On Mon, Jan 31, 2000 at 02:35:38PM +0100, Julien Stern wrote:
> So I added the following rule on the input chain (or more
> precisely on the input chain from the outside world):
>
> ipchains -A bad-if -p TCP --sport domain -j ACCEPT
>
> I'm wondering if such a rule isn't very dangerous in fact.
> Suppose that a port (say telnet) is open on the firewall,
> so that I can telnet from inside, but blocked for the
> outside world. Isn't it possible to hack a telnet client
> so that it connects FROM port 53 (domain) to my telnet port?
Yes, you should only allow packets for an existing TCP connection to enter the input rule (! -y).

> If so, what should I do? Should I specify that I only allow
> packets coming from port 53 _and_ from the addresses of
> my ISP DNSs? Even in this case, I would have to trust these
> computers. Is there a really bullet-proof setup?

You can also specify the query-port for bind 8, then you don't have to allow all ports for the UDP part.

Greetings
Bernd
-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  [EMAIL PROTECTED],linux.de,debian.org}  http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  [EMAIL PROTECTED]  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
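The exchange above, worked through as an added example that is not part of the original thread: a small Python model of how an ipchains chain with a DENY policy evaluates Julien's original rule, Bernd's `! -y` version, and a UDP rule pinned to a fixed bind query-source port. The packets, the `bad-if` chain name, and the query port 5353 are constructed for the illustration; the flag semantics of `-y` (SYN set, ACK and FIN clear) are ipchains' own.

```python
# Added example, not code from the thread: a toy model of ipchains rule
# evaluation so the "connect FROM port 53" attack can be checked against the
# weak rule and against the "! -y" fix without an ipchains kernel.
from dataclasses import dataclass
from typing import Callable, List, Optional

DOMAIN = 53        # TCP/UDP port "domain"
TELNET = 23
QUERY_PORT = 5353  # assumption: fixed query-source port configured for bind 8


@dataclass(frozen=True)
class Packet:
    proto: str          # "TCP" or "UDP"
    sport: int
    dport: int
    syn: bool = False   # TCP flags as seen on the wire
    ack: bool = False
    fin: bool = False


def is_conn_request(pkt: Packet) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear, i.e. the first packet of a new TCP connection."""
    return pkt.proto == "TCP" and pkt.syn and not pkt.ack and not pkt.fin


Rule = Callable[[Packet], Optional[str]]


def weak_rule(pkt: Packet) -> Optional[str]:
    """ipchains -A bad-if -p TCP --sport domain -j ACCEPT"""
    return "ACCEPT" if pkt.proto == "TCP" and pkt.sport == DOMAIN else None


def fixed_rule(pkt: Packet) -> Optional[str]:
    """ipchains -A bad-if -p TCP --sport domain ! -y -j ACCEPT"""
    if pkt.proto == "TCP" and pkt.sport == DOMAIN and not is_conn_request(pkt):
        return "ACCEPT"
    return None


def udp_rule(pkt: Packet) -> Optional[str]:
    """ipchains -A bad-if -p UDP --sport domain --dport 5353 -j ACCEPT (hypothetical query port)"""
    if pkt.proto == "UDP" and pkt.sport == DOMAIN and pkt.dport == QUERY_PORT:
        return "ACCEPT"
    return None


def verdict(pkt: Packet, chain: List[Rule]) -> str:
    """First matching rule wins; no match falls through to the chain's DENY policy."""
    for rule in chain:
        target = rule(pkt)
        if target is not None:
            return target
    return "DENY"


# Constructed packets (not captures):
CRAFTED_TELNET = Packet("TCP", sport=DOMAIN, dport=TELNET, syn=True)           # hacked client binding port 53
DNS_TCP_SYNACK = Packet("TCP", sport=DOMAIN, dport=1025, syn=True, ack=True)   # reply to our own TCP query
DNS_TCP_DATA   = Packet("TCP", sport=DOMAIN, dport=1025, ack=True)             # data on that connection
DNS_UDP_REPLY  = Packet("UDP", sport=DOMAIN, dport=QUERY_PORT)                 # answer to bind's query
UDP_TO_OTHER   = Packet("UDP", sport=DOMAIN, dport=111)                        # probe at portmap from sport 53

WEAK_CHAIN: List[Rule] = [weak_rule]
FIXED_CHAIN: List[Rule] = [fixed_rule, udp_rule]


def compare(pkt: Packet) -> dict:
    """Verdict of the same packet under the weak and the fixed chain."""
    return {"weak": verdict(pkt, WEAK_CHAIN), "fixed": verdict(pkt, FIXED_CHAIN)}


if __name__ == "__main__":
    for name, pkt in [("crafted telnet", CRAFTED_TELNET), ("dns tcp syn/ack", DNS_TCP_SYNACK),
                      ("dns tcp data", DNS_TCP_DATA), ("dns udp reply", DNS_UDP_REPLY),
                      ("udp to portmap", UDP_TO_OTHER)]:
        print(f"{name:16s} {compare(pkt)}")
```

The crafted telnet SYN from source port 53 is accepted by the original rule and denied by the `! -y` version, while the SYN/ACK and data packets of a DNS connection the firewall itself opened still pass. Note that ipchains is stateless: `! -y` only refuses packets that start a connection, so an ACK-only or RST probe from source port 53 still matches the rule; it stops the telnet login Julien worried about, not every packet an attacker can send from that port.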

