NSD and OpenDNSSEC under FreeBSD 10 [Part 4: Firewall]

Sunday, August 31st, 2014

This is the fourth part in the series of articles explaining how to run NSD and OpenDNSSEC under FreeBSD 10.

It’s just a reference for firewall freaks like me showing which ports need to be opened on each respective server.

I’m using PF on all four servers with the ‘deny all’ default rule.

NS-FEED needs to be able to send 53/udp to the signer and both slaves (to NOTIFY them about zone changes). It has to accept incoming 53/tcp from the signer and both slaves (to allow zone transfers), and it also has to accept 53/udp from the signer (the signer periodically polls the hidden master for zone changes):

    pass out quick on xl0 inet proto udp from xl0 to 192.168.128.1 port = domain keep state
    pass out quick on xl0 inet proto udp from xl0 to 192.168.128.2 port = domain keep state
    pass out quick on xl0 inet proto udp from xl0 to 10.9.128.2 port = domain keep state

    pass in quick on xl0 inet proto tcp from 192.168.128.1 to xl0 port = domain flags S/SA keep state
    pass in quick on xl0 inet proto tcp from 192.168.128.2 to xl0 port = domain flags S/SA keep state
    pass in quick on xl0 inet proto tcp from 10.9.128.2 to xl0 port = domain flags S/SA keep state

    pass in quick on xl0 inet proto udp from 10.9.128.2 to xl0 port = domain keep state

NS-SIGN has to be able to send 53/udp and 53/tcp to the hidden master (to request and perform zone transfers from the hidden master). It has to be able to send 53/udp to both slaves (to notify them about zone changes). It has to accept incoming 53/tcp from both slaves (to allow zone transfers), and it also has to accept 53/udp from the hidden master (the NOTIFY described above; the last rule is therefore a udp rule, not a second tcp rule):

    pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.1 port = domain flags S/SA modulate state
    pass out quick on xl0 inet proto udp from xl0 to 10.9.128.1 port = domain keep state
    pass out quick on xl0 inet proto udp from xl0 to 192.168.128.1 port = domain keep state
    pass out quick on xl0 inet proto udp from xl0 to 192.168.128.2 port = domain keep state

    pass in quick on xl0 inet proto tcp from 192.168.128.1 to xl0 port = domain flags S/SA keep state
    pass in quick on xl0 inet proto tcp from 192.168.128.2 to xl0 port = domain flags S/SA keep state
    pass in quick on xl0 inet proto udp from 10.9.128.1 to xl0 port = domain keep state

NS-3 and NS-4 have to be able to send 53/tcp to the hidden master and the signer (to request zone transfers). They also have to accept incoming 53/udp and 53/tcp from anywhere to serve recursive DNS requests. The two rule sets are identical apart from the slave's own address, so both are listed, one per slave:

    pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.1 port = domain flags S/SA modulate state
    pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.2 port = domain flags S/SA modulate state

    pass in quick on xl0 inet proto udp from any to 192.168.128.1 port = domain keep state
    pass in quick on xl0 inet proto tcp from any to 192.168.128.1 port = domain flags S/SA modulate state

and on the other slave:

    pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.1 port = domain flags S/SA modulate state
    pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.2 port = domain flags S/SA modulate state

    pass in quick on xl0 inet proto udp from any to 192.168.128.2 port = domain keep state
    pass in quick on xl0 inet proto tcp from any to 192.168.128.2 port = domain flags S/SA modulate state
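With a default-deny policy on every box, a `pass out` on one server is only useful if the peer has the matching `pass in`, and a copy-paste slip in one rule set silently breaks a NOTIFY or a zone transfer. The small checker below is an added example, not part of the original post or of NSD/OpenDNSSEC: it parses rules in the exact form listed above, maps `xl0` to the host's own address, and reports every outbound port 53 flow to a known host that the peer's own rules would not accept. Only the hidden master and signer addresses from the post are embedded (the slaves are left out for brevity), and the NS-SIGN rules embedded are the ones the prose for NS-SIGN calls for, including the inbound 53/udp rule from the hidden master.

```python
import re

# Addresses as used in the post (hidden master and signer only).
HOSTS = {"NS-FEED": "10.9.128.1", "NS-SIGN": "10.9.128.2"}

# Constructed sample: just the pf rules that carry traffic between the two hosts.
RULESETS = {
    "NS-FEED": """
        pass out quick on xl0 inet proto udp from xl0 to 10.9.128.2 port = domain keep state
        pass in quick on xl0 inet proto tcp from 10.9.128.2 to xl0 port = domain flags S/SA keep state
        pass in quick on xl0 inet proto udp from 10.9.128.2 to xl0 port = domain keep state
    """,
    "NS-SIGN": """
        pass out quick on xl0 inet proto tcp from xl0 to 10.9.128.1 port = domain flags S/SA modulate state
        pass out quick on xl0 inet proto udp from xl0 to 10.9.128.1 port = domain keep state
        pass in quick on xl0 inet proto udp from 10.9.128.1 to xl0 port = domain keep state
    """,
}

RULE = re.compile(r"pass (in|out) quick on (\w+) inet proto (tcp|udp) from (\S+) to (\S+) port = domain")


def flows(host, ruleset):
    """Set of (direction, proto, src, dst) tuples the host's rules pass on port 53."""
    me = HOSTS[host]
    found = set()
    for line in ruleset.splitlines():
        m = RULE.match(line.strip())
        if m:
            direction, iface, proto, src, dst = m.groups()
            # an interface name in the address position means the host's own address
            found.add((direction, proto, me if src == iface else src, me if dst == iface else dst))
    return found


def unmatched(rulesets):
    """Outbound flows to a known peer that the peer's own rules would drop.

    A peer rule with 'from any' matches every source; peers not in HOSTS are skipped.
    """
    by_addr = {addr: name for name, addr in HOSTS.items()}
    allowed = {name: flows(name, rules) for name, rules in rulesets.items()}
    gaps = []
    for name, fl in allowed.items():
        for direction, proto, src, dst in fl:
            if direction != "out" or dst not in by_addr:
                continue
            peer = allowed.get(by_addr[dst], set())
            if ("in", proto, src, dst) not in peer and ("in", proto, "any", dst) not in peer:
                gaps.append((name, by_addr[dst], proto))
    return sorted(gaps)
```

Swapping the signer's inbound rule to `proto tcp` makes the checker report the hidden master's udp NOTIFY as blocked, which is exactly the class of mistake a per-host review misses.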