Peter writes:

> Putting host names in your PF config files is a practice that comes with
> warnings in large, friendly, red and flashing letters attached.

Ditto. DNS is weak, much weaker than your firewall rules (generally). DNSSEC helps with some of the problems, but not all, and comes with a performance penalty (besides, hardly anyone uses it). Strict conformance with the RFCs weakens you significantly. The following article is about the resolver in XP, but many of the same concerns apply:

http://www.phrack.org/show.php?p=62&a=3

Did you know? According to the RFCs, the DNS reply need not come from the same IP you sent it to (think multihomed hosts, wildcarded sockets *:53, and recv(2) not telling you what IP received the message). Of course this breaks pf's stateful filtering; such a response would not match the outbound state. This is a good illustration that there are tradeoffs between security and availability on occasion.

> The workaround involves setting up a local name resolution with a cache
> that's persistent enough to survive reboots

The TTL is controlled by the authoritative name server, though. And what about dynamic DNS?

> In simple configs, that would possibly mean putting the ones you need in
> /etc/hosts,

And possibly setting "lookup file bind" in /etc/resolv.conf.

On 2/27/06, Damien Miller <[EMAIL PROTECTED]> wrote:

> On Mon, 26 Feb 2006, [EMAIL PROTECTED] wrote:
>
> > PF squawks if a hostname in any of its files is not currently
> > findable. Is there a reasonable way to have it gracefully skip missing
> > hosts and carry on?
>
> So your firewall rules can be silently skipped during times of DNS outage
> or DoS? That doesn't sound like a very good idea.

Well, if it skipped only individual rules containing that hostname, and you have a "default deny" firewall policy (i.e. "block all" at top and only pass rules thereafter), then it's not such a bad idea.

> A better idea is creating your rules with tables in place of DNS names, and
> regularly updating the tables with the DNS names (e.g. out of cron).

That is a good idea. I also have been thinking of equipping dfd_keeper with a periodic refreshing of rules (which would force periodic lookups to catch changes in dynamic DNS hosts). Perhaps I could add a feature for updating a host's IP via some command, avoiding the use of tables. It's unfortunate it's not as simple as looking up the IP of an interface the way (ifname) does.

--
Security Guru for Hire
http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
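The tables-plus-cron approach Damien suggests, as an added example that is not from this thread or from dfd_keeper: a cron-run sh script that refreshes one pf table from DNS and keeps each name's last known-good addresses on disk, so a lookup failure falls back to the cached answer instead of silently dropping the host. The table name, hosts file and cache directory are assumed placeholders.

```shell
#!/bin/sh
# Added example: refresh a pf table from DNS out of cron. Names that fail to
# resolve keep their last known-good addresses from an on-disk cache, so a DNS
# outage or a bogus reply never empties the table. TABLE, HOSTS_FILE and
# CACHE_DIR are hypothetical defaults. Cron line: pf-refresh.sh run
TABLE="${TABLE:-dnshosts}"                  # referenced as <dnshosts> in pf.conf
HOSTS_FILE="${HOSTS_FILE:-/etc/pf.hosts}"   # one hostname per line, # comments
CACHE_DIR="${CACHE_DIR:-/var/db/pftables}"  # must persist across reboots

# Print the A and AAAA answers for one name, one address per line.
resolve() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
    host -t AAAA "$1" 2>/dev/null | awk '/has IPv6 address/ { print $NF }'
}

# build_table HOSTS CACHE OUT: write the sorted address list to OUT.
# Fresh answers update the cache; failed lookups fall back to it.
# Returns 1 if any lookup failed; OUT is still usable.
build_table() {
    hosts_file=$1 cache_dir=$2 out=$3 failed=0
    mkdir -p "$cache_dir" && : > "$out" || return 1
    while read -r name; do
        case $name in ''|\#*) continue ;; esac
        addrs=$(resolve "$name" || true)
        if [ -n "$addrs" ]; then
            printf '%s\n' "$addrs" > "$cache_dir/$name"
        elif [ -s "$cache_dir/$name" ]; then
            addrs=$(cat "$cache_dir/$name"); failed=1
        else
            failed=1; continue          # never resolved: nothing safe to add
        fi
        printf '%s\n' "$addrs" >> "$out"
    done < "$hosts_file"
    LC_ALL=C sort -u -o "$out" "$out"
    return "$failed"
}

main() {
    tmp=$(mktemp) || exit 1
    if build_table "$HOSTS_FILE" "$CACHE_DIR" "$tmp"; then rc=0; else rc=1; fi
    # Skip the replace when nothing resolved and nothing is cached: leaving the
    # old table in place beats clearing it; pass rules keep matching as before.
    [ -s "$tmp" ] && pfctl -t "$TABLE" -T replace -f "$tmp"
    [ "$rc" -eq 0 ] || logger -t pftable "$TABLE: lookups failed, cache used"
    rm -f "$tmp"
}

# Only run when invoked with "run" (cron), not when sourced for its functions.
if [ "${1:-}" = run ]; then main; fi
```

In pf.conf the table is declared once, e.g. `table <dnshosts> persist`, and the pass rules reference `<dnshosts>` instead of a hostname, so a DNS outage degrades to stale addresses rather than a rule that fails to load.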
