I am experimenting with ipfilter to enable a rudimentary firewall on a
Solaris 10 server (172.31.2.250, below). This server does *not* allow
routing, so all I am concerned with is packets coming into and out of the
server itself.

I have brought up a slave nameserver on it so that I can investigate what
ports are needed for responding to lookups and for zone transfers. It
looks like this is what I need:

###
### For nameservers: Allow DNS lookups from selected networks.
###
pass in quick proto udp from (my internal IP ranges) to 172.31.2.250
port=53 keep state

###
### For nameservers: Allow zone transfers from the master.
###
pass in quick proto tcp from (DNS master) to 172.31.2.250 ### all tcp ports
pass out quick proto tcp from 172.31.2.250 to (DNS master) ### all tcp ports

Because the zone transfers are tcp over random high order ports, it looks
like I need to allow all tcp ports from the master. Is there another way
to do this? The master does have the
options { query-source address * port 53; };
btw, but connections to 172.31.2.250 for zone transfers appear to be around
port number 35000 still.

+-----------------------------------------------------------------------+
| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard@tsg.cbot.com / \ anybody could become president. |
| (312) 347-4901 O---O Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
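The rule set below is an added example written for this page; it is not the poster's configuration or anything from the ipfilter or BIND projects. It assumes the slave is 172.31.2.250 (from the post), a constructed master address of 192.0.2.53, and a constructed internal range of 10.0.0.0/8; substitute your own. The point it illustrates is the direction of the transfer: a zone transfer (AXFR/IXFR) is a TCP connection that the slave opens to the master's port 53, and the port around 35000 is the slave's own ephemeral source port on that connection, not a port the master chose. So the slave does not need an inbound "all tcp ports" rule from the master at all; it needs an outbound rule to the master's port 53 with keep state, so that ipfilter lets the master's replies back in. The master's query-source option governs queries the master itself originates (such as its own lookups), which is why changing it did not move that port.

```text
# /etc/ipf/ipf.conf -- example rules for a non-routing DNS slave.
# Assumed addresses: slave 172.31.2.250, master 192.0.2.53 (constructed),
# internal clients 10.0.0.0/8 (constructed).

# Default deny; the "quick" pass rules below override these.
block in all
block out all

# Local traffic.
pass in quick on lo0 all
pass out quick on lo0 all

# Lookups from internal clients. TCP/53 is needed as well as UDP/53,
# because a client retries over TCP when a UDP answer is truncated.
pass in quick proto udp from 10.0.0.0/8 to 172.31.2.250 port = 53 keep state
pass in quick proto tcp from 10.0.0.0/8 to 172.31.2.250 port = 53 flags S keep state

# NOTIFY from the master arrives as a UDP message to our port 53.
pass in quick proto udp from 192.0.2.53 to 172.31.2.250 port = 53 keep state

# SOA refresh checks and the transfer itself are initiated by this slave:
# UDP for the SOA query, TCP for AXFR/IXFR. The local source port is
# ephemeral (the ~35000 seen in the post); keep state admits the replies,
# so no inbound tcp rule from the master is required.
pass out quick proto udp from 172.31.2.250 to 192.0.2.53 port = 53 keep state
pass out quick proto tcp from 172.31.2.250 to 192.0.2.53 port = 53 flags S keep state
```

To check it on Solaris 10: load the file with ipf -Fa -f /etc/ipf/ipf.conf, list the active rules with ipfstat -io, trigger a transfer from the slave (dig @192.0.2.53 yourzone axfr, or rndc retransfer yourzone with BIND 9) and watch it with snoop -d <interface> port 53 and ipfstat -sl; the state entry will show the slave's ephemeral port as the source and 53 on the master as the destination. Two caveats: ipfilter rule order matters (without quick, the last matching rule wins, which is why the default blocks sit first and the passes carry quick), and pinning query-source to port 53 on the master makes its outgoing UDP queries predictable, which is a known weakness against cache poisoning, so it is worth leaving at the default unless a firewall elsewhere forces it.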