Hi NN,

On Wed, 29 Aug 2018 11:57:15 +0200 NN wrote:
>
> here is my pf.conf on VM#1:
>
> int_if="{ vether0 re0 }"
> set block-policy drop
> set log interface egress
> set skip on lo0
> match in all scrub (no-df random-id max-mss 1440)
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> pass out quick inet
> pass in on $int_if inet
> pass in on egress inet proto { tcp, udp } from any to (egress) port 53 rdr-to 192.168.50.2
Yuck. Block everything:-

block in all
block in log on $ext_if
block return in on $int_if
block return out

Then only open up what is needed, e.g.:

pass out on $ext_if inet proto {udp, tcp} \
	from $ext_if port > 1023 \
	to any port domain \
	user {_nsd, _unbound}

pass in on $int_if inet proto {udp, tcp} \
	from $int_if:network port > 1023 \
	to $int_if port domain \
	user root \
	modulate state

Define your Unbound server in your DHCP daemon configuration.

>
> *P.S: unbound.conf is here ...*
>
> server:
> # interface: 188.192.103.156

No no no no No No NO NO NO *NO* *NO* _NO_!!!!

NEVER run a recursive resolver on the Internet!!!

"Overview
A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic. ...."

https://www.us-cert.gov/ncas/alerts/TA13-088A

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7
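An unbound.conf server block that follows the advice in the reply above (listen only on loopback and the internal address, refuse recursion from everywhere else), added here as an example; it is not from the original thread. The internal address 192.168.50.2 is taken from the rdr-to target in the quoted pf.conf and is assumed to be the resolver host; the 192.168.50.0/24 client range is also an assumption.

```conf
server:
    # Listen only on loopback and the internal interface. The public
    # address (188.192.103.156 in the quoted config) is deliberately
    # absent, so the daemon never accepts Internet queries at all.
    interface: 127.0.0.1
    interface: 192.168.50.2      # assumed: this host's LAN address
    port: 53

    # Default deny: anything not matched by a later, more specific
    # access-control line is refused (REFUSED rcode, no recursion).
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Only the host itself and the LAN (assumed range) may recurse.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.50.0/24 allow

    # Keep answers small: a smaller response is a smaller amplification
    # factor if a query ever does reach the daemon.
    minimal-responses: yes

    # Don't advertise software identity or version over CH/TXT queries.
    hide-identity: yes
    hide-version: yes

    # Standard cache-poisoning hardening.
    harden-glue: yes
    harden-dnssec-stripped: yes
```

Run unbound-checkconf against the file before restarting the daemon; it rejects unknown options and bad CIDR ranges. With the daemon bound this way, the "pass in on egress ... port 53 ... rdr-to" rule in the quoted pf.conf has nothing to forward to and should simply be removed, leaving the default-deny block rules and the two narrow pass rules from the reply.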