so that I can investigate what
ports are needed for responding to lookups and for zone transfers.  It
looks like this is what I need:

###
### For nameservers:  Allow DNS lookups from selected networks.
###
pass in quick proto udp from (my internal IP ranges) to 172.31.2.250
  port=53 keep state

###
### For nameservers:  Allow zone transfers from the master.
###
pass in quick proto tcp from (DNS master) to 172.31.2.250 ### all tcp ports
pass out quick proto tcp from 172.31.2.250 to (DNS master) ### all tcp ports

Because the zone transfers are tcp over random high order ports, it looks
like I need to allow all tcp ports from the master.  Is there another way
to do this?  The master does have the
options { query-source address * port 53; };
btw, but connections to 172.31.2.250 for zone transfers appear to be around
port number 35000 still.

+-----------------------------------------------------------------------+
| Christopher L. Barnard         O     When I was a boy I was told that |
| cbarnard at tsg.cbot.com         / \    anybody could become president.  |
| (312) 347-4901               O---O   Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard                --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
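As an added illustration (not part of the original post), the rule set below narrows the "all tcp ports from the master" rules by relying on how BIND performs a transfer: the slave itself opens the connection, from an ephemeral port (the ~35000 seen above) to the master's port 53, so a stateful outbound rule admits the replies, and the master only needs inbound access to port 53 for NOTIFY. The master's query-source option governs queries the master sends, not the port the slave picks for a connection it initiates. The interface name bge0, the master address 192.0.2.1 and the internal client range 10.0.0.0/8 are assumed placeholders.

```conf
### Example ipf.conf for the slave at 172.31.2.250 (assumed placeholders:
### interface bge0, master 192.0.2.1, internal clients 10.0.0.0/8).

### Default policy: deny and log, so anything not explicitly passed shows
### up in ipmon output while the rules are being tuned.
block in log all
block out log all

### Loopback traffic (named talking to itself, rndc) is not filtered.
pass in quick on lo0 all
pass out quick on lo0 all

### Lookups from internal clients: UDP and TCP to port 53, stateful, so the
### answers leave without a separate outbound rule (TCP is needed for
### truncated/large answers).
pass in quick on bge0 proto udp from 10.0.0.0/8 to 172.31.2.250 port = 53 keep state
pass in quick on bge0 proto tcp from 10.0.0.0/8 to 172.31.2.250 port = 53 flags S keep state

### Master -> slave: the only unsolicited traffic is NOTIFY, and it goes
### to port 53 (normally UDP). No "all tcp ports" rule is needed.
pass in quick on bge0 proto udp from 192.0.2.1 to 172.31.2.250 port = 53 keep state
pass in quick on bge0 proto tcp from 192.0.2.1 to 172.31.2.250 port = 53 flags S keep state

### Slave -> master: the slave polls the SOA serial (UDP) and then pulls
### the zone with AXFR/IXFR over TCP. Both are opened by the slave from an
### ephemeral port to the master's port 53, so "keep state" on the outbound
### rule admits the replies; the ephemeral ports never need their own rule.
pass out quick on bge0 proto udp from 172.31.2.250 to 192.0.2.1 port = 53 keep state
pass out quick on bge0 proto tcp from 172.31.2.250 to 192.0.2.1 port = 53 flags S keep state
```

Load with `ipf -Fa -f /etc/ipf/ipf.conf` and watch ipmon during a forced transfer: any packet still hitting the logged block rules identifies a flow the pass rules do not yet cover.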
