Hello FreeBSD fellows. I have an authoritative nameserver (PowerDNS) running as ns1.mydomain.com, hosting the DNS records of my domains and communicating with my secondary/slave nameserver for DNS record changes and updates.
I've implemented PF; however, I'm not really sure I managed to do it completely correctly, so to be sure these are correctly implemented rules for a DNS server before I move it completely public, I'd like to ask your opinions on my rules.
Any feedback on all of these?
Thank you!
pf.conf:
# Macros
ext_if="re0"
int_services = "{ 22, www, https }"   # inbound services offered on the external interface
out_services = "{ ntp, www, https }"  # outbound services the host itself may reach
icmp_types = "{ echoreq, unreach, timex }"
# Note: icmp6_types is defined but not referenced by any rule below
icmp6_types = "{ echoreq, unreach, timex, toobig, paramprob, neighbrsol }"

# Tables
table <whitelist> persist file "/var/pf/whitelist.txt"

# Options
set limit { states 200000, frags 200000, src-nodes 100000, table-entries 350000 }
set loginterface $ext_if
set skip on lo

# Normalization
scrub in on $ext_if all fragment reassemble

# Spoofing protection
antispoof quick for $ext_if

# Default policy: drop inbound; drop UDP in both directions unless a later
# rule passes it (PF is last-match-wins, "quick" stops evaluation)
block in all
block in quick from no-route to any
block in quick from urpf-failed to any
block proto udp

# ICMP / ICMPv6 (all ICMPv6 types are passed here, not just $icmp6_types)
pass quick inet proto icmp icmp-type $icmp_types
pass quick proto ipv6-icmp from any to any

# Whitelist
pass quick from <whitelist> to any flags any

# Services
pass in quick on $ext_if proto tcp to any port $int_services flags S/SA synproxy state
pass out quick on $ext_if proto { tcp, udp } to any port $out_services

# DNS Inbound/Outbound
pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 53
pass out quick on $ext_if proto { tcp, udp } to any port 53

# Tracert
pass out quick on $ext_if inet proto udp from any to any port 33433 >< 33626
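As an added example (not part of the post and not PF's own code), a small Python model of PF's evaluation order (last matching rule wins, `quick` stops evaluation, implicit default is pass) applied to a simplified transcription of the ruleset above; it shows why `block proto udp` still lets port 53 through and that outbound TCP has no block rule at all. It deliberately ignores antispoof, urpf, no-route, state tracking and ICMP type checks, so it is a reading aid, not a pfctl replacement.

```python
# Constructed model of PF rule evaluation for the ruleset in the post.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    quick: bool = False                  # "quick": stop evaluating on match
    direction: Optional[str] = None      # "in", "out" or None (both)
    protos: Optional[frozenset] = None   # None = any protocol
    dports: object = None                # set/range of dest ports, None = any
    whitelist_only: bool = False         # "from <whitelist>"

# Simplified transcription of the post's rules, in file order.
RULES = [
    Rule("block", direction="in"),                                  # block in all
    Rule("block", protos=frozenset({"udp"})),                       # block proto udp
    Rule("pass", True, protos=frozenset({"icmp"})),                 # icmp types
    Rule("pass", True, protos=frozenset({"ipv6-icmp"})),            # all icmp6
    Rule("pass", True, whitelist_only=True),                        # <whitelist>
    Rule("pass", True, "in", frozenset({"tcp"}), {22, 80, 443}),    # int_services
    Rule("pass", True, "out", frozenset({"tcp", "udp"}), {123, 80, 443}),
    Rule("pass", True, "in", frozenset({"tcp", "udp"}), {53}),      # DNS in
    Rule("pass", True, "out", frozenset({"tcp", "udp"}), {53}),     # DNS out
    Rule("pass", True, "out", frozenset({"udp"}), range(33434, 33626)),  # traceroute
]

def matches(rule, direction, proto, dport, whitelisted):
    if rule.direction and rule.direction != direction:
        return False
    if rule.protos and proto not in rule.protos:
        return False
    if rule.dports is not None and dport not in rule.dports:
        return False
    if rule.whitelist_only and not whitelisted:
        return False
    return True

def verdict(direction, proto, dport=None, whitelisted=False):
    """Return (action, index of the deciding rule); index None means no rule
    matched and PF's implicit default (pass) applies."""
    decision = ("pass", None)
    for i, rule in enumerate(RULES):
        if matches(rule, direction, proto, dport, whitelisted):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision
```

Running `verdict("out", "tcp", 25)` returns the implicit default pass, which is the kind of gap a reviewer would flag before the host goes public.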