I'm using some rules like the following to allow unrestricted UDP traffic across my firewall between my system and a set of specific ports on specific domain name servers. This is the scariest of these rules:

pass in quick proto udp from ip.of.remote.DNS/32 port = 53 to any

Is this safe?

According to everything I've read, it's best to have a stateful firewall. The examples I've seen do something like:

pass out quick proto udp from my.internal.address.range to any keep state

DNS queries match this rule and add an entry to the state table so that the local machine can get the reply back from the DNS without requiring any "pass in" rules.

However, I have a problem with that. I believe (and I'm gathering proof right now) that I'm running some heavy-duty filesharing applications that are causing ipfilter's state table to fill up. When this happens, I believe DNS queries choke if stateful rules are used. "named" goes into a frenzy of logging "sysquery: no addrs found for root NS (H.ROOT-SERVERS.NET)" and proceeds to run the alphabet on the ROOT-SERVERS.NET hosts, failing on all of them several times per second, presumably because the state table is full. /var/log/messages quickly grows to a huge size, and a denial-of-service situation occurs.

I may be wrong about some of this. It's a theory I'm trying to prove to explain why named goes crazy when my system is under the stress of heavy filesharing.

So, to keep named happy and prove my theory one way or the other, I'd like to pass all DNS traffic through the firewall without making entries in the state table. I'm trying to accomplish this by setting up rules that are as specific as I can be about exactly which IP addresses and ports I want to allow free UDP communication with, but is this safe? How difficult would it be for someone to forge packets that could get past this rule, and if they did, what damage could they do with UDP?
[EMAIL PROTECTED] mailing list
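The following is an added illustration, not part of the original post and not ipfilter's own code. It is a small Python model of how the two rule styles in the post treat four packets: the genuine outbound query, its reply, a packet whose source is forged as the name server on port 53 but aimed at a different local UDP port, and a forged packet that happens to hit the query's own port. The addresses (10.0.0.53 as the remote name server, 192.168.1.0/24 as the internal range) are constructed, every rule is treated as "quick" (first match wins), and the model assumes that when the state table is full the outbound query still passes but gets no state entry, so the reply has nothing to match; real ipfilter behaviour on a full table depends on the version, so treat that as a modelling assumption. The "tightened" ruleset is also an assumption added here: a stateless rule narrowed to the local host and unprivileged destination ports, to show what a more specific stateless rule does and does not buy.

```python
"""Toy model of ipfilter 'pass in' (stateless) vs 'keep state' rule evaluation.

Added example; addresses and port numbers are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

PortTest = Optional[Callable[[int], bool]]  # None means "any port"


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewall
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    sport: PortTest = None
    dport: PortTest = None
    keep_state: bool = False
    proto: str = "udp"

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction and p.proto == self.proto
                and _in_net(p.src, self.src) and _in_net(p.dst, self.dst)
                and (self.sport is None or self.sport(p.sport))
                and (self.dport is None or self.dport(p.dport)))


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


class Firewall:
    """First-matching rule wins (every rule is treated as 'quick'); default is block."""

    def __init__(self, rules, max_states: int = 1000):
        self.rules = rules
        self.max_states = max_states
        self.states = set()          # (proto, src, sport, dst, dport) of tracked outbound flows
        self.state_adds_failed = 0   # how often 'keep state' could not add an entry

    def check(self, p: Packet) -> str:
        # State table is consulted before the rules: an inbound packet that is the exact
        # reverse of a tracked outbound flow passes without needing any 'pass in' rule.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    if len(self.states) < self.max_states:
                        self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
                    else:
                        # Assumption: the packet still passes, but no state is recorded,
                        # so the reply will have nothing to match and will be blocked.
                        self.state_adds_failed += 1
                return r.action
        return "block"


# Constructed sample traffic.
DNS, LAN, HOST = "10.0.0.53", "192.168.1.0/24", "192.168.1.10"
QUERY = Packet("out", HOST, 40000, DNS, 53)
REPLY = Packet("in", DNS, 53, HOST, 40000)
FORGED_TO_PORTMAP = Packet("in", DNS, 53, HOST, 111)      # source spoofed as the DNS server
FORGED_TO_QUERY_PORT = Packet("in", DNS, 53, HOST, 40000)  # same 5-tuple as a genuine reply


def stateful(max_states: int = 1000) -> Firewall:
    # pass out quick proto udp from my.internal.address.range to any keep state
    return Firewall([Rule("pass", "out", LAN, "any", keep_state=True)], max_states)


def stateless() -> Firewall:
    # pass in quick proto udp from ip.of.remote.DNS/32 port = 53 to any
    return Firewall([
        Rule("pass", "in", f"{DNS}/32", "any", sport=lambda s: s == 53),
        Rule("pass", "out", LAN, "any"),
    ])


def tightened() -> Firewall:
    # Assumption (not from the post): restrict the inbound rule to the local host and
    # unprivileged destination ports, i.e. 'to my.host/32 port > 1023'.
    return Firewall([
        Rule("pass", "in", f"{DNS}/32", f"{HOST}/32",
             sport=lambda s: s == 53, dport=lambda d: d > 1023),
        Rule("pass", "out", LAN, "any"),
    ])


def run(fw: Firewall) -> dict:
    """Send the query first, then the reply and the two forged packets; report each verdict."""
    return {
        "query": fw.check(QUERY),
        "reply": fw.check(REPLY),
        "forged_portmap": fw.check(FORGED_TO_PORTMAP),
        "forged_query_port": fw.check(FORGED_TO_QUERY_PORT),
    }


if __name__ == "__main__":
    for name, fw in [("stateful", stateful()), ("stateful, table full", stateful(max_states=0)),
                     ("stateless", stateless()), ("tightened stateless", tightened())]:
        print(f"{name:22s} {run(fw)}")
```

With the stateful ruleset the reply passes and the forged packet to port 111 is blocked; with the state table full (max_states=0) the query goes out but its reply is dropped, which is the failure mode the post attributes to a full table. The stateless rule as written passes both forged packets, because nothing in it ties the inbound packet to a query: anyone who can put a source address of the name server and a source port of 53 on a UDP packet reaches every UDP port on every internal host. The tightened rule closes off the well-known ports, but a forged packet that lands on the query's ephemeral port still passes, and no stateless rule can distinguish it from the real reply.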