[ previous ] [ next ] [ threads ]
 
 From:  Andrew White <andywhite at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Re: [m0n0wall-commits] r397 - in branches/freebsd6: . phpconf/inc webgui
 Date:  Mon, 19 Jul 2010 09:50:13 +0100
I will add the exclusion for configured zones/delegation

I think maybe it's safer to default enable if the admin password is still
default, otherwise it has to be specifically enabled ?

I assume pfSense doesn't have this on by default, which is why it's on the
list ?

On Fri, Jul 16, 2010 at 3:19 AM, Chris Buechler <cbuechler at gmail dot com> wrote:

> On Thu, Jul 15, 2010 at 6:51 AM,  <svn at m0n0 dot ch> wrote:
> > Author: awhite
> > Date: 2010-07-15 12:51:23 +0200 (Thu, 15 Jul 2010)
> > New Revision: 397
> >
> > Modified:
> >   branches/freebsd6/CHANGELOG
> >   branches/freebsd6/phpconf/inc/services.inc
> >   branches/freebsd6/webgui/services_dnsmasq.php
> > Log:
> > make dnsmasq use --stop-dns-rebind by default to increase security and
> protect against dns rebind attacks.
> >
>
> This is a good change, though has some ramifications for how a lot of
> people use m0n0wall, it'll break a number of systems on upgrade. It
> stops responses (with private IPs) from the typical domain forwarding
> configuration, where for example you may use it for Active Directory
> or other internal name resolution. An option to disable it helps, but
> dnsmasq allows more flexible configuration options, such as excluding
> specific domains, which would be a nice option to have so you don't
> have to disable that protection entirely in such scenarios. pfSense
> automatically adds forwarded domains to the exclusion list since in
> the vast majority of cases those are going to return private IPs,
> might be a good idea to do that as it should eliminate virtually all
> breakage on upgrade while retaining the security benefits.
>
> At a minimum, I would definitely give a heads up in the release notes
> as to the effects of that change, so people know to disable it if
> it'll break their system.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch
>
>