I am experimenting with ipfilter to enable a rudimentary firewall on a
Solaris 10 server (, below). This server does *not* allow
routing, so all I am concerned with is packets coming into and out of the
server itself.

I have brought up a slave nameserver on it so that I can investigate what
ports are needed for responding to lookups and for zone transfers. It
looks like this is what I need:

### For nameservers: Allow DNS lookups from selected networks.
pass in quick proto udp from (my internal IP ranges) to
port=53 keep state

### For nameservers: Allow zone transfers from the master.
pass in quick proto tcp from (DNS master) to ### all tcp ports
pass out quick proto tcp from to (DNS master) ### all tcp ports

Because the zone tranfers are tcp over random high order ports, it looks
like I need to allow all tcp ports from the master. Is there another way
to do this? The master does have the
options { query-source address * port 53; };
btw, but connections to for zone transfers appear to around
port number 35000 still.

| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard@tsg.cbot.com / \ anybody could become president. |
| (312) 347-4901 O---O Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+