Simply stateless. Something along the lines of this (iptables):

```sh
# $internal is the internal network range (CIDR), set before running these rules.
# SSH may be internal only or moved to a different port
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Enable DNS on both TCP and UDP
iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Allow internal network traffic
iptables -A INPUT -s "$internal" -j ACCEPT
# Set the general input policy to drop traffic.
iptables -P INPUT DROP
```
What I'm concerned with security-wise is that if BIND has an RCE vulnerability, an unprivileged user might be able to "upload a shell" that gets executed and listens on another port. With all other ports closed, this can be prevented. It does not prevent against privilege escalation vulnerabilities though, as root can of course adjust the firewall at will. But I wouldn't consider security as "being unhackable", rather making it as hard as possible to get in. A firewall is a good starting point for that.

On Thu, 2020-10-15 at 21:38 +0200, sth...@nethelp.no wrote:
> > I would run a firewall even for BIND alone on a box in case the box
> > gets compromised through BIND. Allowing remote access and DNS, then
> > dropping everything else as the general firewall policy should be
> > pretty straightforward. But with the IP on this particular BIND box
> > being public, it's really like any other server on the internet. Port
> > forwarding or NAT in that case would be unnecessary.
>
> Do you mean a simple stateless ACL, or a stateful firewall? If you
> really mean a stateful firewall: Think about the effect of DNS
> queries - they are usually UDP based, and every new query is going
> to create state. Read up on state table exhaustion.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no

--
Michael De Roover <i...@nixmagic.com>
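A check for the stateless-versus-stateful question raised in the quoted reply, added here as example code that is not from the thread: once any rule uses `-m state` or `-m conntrack`, nf_conntrack is loaded and every packet, UDP/53 included, gets a state entry unless exempted with NOTRACK in the raw table. The script audits an iptables-save dump for exactly that; the dumps are constructed, the first mirroring the ruleset above with `10.0.0.0/8` standing in for `$internal`.

```python
import re

# Constructed iptables-save dump mirroring the posted ruleset.
POSTED = """
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Same ruleset plus raw-table exemptions so DNS over UDP never creates conntrack state.
EXEMPTED = POSTED + """
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
COMMIT
"""


def parse_rules(dump):
    """Yield (table, rule) pairs from iptables-save text."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, line


def audit(dump):
    """Report whether conntrack is in use and whether UDP/53 is still tracked."""
    rules = list(parse_rules(dump))
    stateful = [r for _, r in rules if re.search(r"-m (state|conntrack)\b", r)]
    dns_notrack = [r for t, r in rules
                   if t == "raw" and "-j NOTRACK" in r
                   and "-p udp" in r and "--dport 53" in r]
    return {
        "conntrack_loaded": bool(stateful),
        "dns_udp_tracked": bool(stateful) and not dns_notrack,
        "stateful_rules": stateful,
    }
```

On a live box, `iptables-save | python3 -c 'import sys; ...'` can feed `audit()` the real dump; `conntrack -C` then shows how many entries DNS traffic is actually creating.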