
Re: Can't someone choose source port?



On Mon, Jan 31, 2000 at 02:35:38PM +0100, Julien Stern wrote:
> So I added the following rule on the input chain (or more
> precisely on the input chain from the outside world):
> 
> ipchains -A bad-if -p TCP --sport domain -j ACCEPT
> 
> I'm wondering if such a rule isn't very dangerous in fact.
> Suppose that a port (say telnet) is open on the firewall,
> so that I can telnet from inside, but blocked for the
> outside world. Isn't it possible to hack a telnet client
> so that it connects FROM port 53 (domain) to my telnet port?

Yes, you should only allow packets for an existing TCP connection to enter
the input rule (! -y).

> If so, what should I do? Should I specify that I only allow
> packet coming from port 53 _and_ from the addresses of
> my ISP DNSs? Even in this case, I would have to trust these
> computers. Is there a really bullet-proof setup?

You can also specify the query-port for bind 8, then you don't have to allow
all ports for the UDP part.

Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
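As an added illustration (not part of the thread), a small Python model of the two rules under discussion: the original `--sport domain` accept rule and the same rule restricted with `! -y` as Bernd suggests. The packet class and the three sample packets are constructed for this example; the flag test follows ipchains' `-y` (SYN set, ACK and FIN clear).

```python
# Added example, not code from the original thread: a toy model of how
# ipchains evaluates the two rules against TCP packets arriving from outside.
from dataclasses import dataclass

DOMAIN = 53   # --sport domain
TELNET = 23   # the service the question worries about


@dataclass(frozen=True)
class TcpPacket:
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


def is_syn_only(p: TcpPacket) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear (a connection-opening packet)."""
    return p.syn and not p.ack and not p.fin


def weak_rule(p: TcpPacket) -> bool:
    """ipchains -A bad-if -p TCP --sport domain -j ACCEPT"""
    return p.sport == DOMAIN


def hardened_rule(p: TcpPacket) -> bool:
    """ipchains -A bad-if -p TCP --sport domain ! -y -j ACCEPT"""
    return p.sport == DOMAIN and not is_syn_only(p)


# Constructed sample traffic as seen on the outside interface.
DNS_REPLY = TcpPacket(sport=53, dport=1025, ack=True)             # data from a server we queried
DNS_SYNACK = TcpPacket(sport=53, dport=1025, syn=True, ack=True)  # server answering our SYN
OUTSIDE_SYN = TcpPacket(sport=53, dport=TELNET, syn=True)         # new connection from port 53

SAMPLES = {"dns_reply": DNS_REPLY, "dns_synack": DNS_SYNACK, "outside_syn": OUTSIDE_SYN}


def evaluate(rule, packets):
    """Return {name: accepted?} for each sample packet under the given rule."""
    return {name: rule(p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, rule in (("weak", weak_rule), ("hardened", hardened_rule)):
        print(label, evaluate(rule, SAMPLES))
```

The weak rule accepts all three packets; the `! -y` rule still lets the replies to our own queries through but drops the connection attempt from port 53.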