Manuel A. McLure wrote:

> For the moment, I'm using a set of rules that block all TCP/UDP connections
> on ports 1023 and below

What is the significance of "port <= 1023"? There are a good many
services which run on ports > 1023 that I wouldn't want the world to
have access to.

> as well as all TCP SYN connections

The term "SYN connections" is 50% redundant. By definition, a TCP
segment with the SYN flag is always a connection, and a TCP connection
always involves a packet with the SYN flag. [PS: I'm not trying to be
pedantic, or quibble over terminology; I just feel the need to
establish this point.]

> coming from the external interface.

Depending upon how much effort you consider justified, you might want
to analyse the potential for "bounce" exploits, where an attacker uses
an internal system to forward the connection. (You go on to say that
you're using IP-masq, so this probably isn't too big an issue for
you).

> I like the idea of blocking all incoming UDP except for
> the DNS port,

Which one? 53 or named's "query-source" port?

> but since I'm using masquerading, I don't know a priori what
> port I'd need to open

If you're running a public DNS server (one which is listed in an NS
record in the global DNS hierarchy), you need to allow both UDP and
TCP (including SYN) packets to port 53 on that server.

For a private, recursive DNS server (one which local systems are
configured to use for recursive queries via, e.g., /etc/resolv.conf or
Control Panel->Network->TCP/IP->Properties->DNS Configuration), you
need to run a local DNS server, allow UDP packets to reach the port
specified by the "query-source" option in /etc/named.conf, and allow
outbound TCP connections.

To use nslookup on external DNS servers, you will have to use the
"-vc" switch or the "set vc" command (to force the use of TCP).

> I'll also be adding a rule to specifically reject all ICMP packets except
> for destination-unreachable.

Fair enough. Personally, I consider ICMP types 0, 11, 12 (echo reply,
TTL exceeded, parameter problem) to be harmless, and worth allowing
(so that I can use ping and traceroute). But allowing
destination-unreachable:fragmentation-needed (3:4) is the critical
one.

> One last question - is it better to use DENY or REJECT?

REJECT is nicer, but (with one exception) it's really a matter of
preference. The exception: Do NOT use "DENY" for "auth" (aka "ident")
connections (TCP port 113). This will most likely cause outbound
connections to hang while the server tries to perform an auth lookup
on the client.

-- 
Glynn Clements <[EMAIL PROTECTED]>
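Added example, not from the thread: a small Python model of the policy discussed above (the poster's SYN and low-port rules combined with the DNS, ICMP and ident advice in the reply), evaluated against constructed packets. The external interface name eth0, the named "query-source" port value 5353, the rule ordering and the DENY/REJECT choices are assumptions made for this model.

```python
from dataclasses import dataclass

EXT = "eth0"           # assumed name of the external interface
DNS_PORT = 53
QUERY_SOURCE = 5353    # assumed value of named's "query-source" port
IDENT_PORT = 113

@dataclass
class Packet:
    """Constructed packet summary; only the fields the policy looks at."""
    iface: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: int = 0           # destination port for tcp/udp
    syn: bool = False        # TCP SYN without ACK, i.e. a new connection
    icmp: tuple = (0, 0)     # (type, code) for icmp

def verdict(p):
    """Return ACCEPT, REJECT (drop and send an ICMP error) or DENY (silent drop)."""
    if p.iface != EXT:
        return "ACCEPT"                      # internal side is trusted here
    if p.proto == "icmp":
        t, c = p.icmp
        # echo reply, TTL exceeded, parameter problem, and the critical
        # destination-unreachable:fragmentation-needed (3:4)
        ok = t in (0, 11, 12) or (t, c) == (3, 4)
        return "ACCEPT" if ok else "DENY"
    if p.proto == "tcp" and p.dport == IDENT_PORT:
        # never DENY ident: the peer's auth lookup would hang until timeout
        return "REJECT"
    if p.proto == "udp":
        return "ACCEPT" if p.dport in (DNS_PORT, QUERY_SOURCE) else "DENY"
    if p.proto == "tcp" and p.dport == DNS_PORT:
        return "ACCEPT"                      # public server needs TCP, SYN included
    if p.proto == "tcp" and p.syn:
        return "DENY"                        # no new inbound connections
    if p.dport <= 1023:
        return "DENY"
    return "ACCEPT"                          # e.g. replies to outbound connections

def ident_lookup_outcome(v):
    """Why the reply warns against DENY on port 113: what the remote auth lookup sees."""
    return "fails immediately" if v == "REJECT" else "hangs until timeout"
```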
