
Re: CNAME, iptables and qmail

On Mon, 6 May 2002, Michal Melewski wrote:

> Hello
> Try to add following lines into your firewall script:
> iptables -A INPUT -p udp -i $DEV -s 0/0 --sport 53 -j ACCEPT
> iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP
> iptables -A OUTPUT -p udp -o $DEV -d 0/0 --dport 53 -j ACCEPT

This opens a gaping hole: anybody can get _any_ udp traffic to any port
through your firewall, provided it has the source port 53. Bad idea...
What about using the statefulness of the netfilter code to first let
queries out and then only let _answers_ back in?

Hint: Try reading a bit more carefully the iptables man page where it
talks about the "state" module (used by the -m state --state options).
It is the strongest point in the 2.4.x kernels' firewalling code, as
compared to 2.2.x kernels.



Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>

Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248     Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
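The difference between the quoted rules and the stateful approach the reply points to, as an added example that is not part of the original thread: a small Python model of both rulesets (the interface `$DEV` is a placeholder, and the addresses and ports are constructed).

```python
# Added example, not code from the thread: a toy model of the two UDP rulesets
# under discussion, so the difference can be checked without a kernel at hand.
# Addresses and ports are constructed (RFC 5737 documentation ranges).
#
# Quoted ("naive") rules: any inbound UDP from source port 53 is accepted.
#   iptables -A INPUT  -p udp -i $DEV --sport 53 -j ACCEPT
#   iptables -A INPUT  -p udp -i $DEV -j DROP
# Stateful rules (-m state): let the query out, let only its reply back in.
#   iptables -A OUTPUT -p udp -o $DEV --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#   iptables -A INPUT  -p udp -i $DEV -m state --state ESTABLISHED -j ACCEPT
#   iptables -A INPUT  -p udp -i $DEV -j DROP
#
# A packet is (direction, src_ip, src_port, dst_ip, dst_port); all are UDP.


def naive_input(pkt):
    """Verdict of the quoted INPUT rules for one inbound packet."""
    direction, _src, sport, _dst, _dport = pkt
    assert direction == "in"
    return "ACCEPT" if sport == 53 else "DROP"


class StatefulFirewall:
    """Stand-in for the -m state rules: a table of replies we expect.
    Real conntrack also times UDP entries out; that is omitted here."""

    def __init__(self):
        self.expected_replies = set()

    def filter(self, pkt):
        direction, src, sport, dst, dport = pkt
        if direction == "out":
            if dport != 53:
                return "DROP"  # no rule in this model matches it
            # NEW flow: remember the tuple a legitimate reply must carry
            self.expected_replies.add((dst, dport, src, sport))
            return "ACCEPT"
        # inbound is ESTABLISHED only if it mirrors a query we sent
        if (src, sport, dst, dport) in self.expected_replies:
            return "ACCEPT"
        return "DROP"


def demo():
    """(naive, stateful) verdicts for a genuine DNS reply and a rogue packet."""
    fw = StatefulFirewall()
    fw.filter(("out", "192.0.2.10", 1025, "192.0.2.53", 53))   # our query
    reply = ("in", "192.0.2.53", 53, "192.0.2.10", 1025)       # its answer
    rogue = ("in", "198.51.100.7", 53, "192.0.2.10", 31337)    # unsolicited
    return (naive_input(reply), fw.filter(reply),
            naive_input(rogue), fw.filter(rogue))
```

The naive rules accept the unsolicited packet just because its source port is 53; the stateful model accepts only the packet matching a query that actually went out.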
