
Re: CNAME, iptables and qmail

This one time, at band camp, Gary MacDougall said:
> Giacomo,
> How about an example!?!
> I'm a little surprised as to why you'd point out an exploit and
> not tell people how to fix it...
> On Mon, 6 May 2002, Michal Melewski wrote:
> > Hello
> > Try to add following lines into your firewall script:
> > iptables -A INPUT -p udp -i $DEV -s 0/0 --sport 53 -j ACCEPT
> > iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP
> > iptables -A OUTPUT -p udp -o $DEV -d 0/0 --dport 53 -j ACCEPT
> this opens a gaping hole: anybody can get _any_ udp traffic to any port
> through your firewall, provided it has the source port 53. Bad idea...
> What about using the statefulness of the netfilter code to first let
> queries out and then only let _answers_ back in?
> Hint: Try reading a bit more carefully the iptables man page where it
> talks about the "state" module (used by the -m state --state options).
> It is the strongest point in the 2.4.x kernels' firewalling code, as
> compared to 2.2.x kernels.

Something like:
# OUTPUT takes -o (outgoing interface), not -i
iptables -A OUTPUT -p udp -o $DEV -d 0/0 --dport 53 -j ACCEPT
# answers to our own queries; this must come before the catch-all DROP,
# since iptables stops at the first matching rule
iptables -A INPUT -p udp -i $DEV -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP

Unless you're serving DNS, in which case you want to let queries in as well.
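To make the difference concrete, here is a small first-match simulator of the INPUT chain, added here as an example and not part of anyone's post in this thread. It models only what the discussion needs (UDP, source port, and a conntrack table of queries we sent), with constructed sample packets, and shows why the "--sport 53" rule is a hole and why the state rule has to sit above the DROP.

```python
# Added example: simulate iptables first-match evaluation for the three
# INPUT rule sets discussed in the thread. Sample traffic is constructed.

WEAK_INPUT = [                      # the quoted rules: trust any source port 53
    {"sport": 53, "action": "ACCEPT"},
    {"action": "DROP"},
]

STATEFUL_INPUT = [                  # replies to our own queries first, then drop
    {"state": "ESTABLISHED", "action": "ACCEPT"},
    {"action": "DROP"},
]

MISORDERED_INPUT = [                # same rules with the DROP first: nothing gets in
    {"action": "DROP"},
    {"state": "ESTABLISHED", "action": "ACCEPT"},
]


def evaluate(chain, pkt, conntrack):
    """Return the verdict of the first matching rule, as iptables would."""
    for rule in chain:
        if "sport" in rule and pkt["sport"] != rule["sport"]:
            continue
        if "state" in rule:
            # A UDP packet is ESTABLISHED only if we already sent a packet
            # of the reverse flow: same remote host/port, same local port.
            flow = (pkt["src"], pkt["sport"], pkt["dport"])
            if flow not in conntrack:
                continue
        return rule["action"]
    return "ACCEPT"  # assumed default policy, as in the quoted script


def simulate(chain):
    """Verdicts for (a real DNS reply, an unsolicited packet with sport 53)."""
    # Constructed state: we sent one query to a resolver from local port 40000.
    conntrack = {("10.0.0.53", 53, 40000)}
    reply = {"src": "10.0.0.53", "sport": 53, "dport": 40000}
    # Constructed attacker packet: forged source port 53, aimed at portmapper.
    forged = {"src": "198.51.100.7", "sport": 53, "dport": 111}
    return evaluate(chain, reply, conntrack), evaluate(chain, forged, conntrack)


if __name__ == "__main__":
    for name, chain in [("weak", WEAK_INPUT), ("stateful", STATEFUL_INPUT),
                        ("misordered", MISORDERED_INPUT)]:
        print(name, simulate(chain))
```

The weak set accepts both packets, the stateful set accepts only the genuine reply, and the misordered set drops the reply too, which is the failure mode to check for after loading such a script.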
Two wrights don't make a rong, they make an airplane.  Or bicycles.
