Hi All,
I have the Resolver server in the open and need to use IPFW rules to secure the server. First I configured the following rules to open port 53 for DNS queries:
For incoming queries:
```
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
```
For recursive queries:
```
allow udp from any to <Resolver external VIP> dst-port 53 keep-state
```
But the default kernel limit for dynamic rules is 256 (the default of net.inet.ip.fw.dyn_buckets in /etc/sysctl.conf). When I activated the resolver with dynamic rules, once the DNS query sources crossed a certain limit, collisions occurred and the connection to the server also went down. The resolver also stopped working, as it was using dynamic rules for port 53 in both directions.
If we configure the Resolver with the following static rules, everything should work:
For recursive queries:
```
allow udp from me to any dst-port 53
allow udp from any 53 to me
```
For incoming DNS queries:
```
allow udp from any to <Resolver external VIP> dst-port 53
allow udp from <Resolver external VIP> 53 to any
```
Please let me know if there is a limit for static rules too. I could not find anything related to this on Google.
Thanks & Regards,
Manju
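As an added example (not part of the post above), the stateless ruleset from the post as a small script that emits the `ipfw add` commands for a given VIP and checks how close the dynamic-rule table is to its ceiling; the rule numbers, the sample VIP and the percentage threshold are assumptions, and the sysctl values are passed in so the check runs without ipfw present.

```shell
#!/bin/sh
# Added example, not from the original post: emit the stateless DNS
# ruleset for a resolver and check dynamic-rule headroom.

# Print the static (no keep-state) rules for a resolver whose external
# address is $1. Rule numbers 1000-1030 are an assumption.
dns_static_rules() {
    vip="$1"
    # Outbound recursion from the host to upstream servers, and the
    # replies coming back (matched by source port, not by state).
    echo "ipfw add 1000 allow udp from me to any dst-port 53"
    echo "ipfw add 1010 allow udp from any 53 to me"
    # Client queries to the VIP, and the resolver's answers leaving it.
    echo "ipfw add 1020 allow udp from any to $vip dst-port 53"
    echo "ipfw add 1030 allow udp from $vip 53 to any"
}

# Return 0 when dynamic-rule usage ($1 = dyn_count, $2 = dyn_max) is
# below $3 percent of the limit, 1 otherwise. On the resolver host read
# the two counters with:
#   sysctl -n net.inet.ip.fw.dyn_count
#   sysctl -n net.inet.ip.fw.dyn_max
dyn_headroom_ok() {
    count="$1"; max="$2"; pct="$3"
    [ "$max" -gt 0 ] || return 1
    [ $(( count * 100 / max )) -lt "$pct" ]
}

# Review the emitted commands before applying them (sample VIP is
# a constructed documentation address).
dns_static_rules 192.0.2.10

# When running on the ipfw host itself, report the current headroom.
if dyn_max=$(sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null); then
    dyn_count=$(sysctl -n net.inet.ip.fw.dyn_count 2>/dev/null)
    if dyn_headroom_ok "$dyn_count" "$dyn_max" 80; then
        echo "dynamic rules: $dyn_count/$dyn_max (ok)"
    else
        echo "dynamic rules: $dyn_count/$dyn_max (above 80%, raise dyn_max or go stateless)"
    fi
fi
```

The trade-off of the stateless form is that `allow udp from any 53 to me` admits any UDP datagram with source port 53 into the host, so it should sit behind a default-deny policy and, if the resolver also listens elsewhere, be narrowed to the resolver's own addresses.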