Nicholas J. Leon wrote:
> Ok, so recently Glynn made a comment about using the -b switch in ipfwadm
> (which also applies to ipchains). So, with an open mind I reviewed my
> firewall rules.
>
> And I noticed something :). Consider this example:
>
> ipchains -A input -j ACCEPT -i ppp+ -s 0/0 domain -p udp
>
> My philosophy behind this is since udp is connectionless, I can't use the
> '! -y' notation (SYN cleared, ACK |& FIN set) to allow replies back into
> my localnet, I have to allow for the following:
>
> local machine sends DNS request via udp from a random port to port 53 on
> an outside DNS server (no firewall rules apply, I have very few output
> chain rules).
> outside DNS server sends a reply back from port 53 to
> localhost:randomport (the above rule would allow this to happen)
>
> Now, the problem I see is that suddenly, ANY udp port locally is now
> accessible as long as it originates from port 53 on the outside. This is a
> massive security hole as far as I'm concerned.
I'd agree with that statement.
> What can be done about this? Suggestions? Comments? ... Glynn? :)
You don't generally need to accept DNS replies from arbitrary servers
on arbitrary ports.
If you run named locally, then you can use the fact that named always
uses a specific port for outbound queries (port 53 for BIND-4.*,
configurable with the `query-source address' option for BIND-8.*), and
only allow inbound UDP to that port.
If you use non-local DNS servers (e.g. those of your ISPs), then you
only need to allow inbound DNS replies from those servers.
For nslookup, you can use the `vc' option to force TCP to be used.
--
Glynn Clements <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
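As an added illustration, not part of this thread or of anything the posters wrote, the following Python model replays the three rule sets discussed above against sample packets: Nicholas's broad rule (any UDP from source port 53), Glynn's local-named variant (replies only to the port named queries from, assumed here to be 53 as for BIND-4 or a BIND-8 `query-source` setting), and Glynn's ISP-resolver variant (replies only from the configured servers). The interface name `ppp0`, the local address 10.0.0.2, the resolver address 192.0.2.53 and the other outside addresses are constructed values.

```python
"""Model of the ipchains rules from the thread above (added example, not
from the original posters).  Addresses, interface name and the local
named query-source port 53 are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _net(spec: str):
    # ipchains writes "any address" as 0/0; ipaddress needs a full prefix.
    return None if spec == "0/0" else ip_network(spec, strict=False)


@dataclass
class Rule:
    action: str                      # -j target
    iface: Optional[str] = None      # -i, "ppp+" matches ppp0, ppp1, ...
    proto: Optional[str] = None      # -p
    src: str = "0/0"                 # -s address[/mask]
    sport: Optional[int] = None      # -s ... port
    dst: str = "0/0"                 # -d address[/mask]
    dport: Optional[int] = None      # -d ... port

    def _iface_ok(self, iface: str) -> bool:
        if self.iface is None:
            return True
        if self.iface.endswith("+"):
            return iface.startswith(self.iface[:-1])
        return iface == self.iface

    def matches(self, p: Packet) -> bool:
        for net, addr in ((_net(self.src), p.src), (_net(self.dst), p.dst)):
            if net is not None and ip_address(addr) not in net:
                return False
        return (self._iface_ok(p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

    def to_ipchains(self, chain: str = "input") -> str:
        """Render the rule as the ipchains command line that would install it."""
        parts = ["ipchains", "-A", chain, "-j", self.action]
        if self.iface:
            parts += ["-i", self.iface]
        if self.proto:
            parts += ["-p", self.proto]
        parts += ["-s", self.src] + ([str(self.sport)] if self.sport is not None else [])
        parts += ["-d", self.dst] + ([str(self.dport)] if self.dport is not None else [])
        return " ".join(parts)


def evaluate(chain, p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy


# The rule from the original post: any UDP from source port 53 is accepted.
BROAD_CHAIN = [Rule("ACCEPT", iface="ppp+", proto="udp", sport=53)]

# Glynn's first option: a local named that sends queries from port 53 (BIND-4,
# or BIND-8 with query-source port 53), so replies only need to reach port 53.
NAMED_CHAIN = [Rule("ACCEPT", iface="ppp+", proto="udp", sport=53, dport=53)]

# Glynn's second option: stub resolver pointed at the ISP's servers, so only
# replies from those addresses are accepted (192.0.2.53 is a constructed value).
ISP_SERVERS = ["192.0.2.53"]
ISP_CHAIN = [Rule("ACCEPT", iface="ppp+", proto="udp", src=s, sport=53) for s in ISP_SERVERS]

# Constructed sample packets arriving on ppp0 for local host 10.0.0.2.
ISP_REPLY = Packet("ppp0", "udp", "192.0.2.53", 53, "10.0.0.2", 1025)
NAMED_REPLY = Packet("ppp0", "udp", "198.51.100.7", 53, "10.0.0.2", 53)
PROBE = Packet("ppp0", "udp", "203.0.113.9", 53, "10.0.0.2", 111)  # outsider using sport 53

if __name__ == "__main__":
    for name, chain in (("broad", BROAD_CHAIN), ("named", NAMED_CHAIN), ("isp", ISP_CHAIN)):
        print(name, [r.to_ipchains() for r in chain])
        for pname, pkt in (("isp_reply", ISP_REPLY), ("named_reply", NAMED_REPLY), ("probe", PROBE)):
            print("  ", pname, "->", evaluate(chain, pkt))
```

Running it shows the hole Nicholas describes: `PROBE`, an outside host using source port 53 to reach local UDP port 111, is accepted by the broad chain but denied by both tightened chains, while the legitimate replies each tightened chain is meant for still get through. The ISP variant relies on source addresses alone, so it is only as strong as the ingress filtering in front of it; the local-named variant narrows the exposure to a single port regardless of source.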