8/5 I've just set up a new firewall at home and I'm looking for a
tool to test it out. Any recommendations?
I'm also running a caching DNS server on the firewall and I'd
like to set up a rule that allows the server to make queries
and receive responses but that blocks inbound queries. I can't
seem to figure out how to do this though as my ipf fu is weak.
Any suggestions? Thanks.
\_ you want it so that you can run internal dns, but not have
external machines able to query your internal dns? Can you
run 2 nameservers on your network then?
\_ Not necessary to run 2 nameservers, that's overkill. BIND
has a directive which allows you to specify which servers
are allowed to query it. I'll double-check and get back to
you.
\_ somewhat obviously, the option you want is 'allow-query'.
\_ This does not seem to be a supported BIND4 directive.
Do you know if there is an equivalent?
\_ No, there is no equivalent.
\_ The caching nameserver handles the nameservice queries for
the internal NAT'ed network. The DNS for the public systems
in the DMZ is handled by my ISP.
In BIND8 you can tell it to bind() and listen() for connections
on selected IPs on the system, but I'm stuck running
BIND4 which doesn't support this feature. Thus I'm trying to
figure out an ipf rule that will allow me to run caching DNS
while preventing '1337 h4x0r5 from trying to exploit the
nameserver.
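An ipf ruleset fragment for the setup described in this thread (caching nameserver on the firewall itself, its own queries allowed out, inbound queries on the outside address dropped, spoofed addresses filtered), added here as an example and not posted by anyone in the thread; the interface names ep0/ep1, the 192.168.1.0/24 internal net and the 192.168.1.1 inside address are assumed, and the rest of the ruleset (SSH and so on) is not shown.

```conf
# Assumed layout (not from the thread):
#   ep0 = external (ISP-facing) interface
#   ep1 = internal interface, 192.168.1.0/24, firewall is 192.168.1.1
# ipf reads rules top to bottom; "quick" stops at the first match,
# and the state table is consulted before the rules on every packet.

# Anti-spoofing: nothing arriving from outside may claim a private or
# loopback source, and nothing leaving may carry an internal source.
block in log quick on ep0 from 10.0.0.0/8 to any
block in log quick on ep0 from 172.16.0.0/12 to any
block in log quick on ep0 from 192.168.0.0/16 to any
block in log quick on ep0 from 127.0.0.0/8 to any
block out log quick on ep0 from 192.168.0.0/16 to any

# Inbound queries to the nameserver via the outside address are
# dropped and logged, so probes show up in ipmon output.
block in log quick on ep0 proto udp from any to any port = 53
block in log quick on ep0 proto tcp from any to any port = 53

# The caching server's own recursive queries go out to upstream
# servers; "keep state" admits only the matching replies back in,
# so no separate "pass in ... port = 53" rule is needed on ep0.
pass out quick on ep0 proto udp from any to any port = 53 keep state
pass out quick on ep0 proto tcp from any to any port = 53 flags S keep state

# Internal hosts may query the nameserver on its inside address only.
pass in quick on ep1 proto udp from 192.168.1.0/24 to 192.168.1.1/32 port = 53 keep state
pass in quick on ep1 proto tcp from 192.168.1.0/24 to 192.168.1.1/32 port = 53 flags S keep state
```

With these rules an nmap UDP scan of the outside address should no longer report udp 53, while `dig` from an inside host against 192.168.1.1 still resolves.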
\_ Why are you running BIND4? There's no good reason to.
\_ Okay stuck was a bad choice of words. BIND4 for OpenBSD
has been audited while BIND8 has not. I just wanted that
extra level of protection and I wanted to avoid having
to install /usr/ports on the firewall in order to build
BIND8. Anyway it looks like I'm just going to have to
install BIND8. Thanks.
\_ Okay, let me get this straight. You're running BIND
on your firewall box. Are you INSANE?!? If you
care about having a secure nameserver, don't run
BIND. Run djbdns (Dan Bernstein's uber-paranoid
DNS server).
\_ OpenBSD BIND4 is audited. It's not the same as
stock BIND4 or BIND8. I thought about djbdns.
There are problems with the way that it does
recursive queries that break my webcache so
I can't use it.
As far as the firewall is concerned if udp 53
is open on my internal ip but closed on my
external ip, external attacks cannot exploit
any weaknesses in BIND. This is the level of
security I'm looking for. (In case this box is
hacked, I've got another with a similar image
ready to go, I can just power that one on and
switch over while the regular machine is being
reimaged from known safe media)
\_ you could try ShieldsUp! at http://grc.com
\_ The guy who runs this site is a freak! I don't know
about the quality of his programs, but I would not
want to support him.
\_ why not? sure, his site looks unprofessional, but you have to
respect someone who codes win32 apps in asm. his denial of
service story is good reading too.
\_ go to http://www.dslreports.com click on tools then port scan.
\_ Thanks, I'll try this out.
\_ May I recommend nmapping your site from outside?
\_ I've performed a TCP connect(), SYN, FIN, Xmas, NULL, and
a UDP port scan. The only open port that was detected was
tcp 22 (SSH) and udp 53 so most of my rules appear to be
working. The bits I want to test are filter input and output
packets with invalid source and destination addresses. I'm
an nmap novice and can figure out how to do this. I suppose
I could just write a raw packet generator, but someone must
have already written one so I'm looking for recommendations.
Thanks.