Problems with DNS & Firewall

Post by Björn Grie » Sat, 27 Feb 1999 04:00:00



Hi everybody!

I'm just getting started in setting up my own firewall at home to get
a little more secure ;-) But this isn't so easy as I thought :-(

My biggest problem is the DNS traffic. Every time I activate the
script, my whole DNS traffic is just thrown away by the packet
filtering system :-((

Does anybody have a solution that would suit my problem?

I'm using Linux kernel 2.0.36 & the ipfwadm tool

--- CUT ---
#!/bin/sh
#
# Variables
FW_IP=$1
#
ipfwadm -I -p deny
ipfwadm -I -f
ipfwadm -O -p deny
ipfwadm -O -f
ipfwadm -F -p deny
ipfwadm -F -f
#
#
ipfwadm -I -a accept -W lo -S any/0
ipfwadm -O -a accept -W lo -D any/0
ipfwadm -I -a accept -W eth0 -S any/0
ipfwadm -O -a accept -W eth0 -D any/0
#
ipfwadm -I -a deny -W ippp0 -P tcp -D $FW_IP 1:1023
ipfwadm -O -a deny -W ippp0 -P tcp -S $FW_IP 1:1023
ipfwadm -I -a deny -W ippp0 -P udp -D $FW_IP 1:1023
ipfwadm -O -a deny -W ippp0 -P udp -S $FW_IP 1:1023
#
ipfwadm -I -a accept -W ippp0 -P udp -D $FW_IP domain nameserver 51
ipfwadm -O -a accept -W ippp0 -P udp -S $FW_IP domain nameserver 51
#
ipfwadm -I -a accept -W eth0 -P tcp \
        -S 192.168.1.0/24 \
        -D 192.168.1.0/24
ipfwadm -O -a accept -W eth0 -P tcp \
        -D 192.168.1.0/24 \
        -S 192.168.1.0/24
#
# ftp
#
ipfwadm -I -a accept -k -P tcp -S any/0 ftp \
        -D $FW_IP 1024:65535
ipfwadm -O -a accept -P tcp -S $FW_IP 1024:65535 \
        -D any/0 ftp  
ipfwadm -I -a accept -P tcp -S any/0 ftp-data \
        -D $FW_IP 1024:65535
ipfwadm -O -a accept -k -P tcp -S $FW_IP 1024:65535 \
        -D any/0 ftp-data
#
# tcp ports
# - telnet www domain nameserver
#
ipfwadm -I -a accept -k -P udp \
        -S any/0 ssh \
        -D $FW_IP 1024:65535
ipfwadm -O -a accept -P udp \
        -S $FW_IP 1024:65535 \
        -D any/0 ssh
ipfwadm -I -a accept -k -P tcp \
        -S any/0 telnet www pop3 nntp smtp ssh \
        -D $FW_IP 1024:65535
ipfwadm -O -a accept -P tcp \
        -S $FW_IP 1024:65535 \
        -D any/0 telnet www pop3 nntp smtp ssh
#
# ports for nameserver
# - dns
#
#ipfwadm -I -a accept -k -P tcp -S 193.196.32.1 domain nameserver \
#        -D $FW_IP
#ipfwadm -O -a accept -P tcp -S $FW_IP \
#        -D 193.196.32.1 domain nameserver
ipfwadm -I -a accept -k -P udp -S any/0 domain \
        -D $FW_IP domain
ipfwadm -O -a accept -P udp -S $FW_IP domain \
        -D any/0 domain
#
#
ipfwadm -I -p accept
ipfwadm -O -p accept
#
#
ipfwadm -A in -a -W ippp0 -P tcp -D $FW_IP www
ipfwadm -A out -a -W ippp0 -P tcp -S $FW_IP www
--- CUT ---

THNX for every reply ;-)


Problems with DNS & Firewall

Post by Malwar » Sun, 28 Feb 1999 04:00:00


Hi Björn,


> ipfwadm -I -a deny -W ippp0 -P tcp -D $FW_IP 1:1023
> ipfwadm -O -a deny -W ippp0 -P tcp -S $FW_IP 1:1023
> ipfwadm -I -a deny -W ippp0 -P udp -D $FW_IP 1:1023
> ipfwadm -O -a deny -W ippp0 -P udp -S $FW_IP 1:1023

Here you deny any packets from or to ports below 1024 traveling via
ippp0. Put these rules next to the end of your script.

> #
> ipfwadm -I -a accept -W ippp0 -P udp -D $FW_IP domain nameserver 51
> ipfwadm -O -a accept -W ippp0 -P udp -S $FW_IP domain nameserver 51

ipfwadm -I -a accept -W ippp0 -P udp -D $FW_IP $DNSPORT -S 0/0 domain
ipfwadm -O -a accept -W ippp0 -P udp -S $FW_IP $DNSPORT -D 0/0 domain
ipfwadm -I -a accept -W ippp0 -P tcp -D $FW_IP $DNSPORT -S 0/0 domain -k
ipfwadm -O -a accept -W ippp0 -P tcp -S $FW_IP $DNSPORT -D 0/0 domain

where DNSPORT is set to the port your nameserver is using for outgoing
requests. This will be 53 for bind 4.9.x but might be another port for
bind 8.x (it is configurable there). Clients from your local net then
have to use the nameserver on your firewall as "proxy".

> ipfwadm -I -a accept -k -P udp -S any/0 domain \
>         -D $FW_IP domain
> ipfwadm -O -a accept -P udp -S $FW_IP domain \
>         -D any/0 domain

Looks like a bogus attempt to apply the same logic as for TCP streams to UDP.
The option "-k" makes no sense with UDP. If ipfwadm accepts this,
I would not be sure what it does.

> ipfwadm -A in -a -W ippp0 -P tcp -D $FW_IP www
> ipfwadm -A out -a -W ippp0 -P tcp -S $FW_IP www

What's this? ipfwadm and ipchains syntax all together.

For a server use:

ipfwadm -I -a accept -W ippp0 -P tcp -D $FW_IP www
ipfwadm -O -a accept -W ippp0 -P tcp -S $FW_IP www -k

For a www-proxy on the firewall use:

ipfwadm -I -a accept -W ippp0 -P tcp -D $FW_IP $WWWPORTS -S 0/0 www 8080 -k
ipfwadm -O -a accept -W ippp0 -P tcp -S $FW_IP $WWWPORTS -D 0/0 www 8080

Where WWWPORTS is empty or the port range the www-proxy might use (e.g.
"1024:4099").

Malware
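The ordering point in this reply (the low-port deny rules sit in front of the DNS accepts, and ipfwadm takes the first matching rule) is easy to check offline. The following is an added example, my own code rather than anything posted in this thread: a small Python model of first-match evaluation that parses the ipfwadm subset used here (-I/-O/-F, -p, -f, -a, -W, -P, -S, -D, -k) and runs the DNS packets of a named that sends queries from source port 53 through both orderings. FW_IP (10.0.0.1), the upstream resolver and the probe source are constructed addresses; the chain policy is left at deny, so the reset to `-p accept` near the end of the posted script is deliberately not reproduced, and `-k` (TCP ACK-only matching) is parsed but not modelled.

```python
import ipaddress

# Service names used in the thread, resolved as /etc/services would (constructed subset).
SERVICES = {"domain": 53, "nameserver": 42, "www": 80, "ftp": 21, "ftp-data": 20,
            "telnet": 23, "ssh": 22, "smtp": 25, "pop3": 110, "nntp": 119}
CHAINS = {"-I": "in", "-O": "out", "-F": "fwd"}


def parse_ports(tokens):
    """Consume the port tokens that follow an address ('53', 'domain', '1:1023'); return (lo, hi) pairs."""
    ports = []
    while tokens and (tokens[0] in SERVICES or tokens[0][0].isdigit()):
        tok = tokens.pop(0)
        if ":" in tok:
            lo, hi = map(int, tok.split(":"))
        else:
            lo = hi = SERVICES[tok] if tok in SERVICES else int(tok)
        ports.append((lo, hi))
    return ports


def parse_addr(tok):
    """'any/0' and '0/0' match every address; otherwise a host or CIDR network."""
    return ipaddress.ip_network("0.0.0.0/0" if tok in ("any/0", "0/0") else tok, strict=False)


def parse(line):
    """Parse one ipfwadm command from the subset the thread uses."""
    tokens = line.split()
    if tokens[0] != "ipfwadm" or tokens[1] not in CHAINS:
        raise ValueError("not an ipfwadm rule: " + line)
    rule = {"chain": CHAINS[tokens[1]], "kind": "rule", "action": None, "iface": None,
            "proto": None, "src": None, "sports": [], "dst": None, "dports": []}
    tokens = tokens[2:]
    while tokens:
        flag = tokens.pop(0)
        if flag == "-p":                      # default policy for the chain
            rule.update(kind="policy", action=tokens.pop(0))
        elif flag == "-f":                    # flush the chain
            rule["kind"] = "flush"
        elif flag == "-a":
            rule["action"] = tokens.pop(0)
        elif flag == "-W":
            rule["iface"] = tokens.pop(0)
        elif flag == "-P":
            rule["proto"] = tokens.pop(0)
        elif flag == "-S":
            rule["src"] = parse_addr(tokens.pop(0))
            rule["sports"] = parse_ports(tokens)
        elif flag == "-D":
            rule["dst"] = parse_addr(tokens.pop(0))
            rule["dports"] = parse_ports(tokens)
        elif flag == "-k":                    # TCP ACK-only match; UDP has no flags, so not modelled
            pass
        else:
            raise ValueError("unsupported flag " + flag)
    return rule


def in_ports(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def matches(r, iface, proto, src, sport, dst, dport):
    return (r["iface"] in (None, iface) and r["proto"] in (None, proto)
            and (r["src"] is None or ipaddress.ip_address(src) in r["src"]) and in_ports(r["sports"], sport)
            and (r["dst"] is None or ipaddress.ip_address(dst) in r["dst"]) and in_ports(r["dports"], dport))


class Filter:
    """First-match filter: rules are tried in the order appended; an unmatched packet gets the chain policy."""

    def __init__(self, script):
        self.rules = {c: [] for c in CHAINS.values()}
        self.policy = {c: "accept" for c in CHAINS.values()}
        for line in script.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                r = parse(line)
                if r["kind"] == "policy":
                    self.policy[r["chain"]] = r["action"]
                elif r["kind"] == "flush":
                    self.rules[r["chain"]].clear()
                else:
                    self.rules[r["chain"]].append(r)

    def verdict(self, chain, iface, proto, src, sport, dst, dport):
        for r in self.rules[chain]:
            if matches(r, iface, proto, src, sport, dst, dport):
                return r["action"]
        return self.policy[chain]


FW_IP = "10.0.0.1"          # stands in for $FW_IP (constructed)
RESOLVER = "198.51.100.5"   # upstream nameserver (constructed, documentation range)

# Ordering from the first post: the low-port deny on ippp0 precedes the DNS accepts.
ORIGINAL = f"""
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -I -a deny -W ippp0 -P udp -D {FW_IP} 1:1023
ipfwadm -O -a deny -W ippp0 -P udp -S {FW_IP} 1:1023
ipfwadm -I -a accept -W ippp0 -P udp -S any/0 domain -D {FW_IP} domain
ipfwadm -O -a accept -W ippp0 -P udp -S {FW_IP} domain -D any/0 domain
"""

# Ordering from the reply: DNS accepts first (DNSPORT=53 for a BIND 4.9 named), deny block at the end.
REORDERED = f"""
ipfwadm -I -p deny
ipfwadm -O -p deny
ipfwadm -I -a accept -W ippp0 -P udp -D {FW_IP} 53 -S 0/0 domain
ipfwadm -O -a accept -W ippp0 -P udp -S {FW_IP} 53 -D 0/0 domain
ipfwadm -I -a deny -W ippp0 -P udp -D {FW_IP} 1:1023
ipfwadm -O -a deny -W ippp0 -P udp -S {FW_IP} 1:1023
"""


def dns_verdicts(script):
    """Verdicts for a port-53 query and its reply, plus an unsolicited probe to a low port
    (203.0.113.9 is a constructed source) that must stay denied in both orderings."""
    fw = Filter(script)
    return {"query_out": fw.verdict("out", "ippp0", "udp", FW_IP, 53, RESOLVER, 53),
            "reply_in": fw.verdict("in", "ippp0", "udp", RESOLVER, 53, FW_IP, 53),
            "probe_in": fw.verdict("in", "ippp0", "udp", "203.0.113.9", 53, FW_IP, 111)}


if __name__ == "__main__":
    for name, script in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, dns_verdicts(script))
```

With the posted ordering both the outgoing query and the returning reply hit the deny rule first; with the deny block moved to the end they are accepted, while the probe to port 111 is still denied because it matches neither DNS accept and then falls through to the deny.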


Problems with DNS & Firewall

Post by Tobias Reckhard (jest » Mon, 01 Mar 1999 04:00:00




> My biggest problem is the DNS traffic. Every time I activate the
> script, my whole DNS traffic is just thrown away by the packet
> filtering system :-((

I just started a more detailed reply, examining your rules, but
halfway through, they looked ok *if* only the packet filter is trying
to access the Internet. With what hosts are you having problems? Is
all DNS traffic discarded by the packet filter or just that of the
hosts behind it? I don't see any forwarding rules in your setup, so I
don't know how any of your protected machines can access the Internet
at all. Or are you using proxies on the packet filter and have a DNS
server installed on it? Please specify your problem more closely.

Tobias / jester


squid & firewall & DNS - discovered a possible gotcha

Dear everyone,

I was having a problem with Squid and DNS, both running
on a gateway machine employing an ipchains firewall.
Others have asked this question before - Squid keeps
returning a "host not found - DNS lookup failure" sorta
response to the browser.

As a matter of fact, the OS is a SuSE 6.4 - that doesn't
seem to be an important factor with this particular gotcha.

I tried searching the newsgroups, but failed to find any
helpful responses (maybe largely due to the recent
gooooogle's "rescue" of DejaNews) and had to try to solve
the issue on my own.

At a certain moment I found out that if I flush the
IP chains (`ipchains -F`), Squid starts to work.
So I tried some tricks with tcpdump and DENY rules logging
and I've come to the conclusion that Squid is sending
UDP-based DNS queries to the local nameserver (127.0.0.1:53)
and the server is even sending responses that fail to reach
squid. The strange thing was that the source address of the
queries (and the destination of the responses) was the machine's
public IP address - 193.85.x.x . Thus, the firewall's
anti-spoofing rules were busting the responses.

I've tracked the problem down to the "tcp_outgoing_address"
and "udp_outgoing_address" entries in squid.conf.
If you leave these unset (commented-out with `#'), Squid
doesn't bind its client connections' local sockets to
any particular address - in other words, for the source
address it uses the IP address of the network interface
used for that particular destination.

Even if the DNS daemon runs on a different host (not on the
local host under squid and firewall), if you force squid to
use one particular address, you may get it wrong or you
may later forget you'd ever set it.
Try dropping the firewall and using TCPdump to see what's
going on.

Frank Rysanek

==================== From the browser ====================

While trying to retrieve the URL: http://www.suse.de/
The following error was encountered:
Unable to determine IP address from host name for www.suse.de

The dnsserver returned:
No DNS records

This means that:
The cache was not able to resolve the hostname presented in the URL.
Check if the address is correct.
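The gotcha above is a configuration mismatch that can be caught before a packet is lost: a loopback nameserver combined with an outgoing address pinned to the public interface. The following is an added example, my own code rather than anything from the post or from the Squid project: a Python lint over a constructed squid.conf fragment that reports exactly that combination. The `dns_nameservers` directive and the reading of `255.255.255.255` as "do not bind" are taken from Squid 2's default squid.conf as I understand it, and the address 193.85.0.2 is a constructed host inside the 193.85.x.x range the post mentions.

```python
import ipaddress

# Constructed squid.conf fragment reproducing the post: lookups go to the local
# nameserver while both outgoing sockets are pinned to the public address.
SQUID_CONF = """
http_port 3128
# udp_outgoing_address 255.255.255.255   (the shipped default, meaning: do not bind)
tcp_outgoing_address 193.85.0.2
udp_outgoing_address 193.85.0.2
dns_nameservers 127.0.0.1
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
UNBOUND = ipaddress.ip_address("255.255.255.255")   # assumption: Squid 2's "not set" value


def parse_squid_conf(text):
    """Return {directive: [values]} for uncommented lines; repeated directives accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *values = line.split()
            conf.setdefault(name, []).extend(values)
    return conf


def outgoing_address_findings(conf):
    """One finding per *_outgoing_address that is set to a non-loopback address while a
    nameserver lives on 127/8: the query then leaves with that address as its source and
    the reply is addressed back to it, both over lo, where anti-spoofing rules that only
    allow loopback addresses will drop them."""
    findings = []
    nameservers = [ipaddress.ip_address(v) for v in conf.get("dns_nameservers", ["127.0.0.1"])]
    if not any(ns in LOOPBACK for ns in nameservers):
        return findings
    for directive in ("tcp_outgoing_address", "udp_outgoing_address"):
        for value in conf.get(directive, []):
            addr = ipaddress.ip_address(value)
            if addr != UNBOUND and addr not in LOOPBACK:
                findings.append(f"{directive} {value}: DNS replies from a loopback nameserver "
                                f"will be addressed to {value} on lo; leave the directive unset")
    return findings


if __name__ == "__main__":
    for finding in outgoing_address_findings(parse_squid_conf(SQUID_CONF)):
        print(finding)
```

Commenting out the two directives, as the post recommends, makes the lint return nothing, and so does an explicit `255.255.255.255`.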
