Manuel A. McLure wrote:
> OK, got that. With that configuration I'd have to figure out what ports are
> being used by servers and block those specifically, right?
It is preferable to deny everything except that which you specifically
wish to receive. If you don't need to accept either inbound TCP
connections or UDP packets other than DNS replies, then you should be
able to get away with as little as:
# flush the input rules
ipchains -F input
# accept IP fragments
ipchains -A input -j ACCEPT -f
# accept ICMP destination unreachable errors (so that TCP works)
ipchains -A input -j ACCEPT -p ICMP -s 0/0 destination-unreachable
# accept TCP replies (but not inbound connections)
ipchains -A input -j ACCEPT -p TCP ! -y
# accept DNS replies
ipchains -A input -j ACCEPT -p UDP -d 0/0 $NAMED
# reject (and log) everything else (do not use DENY)
ipchains -A input -j REJECT -l
Here, $NAMED is the port which named uses for querying other
nameservers. This is set with e.g.
options {
query-source address * port 54;
};
in /etc/named.conf. If you don't set it, the port will be effectively
random, which is undesirable from a firewalling viewpoint. Note that
nslookup won't work on remote DNS servers unless you use the "-vc"
switch or the "set vc" command.
--
Glynn Clements <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
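The following is an added example, not part of Glynn's post or the linux-net thread: a small Python model that walks the posted ipchains "input" chain over constructed packets, so the effect of each rule (fragments, ICMP destination-unreachable, "! -y", the DNS reply port, and the final REJECT) can be checked offline. It assumes named has been pinned to port 54 as in the query-source example above; the packets, port numbers and flag sets are all made up for the demonstration.

```python
# Added example (not from the original post): evaluate the posted ipchains
# "input" chain against constructed packets to see what a default-deny
# policy lets through. Assumes named's query-source port is pinned to 54.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

NAMED = 54  # assumption: "query-source address * port 54;" in /etc/named.conf


@dataclass(frozen=True)
class Packet:
    """Only the header fields the posted rules actually look at."""
    proto: str                               # "TCP", "UDP" or "ICMP"
    dport: Optional[int] = None              # destination port (TCP/UDP)
    fragment: bool = False                   # second-or-later IP fragment (-f)
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: Optional[str] = None          # e.g. "destination-unreachable"


def is_syn_only(pkt: Packet) -> bool:
    """ipchains -y: SYN set with ACK and FIN clear, i.e. a new inbound connection."""
    return "SYN" in pkt.tcp_flags and not ({"ACK", "FIN"} & pkt.tcp_flags)


def input_chain(pkt: Packet) -> Tuple[str, str]:
    """Apply the rules in the posted order; return (target, matching rule)."""
    if pkt.fragment:                                   # -f
        return "ACCEPT", "accept IP fragments"
    if pkt.proto == "ICMP" and pkt.icmp_type == "destination-unreachable":
        return "ACCEPT", "accept ICMP destination unreachable"
    if pkt.proto == "TCP" and not is_syn_only(pkt):    # ! -y
        return "ACCEPT", "accept TCP replies (not inbound connections)"
    if pkt.proto == "UDP" and pkt.dport == NAMED:      # -d 0/0 $NAMED
        return "ACCEPT", "accept DNS replies"
    return "REJECT", "reject (and log) everything else"  # -l would log this


# Constructed sample traffic, described from the firewall host's point of view.
SAMPLE_PACKETS: List[Tuple[str, Packet]] = [
    ("inbound SSH connection attempt",
     Packet("TCP", dport=22, tcp_flags=frozenset({"SYN"}))),
    ("SYN/ACK reply from a web server we contacted",
     Packet("TCP", dport=40123, tcp_flags=frozenset({"SYN", "ACK"}))),
    ("data segment on an established connection",
     Packet("TCP", dport=40123, tcp_flags=frozenset({"ACK"}))),
    ("DNS reply to named's pinned query port",
     Packet("UDP", dport=NAMED)),
    ("inbound DNS query to port 53 (we serve nobody)",
     Packet("UDP", dport=53)),
    ("DNS reply if query-source were left random",
     Packet("UDP", dport=1025)),
    ("ICMP destination unreachable (needed for TCP)",
     Packet("ICMP", icmp_type="destination-unreachable")),
    ("ICMP echo request",
     Packet("ICMP", icmp_type="echo-request")),
    ("second fragment of some datagram",
     Packet("UDP", dport=22, fragment=True)),
]


def verdicts() -> List[Tuple[str, str]]:
    """Run every sample packet through the chain: [(description, target), ...]."""
    return [(desc, input_chain(pkt)[0]) for desc, pkt in SAMPLE_PACKETS]


def count_rejected() -> int:
    """How many of the sample packets the chain rejects (and would log)."""
    return sum(1 for _, target in verdicts() if target == "REJECT")


if __name__ == "__main__":
    for desc, pkt in SAMPLE_PACKETS:
        target, rule = input_chain(pkt)
        print(f"{target:7} {desc:48} <- {rule}")
    print(f"{count_rejected()} of {len(SAMPLE_PACKETS)} rejected")
```

Two things the model makes visible: the UDP rule only works because the query port is pinned, so a reply to a random port (the unpinned case the post warns about) falls through to REJECT; and the fragment rule matches before any port or flag check, which is exactly how the posted chain behaves and is worth knowing when you read the REJECT log.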