The IPFW Firewall Rules for a bind DNS are Confusing me.

Mark Andrews Mark_Andrews at
Fri Jul 27 04:44:55 UTC 2007

> I am running Freebsd6.2 and have set up bind on several name
> servers. This time, I am using the "client" firewall
> configuration which is closed for all ports that are not
> specifically open.
> 	I put a couple of rules in as follows and they work:
> 	${fwcmd} add pass all from any to ${ip} 53 keep-state
> 	${fwcmd} add pass all from ${ip} to any 53 keep-state
> The problem is that they create too many dynamic rules on our
> master DNS so I need a less complex rule that leaves the box
> wide open both ways on port 53. When I remove the keep-state
> directive, it all stops working at all or you can see squawks in
> the log that the system is having trouble with zone transfers,
> etc.
> 	I am confused. Don't I only really need:

	No. You need to allow the reply traffic.
	Traffic from outside

> 	${fwcmd} add pass all from any to ${ip} 53
 	${fwcmd} add pass all from ${ip} 53 to any  // allow reply traffic

	Traffic you generate

> 	${fwcmd} add pass all from ${ip} to any 53
 	${fwcmd} add pass all from any 53 to ${ip} // allow reply traffic

	Note I would lock down the query source port and
	add it to "${ip}" -> "${ip} port", or use keep-state and drop
	the second rule.  If you use query-source port 53 you
	can get away with just the first two rules.
> 	Thanks for all good suggestions.
> Martin McCormick WB5AGZ  Stillwater, OK 
> Systems Engineer
> OSU Information Technology Department Network Operations Group
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at
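As an added example (not from the thread), the stateless rule set Mark describes, written as a POSIX shell function in the rc.firewall style; ${fwcmd} and ${ip} follow the thread, while the query-source port argument, the default of `echo` for a dry run, and the 192.0.2.1 address are assumptions.

```shell
#!/bin/sh
# Added example: emit the four stateless ipfw rules for a BIND server
# (no keep-state, so no dynamic rule table growth on a busy master).
# Assumptions: fwcmd defaults to "echo" so rules are printed, not loaded;
# set fwcmd=/sbin/ipfw on the real box.  $1 = server address,
# $2 = fixed query-source port (optional; must match named.conf query-source).
dns_rules() {
    ip=$1
    qport=$2
    fwcmd=${fwcmd:-echo}
    # Traffic from outside: queries and zone transfers to our port 53,
    # plus the replies we send back from port 53.
    $fwcmd add pass all from any to "$ip" 53
    $fwcmd add pass all from "$ip" 53 to any
    # If named also sends its own queries from port 53, the two rules
    # above already cover them and their replies.
    [ "$qport" = 53 ] && return 0
    # Traffic we generate: queries to remote port 53 and their replies.
    # With a fixed query-source port the reply rule is narrowed to it
    # instead of leaving every high port on $ip open to remote port 53.
    if [ -n "$qport" ]; then
        $fwcmd add pass all from "$ip" "$qport" to any 53
        $fwcmd add pass all from any 53 to "$ip" "$qport"
    else
        $fwcmd add pass all from "$ip" to any 53
        $fwcmd add pass all from any 53 to "$ip"
    fi
}

# Constructed example: server at 192.0.2.1 with query-source port 5353.
dns_rules 192.0.2.1 5353
```

A fixed query-source port keeps the rules simple but gives up source-port randomisation, which later became an important defence against cache poisoning; weigh that against the dynamic-rule cost of keep-state.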
