OpenBSD and DNS

cj plug-discuss@lists.PLUG.phoenix.az.us
Sat, 30 Jun 2001 22:32:08 -0700


I didn't see anything glaringly wrong, but I probably don't know what I'm
looking for either. Here's my entire ipf.rules
#########################################################
# Firewalling rules
#########################################################
# set our default policies
  block in log all
  pass out all
# accept packets coming from the internal interface
  pass in on ep1 all
  pass in on lo all
# deny any coming from outside which are illegal
# first take care of standard unroutables
  block in log quick on ep0 from 0.0.0.0/32 to any
  block in log quick on ep0 from 255.255.255.255/32 to any
  block in log quick on ep0 from 127.0.0.0/8 to any
  block in log quick on ep0 from any to 0.0.0.0/32
  block in log quick on ep0 from any to 255.255.255.255/32
  block in log quick on ep0 from any to 127.0.0.0/8
# now let's deal with the internal networks
  block in log quick on ep0 from 192.168.0.0/16 to any
  block in log quick on ep0 from 172.16.0.0/12 to any
  block in log quick on ep0 from 10.0.0.0/8 to any
  block in log quick on ep0 from any to 192.168.0.0/16
  block in log quick on ep0 from any to 172.16.0.0/12
  block in log quick on ep0 from any to 10.0.0.0/8
# allow certain classes of ICMP
  pass in quick on ep0 proto icmp all icmp-type 0
  pass in quick on ep0 proto icmp all icmp-type 3
  pass in quick on ep0 proto icmp all icmp-type 11
# allow inbound ssh and mail connections
  pass in quick on ep0 proto tcp from any to any port = 22 flags S keep state
  pass in quick on ep0 proto tcp from any to any port = 25 flags S keep state
# allow return packets from connections we initiated
  pass out on ep0 proto tcp all keep state
# REJECT auth connections for fast SMTP handshake
  block return-rst in on ep0 proto tcp from any to any port = 113
# allow udp DNS replies from DNS 1 & 2
  pass in on ep0 proto udp from 24.1.240.33 port = 53 to any
  pass in on ep0 proto udp from 24.1.240.34 port = 53 to any
# allow NTP replies from 1.3.4.5
# pass in on ep0 proto udp from 1.3.4.5 port 123 to any
# Prevent outside machines from initiating TCP connections to machines
# within our network
  block in quick on ep0 proto tcp all flags S/SA
  block out quick on ep0 proto tcp all flags SA/SA
# END OF ipf.rules

and ipnat.rules:
# $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation
# map ppp0 10.0.0.0/8 -> ppp0/32 portmap tcp/udp 10000:20000
map ep0 10.0.1.0/24 -> ep0/32 portmap tcp/udp 1025:65000
#
# End of ipnat.rules

Again, thanks for your time.
CJ
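An added example, not part of CJ's post: a small Python model of IPFilter's rule evaluation (the last matching rule wins unless a matching rule says quick; a packet that matches no rule at all is passed) run over a constructed subset of the ipf.rules above, in their original order. It shows that a UDP reply arriving on ep0 from 24.1.240.33 port 53 is passed, while a reply from any other resolver falls through to the opening "block in log all" and is dropped and logged; flags, keep state and icmp-type are not modelled, and the firewall address 203.0.113.10 in the test traffic is constructed.

```python
import ipaddress

# Constructed subset of the ipf.rules posted above, kept in the original order.
# Modelling assumption: 'flags', 'keep state' and 'icmp-type' are ignored here.
RULES = """\
block in log all
pass out all
pass in on ep1 all
block in log quick on ep0 from 10.0.0.0/8 to any
pass in on ep0 proto udp from 24.1.240.33 port = 53 to any
pass in on ep0 proto udp from 24.1.240.34 port = 53 to any
"""

def parse_rule(line):
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "log": "log" in t,
         "iface": None, "proto": None, "src": None, "sport": None, "dst": None, "dport": None}
    i = 2
    while i < len(t):
        w, i = t[i], i + 1          # unknown keywords ('log', 'all', ...) are skipped
        if w in ("on", "proto"):
            r["iface" if w == "on" else "proto"] = t[i]; i += 1
        elif w in ("from", "to"):
            key = "src" if w == "from" else "dst"
            r[key] = None if t[i] == "any" else ipaddress.ip_network(t[i]); i += 1
            if t[i:i + 2] == ["port", "="]:             # optional 'port = N'
                r["sport" if w == "from" else "dport"] = int(t[i + 2]); i += 3
    return r

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and r["sport"] in (None, pkt["sport"])
            and r["dport"] in (None, pkt["dport"]))

def decide(rules, pkt):
    """ipf semantics: the last matching rule wins unless a matching rule is 'quick'.
    Returns (verdict, logged)."""
    verdict, logged = "pass", False     # ipf passes a packet that matches no rule at all
    for r in rules:
        if matches(r, pkt):
            verdict, logged = r["action"], r["log"]
            if r["quick"]:
                break
    return verdict, logged

RULESET = [parse_rule(line) for line in RULES.splitlines()]
```

Feed decide() a dict with dir, iface, proto, src, sport, dst and dport; a blocked DNS reply comes back as ("block", True), which is what ipmon would show for it.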
