[CLUE-Tech] More firewalling questions...
Brandon N
bneill at yahoo.com
Fri Feb 16 10:03:36 MST 2001
Well, from watching my traffic, here is what I can tell:

    client machine                          Bind server
    any port   ---- A? some.host.com --->   port 53
    same port  <--- A 192.168.100.1 -----   port 53
According to the Stevens book, DNS should default to UDP, only using
TCP if the packets are large.
Here is what you're doing:
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 53 -j ACCEPT
Accept packets coming from your machine to another DNS server.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
Accept the return packets from DNS Server
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 53 -j ACCEPT
Accept packets coming from your machine to another DNS Server (TCP)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
Accept the return packets as long as they aren't trying to start a new
TCP connection ("! -y" means no SYN packets; I understand why you did
that now).
However, you have not done anything to allow requests going to your
machine if it is a DNS server.
Do you have a default policy of DENY for both input and output chains?
Personally I just deny input chains, as I'm never entirely sure what
programs I may use in the future.
Brandon
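The rules Brandon quotes only cover the host as a DNS client; the message points out that nothing yet admits queries to the host if it runs a name server, and asks about the default policy. The script below is an added example, not code from the original post or from the script Brandon is reviewing: it collects the quoted client rules, adds the server-side rules for inbound port 53 (UDP and TCP), and applies a default DENY on the input chain. Interface eth0, address 192.168.100.1 (the answer seen in the capture) and the 1024:65535 unprivileged range are assumptions; set IPCHAINS=echo or pass "dry-run" to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original post. ipchains DNS rules for a host
# that is both a resolver (client) and a name server, with input default DENY.
# Assumed values below are placeholders; adjust for the real host.

IPCHAINS="${IPCHAINS:-ipchains}"             # set to "echo" for a dry run
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"   # assumption
IPADDR="${IPADDR:-192.168.100.1}"            # assumption, from the capture
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"                     # assumption: unprivileged range

# Client side: this host querying other name servers.
dns_client_rules() {
    # UDP is the normal case: query from an unprivileged port to 53, answer back.
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$IPADDR" $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p udp \
        -s $ANYWHERE 53 -d "$IPADDR" $UNPRIVPORTS -j ACCEPT
    # TCP fallback for answers too large for UDP. "! -y" on the return path
    # accepts only non-SYN packets, so port 53 on a remote host cannot use
    # these rules to open a new connection toward our unprivileged ports.
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp \
        -s "$IPADDR" $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s $ANYWHERE 53 -d "$IPADDR" $UNPRIVPORTS -j ACCEPT
}

# Server side: the part the reviewed script lacks. Queries arrive at port 53
# from any source port; replies leave from 53. New TCP connections to 53 must
# be allowed here (no "! -y" on input), our replies are never SYNs.
dns_server_rules() {
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p udp \
        -s $ANYWHERE -d "$IPADDR" 53 -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$IPADDR" 53 -d $ANYWHERE -j ACCEPT
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp \
        -s $ANYWHERE -d "$IPADDR" 53 -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s "$IPADDR" 53 -d $ANYWHERE -j ACCEPT
}

# Default policies: deny everything inbound that no rule accepts; let
# outbound through (the "deny input only" stance from the message).
apply_policy() {
    $IPCHAINS -P input DENY
    $IPCHAINS -P output ACCEPT
}

load_all() {
    apply_policy
    $IPCHAINS -F input
    $IPCHAINS -F output
    dns_client_rules
    dns_server_rules
}

# Usage: sh dns-rules.sh apply      (loads the rules, needs root)
#        sh dns-rules.sh dry-run    (prints the ipchains commands)
case "${1:-}" in
    apply)   load_all ;;
    dry-run) IPCHAINS=echo; load_all ;;
esac
```

Flush the chains before loading so re-running the script does not append duplicate rules, and run the dry-run form first to read the generated commands before touching a remote host's firewall.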
[CLUE-Tech] Re: [lug] What tweaks are done to kernels by distributors
Alan Robertson
alanr at unix.sh
Fri Feb 16 06:40:27 MST 2001
To: lug at lug.boulder.co.us
Cc: clue-tech at clue.denver.co.us
B O'Fallon wrote:
>
> In general, what tweaks do Linux distributors do to the kernel before
> releasing it in their versions of Linux? I understand that Red Hat
> does some, but do the other distributors do also? If they do tweak
> them, what kind of tweaks are done --- I couldn't find anything about
> this at the RH site.
>
> I ask this because I want to upgrade my RH 7.0 kernel to 2.2.18, which
> RH has not released under their own version. (I do not want to go to
> 2.4 right now).
>
> I was thinking of using the version available from kernel.org, but am
> wondering what kind of problems that this might cause since it is not
> RH "tweaked".
>
Red Hat and SuSE both put in about a hundred kernel patches apiece. Each
one does different things. SuSE adds features like ReiserFS, bug fixes and
lots of other enterprise features. Red Hat does similar things.
-- Alan Robertson
alanr at unix.sh