This one time, at band camp, Gary MacDougall said:
> Giacomo,
>
> How about an example!?!
>
> I'm a little surprised as to why you'd point out an exploit and
> not tell people how to fix it...
>
> On Mon, 6 May 2002, Michal Melewski wrote:
>
> > Hello
> > Try to add the following lines into your firewall script:
> > iptables -A INPUT -p udp -i $DEV -s 0/0 --sport 53 -j ACCEPT
> > iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP
> > iptables -A OUTPUT -p udp -i $DEV -d 0/0 --dport 53 -j ACCEPT
>
> this opens a gaping hole: anybody can get _any_ udp traffic to any port
> through your firewall, provided it has the source port 53. Bad idea...
> What about using the statefulness of the netfilter code to first let
> queries out and then only let _answers_ back in?
>
> Hint: Try reading a bit more carefully the iptables man page where it
> talks about the "state" module (used by the -m state --state options).
> It is the strongest point in the 2.4.x kernels' firewalling code, as
> compared to 2.2.x kernels.

Something like:

    # Let DNS queries out (the OUTPUT chain matches on -o, not -i)
    iptables -A OUTPUT -p udp -o $DEV -d 0/0 --dport 53 -j ACCEPT
    # Accept replies to tracked flows before the catch-all UDP drop
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Drop all other inbound UDP
    iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP

Unless you're serving DNS, in which case you want to let queries in as well.

HTH,
Steve

-- 
Two wrights don't make a rong, they make an airplane. Or bicycles.
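
Added example, not part of the original thread: a toy Python model of the two INPUT policies discussed above, run over constructed packets, showing which inbound UDP each one accepts. The Packet and Conntrack classes, the addresses and the ports are assumptions made for illustration; real netfilter connection tracking also applies timeouts, which this model leaves out.

```python
"""Toy model of the thread's two INPUT policies; constructed, not netfilter itself."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewalled host
    src: str
    sport: int
    dst: str
    dport: int

class Conntrack:
    """Minimal stand-in for UDP connection tracking: remembers outbound flows."""
    def __init__(self):
        self.flows = set()

    def note_outbound(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def is_reply(self, p):
        # ESTABLISHED only if the inbound packet mirrors a recorded outbound flow.
        return (p.dst, p.dport, p.src, p.sport) in self.flows

def stateless_input(p):
    """Policy from the quoted script: accept any UDP whose source port is 53."""
    return "ACCEPT" if p.sport == 53 else "DROP"

def stateful_input(p, ct):
    """Policy suggested in the reply: accept only replies to tracked flows."""
    return "ACCEPT" if ct.is_reply(p) else "DROP"

def run(packets):
    """Return (stateless, stateful) verdicts for each inbound packet, in order."""
    ct, verdicts = Conntrack(), []
    for p in packets:
        if p.direction == "out":
            if p.dport == 53:  # OUTPUT rule: DNS queries may leave
                ct.note_outbound(p)
            continue
        verdicts.append((stateless_input(p), stateful_input(p, ct)))
    return verdicts

# Constructed sample traffic using documentation address ranges.
HOST, RESOLVER, OTHER = "192.0.2.10", "198.51.100.53", "203.0.113.7"
SAMPLE = [
    Packet("out", HOST, 40000, RESOLVER, 53),  # our DNS query
    Packet("in", RESOLVER, 53, HOST, 40000),   # the matching answer
    Packet("in", OTHER, 53, HOST, 2049),       # unsolicited, source port 53
    Packet("in", OTHER, 4444, HOST, 2049),     # unsolicited, other source port
]
if __name__ == "__main__":
    print(run(SAMPLE))
```

Both policies accept the genuine answer; only the stateless one accepts the unsolicited packet that merely has source port 53.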