Hi all, I have the following problem in my firewall setup.
I want to ping and traceroute from the firewall, and I decided to allow DNS lookups from my firewall (I use my ISP's DNS servers). So I added the following rule on the input chain (or more precisely on the input chain from the outside world):

ipchains -A bad-if -p TCP --sport domain -j ACCEPT

I'm wondering if such a rule isn't very dangerous in fact. Suppose that a port (say telnet) is open on the firewall, so that I can telnet from inside, but blocked for the outside world. Isn't it possible to hack a telnet client so that it connects FROM port 53 (domain) to my telnet port?

If so, what should I do? Should I specify that I only allow packets coming from port 53 _and_ from the addresses of my ISP's DNS servers? Even in this case, I would have to trust these computers. Is there a really bullet-proof setup?

Thanks for your time.

Sincerely,
Julien Stern
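As an added illustration (not part of the post above), here is a small Python model of how an ipchains chain evaluates packets, comparing the `--sport domain` rule from the post with a version that also requires the ISP resolver's address and the `! -y` (non-SYN) test; the resolver and remote addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    sport: int    # TCP source port
    dport: int    # TCP destination port
    syn: bool     # True for a connection-initiating SYN (what ipchains "-y" matches)

@dataclass(frozen=True)
class Rule:
    sport: Optional[int] = None     # --sport
    src_net: Optional[str] = None   # -s (single address or CIDR)
    syn: Optional[bool] = None      # True: -y, False: ! -y, None: no SYN test
    target: str = "ACCEPT"          # -j

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.src_net is not None and ip_address(pkt.src) not in ip_network(rule.src_net, strict=False):
        return False
    if rule.syn is not None and pkt.syn != rule.syn:
        return False
    return True

def verdict(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# Constructed placeholder addresses for the ISP resolvers (replace with your own).
ISP_DNS = ["192.0.2.53", "192.0.2.54"]

# The rule from the post:  ipchains -A bad-if -p TCP --sport domain -j ACCEPT
WEAK = [Rule(sport=53)]
# Tightened: ipchains -A bad-if -p TCP ! -y -s <resolver> --sport domain -j ACCEPT
# Only non-SYN packets (replies to queries we started) from each resolver get through.
HARDENED = [Rule(sport=53, src_net=ip, syn=False) for ip in ISP_DNS]

dns_reply = Packet("192.0.2.53", 53, 34567, syn=False)   # answer to our own lookup
probe = Packet("198.51.100.7", 53, 23, syn=True)         # new connection to telnet, source port 53
from_resolver = Packet("192.0.2.53", 53, 23, syn=True)   # same, but from a resolver's address

if __name__ == "__main__":
    for name, pkt in [("dns reply", dns_reply), ("port-53 probe", probe), ("probe from resolver", from_resolver)]:
        print(f"{name:22} weak={verdict(WEAK, pkt):6} hardened={verdict(HARDENED, pkt)}")
```

ipchains is stateless, so the SYN test only helps for TCP; for UDP DNS replies the resolver address is the only check available, which is why the trust in those hosts remains.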

