[EMAIL PROTECTED] wrote:

> I followed your advice for DNS and firewalling but it didn't work ... I had to
> add (after the first arrow) :
> 
> # By default, deny all services
> /sbin/ipfwadm -F -p deny

Hint: try replacing `deny' with `reject' until you get things working
correctly.

> /sbin/ipfwadm -O -p accept
> /sbin/ipfwadm -I -p accept
> 
> # Flush the existing rules
> /sbin/ipfwadm -F -f
> /sbin/ipfwadm -O -f
> /sbin/ipfwadm -I -f
> 
> # Allow DNS traffic to the 2 name servers .5 and .12
> ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 195.115.167.5
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 53 -D 195.115.167.5
> ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 195.115.167.12
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 53 -D 195.115.167.12
> 
> ---> you told me to set tcp too ...
> ---> but i had to add these following rules :
> 
> ipfwadm -F -a accept -b -P udp -S 195.115.167.5 53 -D 0.0.0.0/0
> ipfwadm -F -a accept -b -P tcp -S 195.115.167.5 53 -D 0.0.0.0/0
> ipfwadm -F -a accept -b -P udp -S 195.115.167.12 53 -D 0.0.0.0/0
> ipfwadm -F -a accept -b -P tcp -S 195.115.167.12 53 -D 0.0.0.0/0
> 
> --> Why ? -b means bi-directional, no ?

Yes.

> --> can someone tell me why ?

ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D 195.115.167.5

Is equivalent to:

ipfwadm -F -a accept -P udp -S 0.0.0.0/0 53 -D 195.115.167.5
ipfwadm -F -a accept -P udp -S 195.115.167.5 -D 0.0.0.0/0 53

And not equivalent to:

ipfwadm -F -a accept -P udp -S 0.0.0.0/0 53 -D 195.115.167.5
ipfwadm -F -a accept -P udp -S 195.115.167.5 53 -D 0.0.0.0/0

You can't guarantee that an inbound query will originate from (or need
to be sent to) port 53.

Your original rules should be sufficient for allowing you to make DNS
queries, but they won't allow others to query your DNS server unless
they use port 53.

Also, you are allowing anyone to connect to any port on your DNS
servers provided that they use port 53 as the source port.

Try the following instead:

# Allow inbound DNS queries
ipfwadm -F -a accept -b -P udp -D 195.115.167.5 53
ipfwadm -F -a accept -b -P udp -D 195.115.167.12 53
ipfwadm -F -a accept -b -P tcp -D 195.115.167.5 53
ipfwadm -F -a accept -b -P tcp -D 195.115.167.12 53

# Allow outbound DNS queries for BIND-8.*
ipfwadm -F -a accept -b -P udp -S 195.115.167.5 $PORT
ipfwadm -F -a accept -b -P udp -S 195.115.167.12 $PORT
ipfwadm -F -a accept -b -P tcp -S 195.115.167.5 $PORT
ipfwadm -F -a accept -b -P tcp -S 195.115.167.12 $PORT

The last six rules are only required if you are running BIND-8.* and
you aren't using port 53 for outbound queries (in which case you will
need to set PORT to the port which is used).

> But so far it seems ok on my 2 DNS servers ...
> 
> There are still some problems with SMTP... I will try to be clear (ugh, in English
> ...)
> I tested by "telnetting" 2 SMTP servers :
> mail.ic3w.com (running imailsix on NT) and .toto.com (running Sendmail v8)
> 
> In the Firewalling HOWTO for SMTP, to allow connections to a remote SMTP server :
> ipfwadm -F -a accept -b -P tcp -S 195.115.167.5 25 -D 0.0.0.0/0 1024:65535

This is bogus. If you want to be able to make outbound SMTP
connections from .5, use:

ipfwadm -F -a accept -P tcp -S 195.115.167.5 1024:65535 -D 0/0 25
ipfwadm -F -a accept -P tcp -k -S 0/0 25 -D 195.115.167.5 1024:65535

> But it did not work, and tcpdump on the internal interface shows :
> 
> ysaha.ic3w.net.28832 > mail.pcestablishment.com.smtp:
> mail.pcestablishment.com.smtp > ysaha.ic3w.net.28832
>                                                ^^^^^
> ---> what is this port ?
> ---> a dynamically allocated one ?

28832 is the local port from which the SMTP connection is made.

> ---> i saw some of them further (with auth)

You shouldn't block inbound ident (auth) connections using a `deny'
rule (or with a policy of deny). Use `reject' instead; otherwise your
outbound connections will hang until the inbound ident connection
times out.

> ... I set up the rule like this then :
> ipfwadm -F -a accept -b -P tcp -S 195.115.167.5 1024:65535 -D 0.0.0.0/0 25
> ---> I don't understand .28832 ?

This will allow anyone to connect to any port in the range 1024:65535
on .5 provided that they use port 25 as the source port.

If you wish to allow outbound TCP connections, you need to allow the
replies back in. However, replies will always have the ACK flag set,
whilst inbound connections won't. You can use ipfwadm's -k switch to
only match packets which have the ACK flag set (i.e. replies).

> ... it's almost OK :
> without the firewall (all rules off), the connection is immediate on both SMTP
> servers, but with the firewall, it takes a long time to the one that is running
> Sendmail. It takes almost 30 seconds ...
> The difference when the firewall is off is 2 lines like :
> 
> nnxfoo.fr.27796 > ysaha.ic3w.net.auth
> ysaha.ic3w.net.auth > nnx.foo.fr.27796

This is an inbound ident connection. When you connect to a remote
server, the server may try to connect to your ident server to find out
the username (for logging purposes). You can block these connections,
but you should use `reject' instead of `deny' (this will cause the
ident connection to fail immediately, instead of timing out).

> ---> Is there any authentication and what is this 27796 ?

27796 is the remote port from which the ident connection was made. 
Ports above 1024 are usually allocated randomly to client sockets
(however, some services do run on high-numbered ports, e.g. X runs on
6000 + n, where n is the display number).

> I had a look in /etc/services and saw "auth 113/tcp". Then I added these 2
> rules :
> 
> ipfwadm -F -a accept -b -P tcp -S 0.0.0.0/0 1024:65535 -D 195.115.167.0/25 113 
> ipfwadm -F -a accept -b -P tcp -S 195.115.167.0/25 113 -D 0.0.0.0/0 1024:65535
> 
> .. works FAR BETTER ... is it good gurus ??

No. You've opened up significant holes in your firewall. As it stands, 
anyone can make inbound connections from ports 53, 25 and 113.

You shouldn't use the remote port for controlling inbound traffic. 
Someone who wants to break into your system can use whichever port
they like.

-- 
Glynn Clements <[EMAIL PROTECTED]>
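As an added illustration (it is not part of Glynn's mail and not ipfwadm's own code), the Python below models the stateless matching behaviour the thread is about: -S/-D with optional ports, the -b swap of source and destination together with their ports, and the -k ACK-only match. 195.115.167.5 is the address from the thread; the remote host 203.0.113.9, the port numbers in the packets and the rule-set names are constructed for the example. Run it and the DNS rule keyed on a remote port of 53 accepts a packet from port 53 aimed at any service while denying an ordinary query, and the -b SMTP rule lets a fresh connection in from source port 25, which the -k pair does not.

```python
"""Toy evaluator for stateless ipfwadm-style forwarding rules.

Added example (not from the original mail): it models only the parts of
ipfwadm -F used in the thread (-S/-D with optional ports, -b, -k), so the
rule sets discussed there can be checked against constructed packets.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK set: a reply segment, not a fresh SYN


@dataclass(frozen=True)
class Rule:
    action: str               # 'accept', 'deny' or 'reject'
    proto: str
    src: str                  # CIDR or host, e.g. '0.0.0.0/0'
    sports: PortRange
    dst: str
    dports: PortRange
    bidir: bool = False       # -b: also match with src/dst (and ports) swapped
    ack_only: bool = False    # -k: match only packets with ACK set


def _in_range(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def _match_dir(rule: Rule, pkt: Packet, src, sports, dst, dports) -> bool:
    if rule.proto != pkt.proto or (rule.ack_only and not pkt.ack):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    return _in_range(sports, pkt.sport) and _in_range(dports, pkt.dport)


def matches(rule: Rule, pkt: Packet) -> bool:
    """-b swaps address and port together, which is the point made in the mail."""
    if _match_dir(rule, pkt, rule.src, rule.sports, rule.dst, rule.dports):
        return True
    return rule.bidir and _match_dir(rule, pkt, rule.dst, rule.dports, rule.src, rule.sports)


def verdict(rules, pkt: Packet, policy: str = 'deny') -> str:
    """First matching rule wins; the chain policy applies otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return policy


NS = '195.115.167.5'      # name server / mail client from the thread
ANY = '0.0.0.0/0'
REMOTE = '203.0.113.9'    # constructed remote host (TEST-NET-3)

# DNS: rule keyed on the remote port (poster's) vs on the local port (suggested).
DNS_BY_REMOTE_PORT = [Rule('accept', 'udp', ANY, (53, 53), NS, None, bidir=True)]
DNS_BY_LOCAL_PORT = [Rule('accept', 'udp', ANY, None, NS, (53, 53), bidir=True)]

# SMTP: the single -b rule from the thread vs the suggested outbound pair using -k.
SMTP_BIDIR = [Rule('accept', 'tcp', NS, (1024, 65535), ANY, (25, 25), bidir=True)]
SMTP_WITH_K = [
    Rule('accept', 'tcp', NS, (1024, 65535), ANY, (25, 25)),
    Rule('accept', 'tcp', ANY, (25, 25), NS, (1024, 65535), ack_only=True),
]


def scenarios() -> dict:
    """Verdicts for constructed packets under each rule set."""
    dns_query = Packet('udp', REMOTE, 40123, NS, 53)          # ordinary inbound query
    dns_probe = Packet('udp', REMOTE, 53, NS, 22)             # source port 53, aimed at another service
    smtp_syn = Packet('tcp', NS, 28832, REMOTE, 25)           # our outbound connection
    smtp_reply = Packet('tcp', REMOTE, 25, NS, 28832, ack=True)
    smtp_probe = Packet('tcp', REMOTE, 25, NS, 28832)         # new connection from source port 25
    return {
        'dns_query/remote_port_rule': verdict(DNS_BY_REMOTE_PORT, dns_query),
        'dns_query/local_port_rule': verdict(DNS_BY_LOCAL_PORT, dns_query),
        'dns_probe/remote_port_rule': verdict(DNS_BY_REMOTE_PORT, dns_probe),
        'dns_probe/local_port_rule': verdict(DNS_BY_LOCAL_PORT, dns_probe),
        'smtp_syn/bidir': verdict(SMTP_BIDIR, smtp_syn),
        'smtp_reply/bidir': verdict(SMTP_BIDIR, smtp_reply),
        'smtp_probe/bidir': verdict(SMTP_BIDIR, smtp_probe),
        'smtp_syn/with_k': verdict(SMTP_WITH_K, smtp_syn),
        'smtp_reply/with_k': verdict(SMTP_WITH_K, smtp_reply),
        'smtp_probe/with_k': verdict(SMTP_WITH_K, smtp_probe),
    }


if __name__ == '__main__':
    for name, result in scenarios().items():
        print(f'{name:30} {result}')
```

The model is deliberately stateless, like ipfwadm: nothing remembers that an outbound SYN went out, so the only handle on replies is the ACK flag, and any rule that instead trusts the remote port is open to whoever chooses that port.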