On Mar 27, 2013, at 11:54 AM, Owen DeLong <owen@delong.com> wrote:
It's been available in linux for a long time, just not in BIND…
Here is a working ip6tales example:
-A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -s 2620:0:930::/48 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -s 2001:470:1f00:3142::/64 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m limit --limit 30/minute --limit-burst 90 -j ACCEPT
YMMV and you may wish to provide tighter limits (less than 30 QPM or a burst of <90).
I am very concerned about examples such as this possibly being implemented by a well intentioned sysadmin or neteng type without understanding their query load and patterns. bind with the rrl patch does log when things are happening. While the data is possible to extract from iptables, IMHO it's not quite as easy to audit as a syslog. - Jared