Maintained by: NLnet Labs

[Unbound-users] wrong outgoing-port-permit port range handling?

Beastie
Sun Aug 3 08:31:41 CEST 2008


Hello.

My system is FreeBSD 7.0-RELEASE-p3 and I'm running Unbound 1.0.1 +
libevent-1.3e installed from ports.
System firewall is configured to use dynamic firewall rules.

---

IPFW configuration:
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
add check-state
add deny icmp from any to any frag
add allow icmp from any to me icmptypes 0,3,11
add allow icmp from me to any out keep-state
add allow tcp from me to any out keep-state
add allow udp from me to any out keep-state
add deny tcp from any to any
add deny udp from any to any
add deny ip from any to any

---

unbound.conf
server:
       verbosity: 0
       #statistics-interval: 3600
       num-threads: 4
       interface: 0.0.0.0
       port: 53
       outgoing-range: 256
       outgoing-port-permit: 32768-65000
       msg-cache-size: 32m
       msg-cache-slabs: 4
       num-queries-per-thread: 1024
       rrset-cache-size: 64m
       rrset-cache-slabs: 4
       cache-max-ttl: 86400
       infra-host-ttl: 900
       infra-lame-ttl: 900
       infra-cache-slabs: 4
       infra-cache-numhosts: 10000
       infra-cache-lame-size: 10k
       do-ip4: yes
       do-ip6: no
       do-udp: yes
       do-tcp: yes
       do-daemonize: yes

       access-control: 0.0.0.0/0 refuse
       access-control: 10.1.1.0/24 allow
       access-control: 192.168.15.0/24 allow
       access-control: 127.0.0.0/8 allow
       access-control: ::0/0 refuse
       access-control: ::1 allow
       access-control: ::ffff:127.0.0.1 allow

       chroot: "/usr/local/etc/unbound"
       username: "unbound"
       directory: "/usr/local/etc/unbound"
       logfile: "/usr/local/etc/unbound/unbound.log"
       #logfile: ""
       use-syslog: no
       pidfile: "/usr/local/etc/unbound/unbound.pid"
       root-hints: "/usr/local/etc/unbound/named.cache"

       identity: "a"
       version: "1"
       hide-identity: yes
       hide-version: yes
       harden-glue: yes
       do-not-query-address: 127.0.0.1/8
       do-not-query-address: ::1
       do-not-query-localhost: yes
       module-config: "iterator"

---

From the ipfw -d show output I can see that Unbound is actually using
source UDP port numbers that are outside the defined
outgoing-port-permit range:

01300     1      40 (4s) STATE udp 11.112.44.xxx 19405 <-> 195.59.44.134 53
01300     1      75 (4s) STATE udp 11.112.44.xxx 12506 <-> 63.209.3.131 53
01300     1     326 (3s) STATE udp 11.112.44.xxx 36161 <-> 66.218.71.63 53
01300     1      40 (4s) STATE udp 11.112.44.xxx 33033 <-> 124.211.40.3 53
01300     1      75 (4s) STATE udp 11.112.44.xxx 27274 <-> 63.209.3.132 53
01300     1      40 (4s) STATE udp 11.112.44.xxx 24709 <-> 63.209.3.132 53
01300     1      40 (4s) STATE udp 11.112.44.xxx 39301 <-> 63.209.3.131 53
01300     1      92 (4s) STATE udp 11.112.44.xxx 63155 <-> 195.59.44.134 53
01300     1      75 (4s) STATE udp 11.112.44.xxx 29005 <-> 81.52.250.132 53
01300     1     545 (3s) STATE udp 11.112.44.xxx 65480 <-> 192.26.92.30 53
01300     1     335 (3s) STATE udp 11.112.44.xxx 42386 <-> 192.52.178.30 53
01300     1     328 (3s) STATE udp 11.112.44.xxx 32650 <-> 192.35.51.30 53
01300     1     333 (3s) STATE udp 11.112.44.xxx 15798 <-> 192.33.14.30 53
01300     1      77 (4s) STATE udp 11.112.44.xxx 60832 <-> 124.211.40.3 53
01300     1      40 (4s) STATE udp 11.112.44.xxx 21815 <-> 195.59.44.134 53
01300     1      75 (4s) STATE udp 11.112.44.xxx 23089 <-> 195.59.44.134 53
01300     1      40 (3s) STATE udp 11.112.44.xxx 4915 <-> 81.52.250.132 53


Is it because of problems with my unbound.conf?
Thanks!