LinuxSA Mailing list archives
From: Andrew Hill <list@fornax.net>
To : Adam Hawes <adam_hawes@dingoblue.net.au>
Date: Wed, 03 Jan 2001 08:54:55 +1030
Re: Firewall Development
Adam Hawes wrote:
> What rules are required to allow DNS queries:
The following is modified (slightly) from "Building Internet Firewalls"
by D. Chapman and E. Zwicky. See below for an explanation.
------------------------------------------------------
Dir.  Source  Dest.  Proto.  S. Port  D. Port  Ack?  Note
In    Ext     Int    UDP     >1023    53       a     Incoming query via UDP, client to server
Out   Int     Ext    UDP     53       >1023    a     Answer to incoming UDP query, server to client
In    Ext     Int    TCP     >1023    53       b     Incoming query via TCP, client to server
Out   Int     Ext    TCP     53       >1023    Yes   Answer to incoming TCP query, server to client

Out   Int     Ext    UDP     >1023    53       a     Outgoing query via UDP, client to server
In    Ext     Int    UDP     53       >1023    a     Answer to outgoing UDP query, server to client
Out   Int     Ext    TCP     >1023    53       b*    Outgoing query via TCP, client to server
In    Ext     Int    TCP     53       >1023    Yes   Answer to outgoing TCP query, server to client

In    Ext     Int    UDP     53       53       a     Query or response between two servers via UDP
Out   Int     Ext    UDP     53       53       a     Query or response between two servers via UDP
In    Ext     Int    TCP     >1023    53       b     Query from external server to internal server
                                                     via TCP; also zone transfer request from
                                                     external secondary server via TCP
Out   Int     Ext    TCP     53       >1023    Yes   Answer from internal server to external server
                                                     via TCP; also zone transfer response to
                                                     external secondary server via TCP
Out   Int     Ext    TCP     >1023    53       b     Query from internal server to external server
                                                     via TCP
In    Ext     Int    TCP     53       >1023    Yes   Answer from external server to internal server
                                                     via TCP
------------------------------------------------------
[a] UDP packets do not have ACK bits
[b] ACK is not set on the first packet of this type (establishing
connection) but will be set on the rest
[*] This was an "a" in the version I have (first with corrections),
but is clearly supposed to be "b"
------------------------------------------------------
I have split the table from the book into 3 parts. The top 4 entries are
what goes on when an external client wants to ask your DNS server
something. You are most likely not going to need this, as you are
probably not running a DNS server that hosts entries if you are on a
dynamic IP address :-)
The second set of 4 are what you are probably after, as that's what your
local clients will need to use to get out to talk to external DNS
servers.
Finally, the last set of 6 are for server to server communication. I
imagine that you may well be able to set up a local caching DNS server
that needs server to server communications - if so, it's probably just
the first and final 2 of that set that are required (and the last 2 are
a duplicate of two entries in the second set of 4 - it's just pointing
out that what's being done over the ports is different).
HTH.
Cheers,
--
Andrew Hill
"Right now, I'd happily snort gunk from the sink if it would take
my brain somewhere away from here...." - JB
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
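The second group of four rules above (local clients querying external DNS servers), modelled as an added example that is not part of the original post or of the book: a small stateless matcher that classifies a packet by direction, protocol, port ranges and the TCP ACK bit, so you can see which packets the rule set lets through and, in particular, why the "Ack? Yes" column on the TCP reply rule matters. Rule and packet types, and the packet values, are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" (Ext -> Int) or "out" (Int -> Ext)
    proto: str                     # "udp" or "tcp"
    sport_high: bool               # True: source port > 1023, False: source port 53
    dport_high: bool               # True: dest port > 1023,   False: dest port 53
    ack_required: Optional[bool]   # True: TCP ACK must be set; None: not checked ("a"/"b")

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    sport: int
    dport: int
    ack: bool = False              # only meaningful for TCP

def port_ok(port: int, high: bool) -> bool:
    """Port column semantics from the table: either >1023 or exactly 53."""
    return port > 1023 if high else port == 53

# The "outgoing query" block of the table: what a client site needs.
CLIENT_RULES: List[Rule] = [
    Rule("out", "udp", True,  False, None),  # UDP query, client -> server
    Rule("in",  "udp", False, True,  None),  # UDP answer, server -> client
    Rule("out", "tcp", True,  False, None),  # TCP query; first packet (SYN) has no ACK ("b")
    Rule("in",  "tcp", False, True,  True),  # TCP answer; ACK must be set ("Yes")
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet satisfies every column of the rule."""
    if rule.direction != pkt.direction or rule.proto != pkt.proto:
        return False
    if not (port_ok(pkt.sport, rule.sport_high) and port_ok(pkt.dport, rule.dport_high)):
        return False
    if rule.ack_required and not pkt.ack:
        return False
    return True

def allowed(pkt: Packet, rules: List[Rule] = CLIENT_RULES) -> bool:
    """First-match-wins is irrelevant here: the set only contains permit rules."""
    return any(matches(r, pkt) for r in rules)
```

Because the inbound TCP rule insists on ACK, an external host sending a bare SYN from port 53 to an internal high port is not let in, while the reply to a connection the inside opened is.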