[CLUE-Tech] More firewalling questions...

Jeremiah Stanley miah at miah.org
Fri Feb 16 13:36:08 MST 2001


> Any port -----A? some.host.com ---> port 53
> same port <---- A 192.168.100.1 --- port 53

I think I understand this now. Verify my thoughts for me though. I can
request DNS information from any port (unprivileged) to port 53, then the
host on the other end has to take that info on any port from my port
53? Correct?

> According to the Stevens book, DNS should default to UDP, only using
> TCP if the packets are large. 

Damn that! It makes this sooo much harder... ;)

> Here is what you're doing:

Thanks for the rundown here, this helps a lot...

>     ipchains -A output -i $EXTERNAL_INTERFACE -p udp  \
>              -s $IPADDR $UNPRIVPORTS \
>              -d $ANYWHERE 53 -j ACCEPT
> Accept packets coming from your machine to another DNS server.

Would switching it to look like this do the trick then?

	ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
		-s $IPADDR 53 \
		-d $ANYWHERE $UNPRIVPORTS -j ACCEPT

All I really did was switch the ports on the source (-s) and destination
(-d) addresses. Translating this ipchains statement into English I would
get: In UDP on eth0, from my IP port 53 it is OK to send packets to
anybody on any port. Is that the correct way to read that?

> Accept the return packets as long as they aren't trying to start a new
> TCP connection ( !-y means no SYN packets, (I understand why you did
> that now))

I couldn't find that in any of the documentation that I've been reading (I
may have found a niche for documentation here...). Thanks for the
clarification on what that does.

> However, you have not done anything to allow requests going to your
> machine if it is a DNS server.

It was unclear to me what I was doing with this bit of ipchains script. I
think I have some idea of how to fix it now.

> Do you have a default policy of DENY for both input and output chains?
> Personally I just deny input chains, as I'm never entirely sure what
> programs I may use in the future. 

That would be fine security-wise for me, but this is more of a self-paced
learning exercise that I am torturing myself through. I am going with the
motto 'after attrition, clarity returns' so that I understand this enough
to feel comfortable putting it on my resume.

Thanks for the explanations!
Jeremiah Stanley
-- 
What this country needs is a good five cent nickel.
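To put the mirrored client and server rule sets side by side (an added example, not code from the thread): variable names follow the quoted script, the address and interface are constructed samples, and IPCHAINS defaults to echo so the rules can be read and checked without loading anything.

```shell
#!/bin/sh
# Added example: ipchains DNS rules for a host that both asks other servers
# (client) and answers queries itself (server), over UDP and the TCP fallback.
# Set IPCHAINS=/sbin/ipchains to actually load them; by default they are echoed.
IPCHAINS=${IPCHAINS:-echo}
EXTERNAL_INTERFACE=${EXTERNAL_INTERFACE:-eth0}   # constructed sample
IPADDR=${IPADDR:-192.168.100.1}                  # constructed sample
ANYWHERE=0.0.0.0/0
UNPRIVPORTS=1024:65535

dns_client_rules() {
    # Query leaves from one of our unprivileged ports to port 53 ...
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$IPADDR" $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT
    # ... and the answer comes back from port 53 to that same unprivileged port.
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p udp \
        -s $ANYWHERE 53 -d "$IPADDR" $UNPRIVPORTS -j ACCEPT
    # TCP fallback for large answers: we open the connection, so inbound
    # traffic from port 53 may never be a bare SYN (! -y), only an established flow.
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp \
        -s "$IPADDR" $UNPRIVPORTS -d $ANYWHERE 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s $ANYWHERE 53 -d "$IPADDR" $UNPRIVPORTS -j ACCEPT
}

dns_server_rules() {
    # Mirror image: queries arrive at our port 53 from any unprivileged port ...
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p udp \
        -s $ANYWHERE $UNPRIVPORTS -d "$IPADDR" 53 -j ACCEPT
    # ... and answers go back out from port 53 (the rule asked about above).
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$IPADDR" 53 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
    # TCP: remote clients open the connection to our 53 (SYN allowed inbound);
    # our side only replies, so outbound from 53 is ! -y.
    $IPCHAINS -A input -i "$EXTERNAL_INTERFACE" -p tcp \
        -s $ANYWHERE $UNPRIVPORTS -d "$IPADDR" 53 -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s "$IPADDR" 53 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
    # Note: older BIND servers send their own queries from port 53 to port 53;
    # neither set above covers that 53 <-> 53 case.
}

dns_client_rules
dns_server_rules
```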