
RE: CNAME, iptables and qmail



Giacomo,

How about an example!?!

I'm a little surprised as to why you'd point out an exploit and
not tell people how to fix it...

Thanks,
Gary

-----Original Message-----
From: Giacomo Mulas [mailto:gmulas@ca.astro.it]
Sent: Tuesday, May 07, 2002 3:48 AM
To: Michal Melewski
Cc: debian-security@lists.debian.org
Subject: Re: CNAME, iptables and qmail


On Mon, 6 May 2002, Michal Melewski wrote:

> Hello
> Try to add following lines into your firewall script:
> iptables -A INPUT -p udp -i $DEV -s 0/0 --sport 53 -j ACCEPT
> iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP
> iptables -A OUTPUT -p udp -o $DEV -d 0/0 --dport 53 -j ACCEPT

this opens a gaping hole: anybody can get _any_ udp traffic to any port
through your firewall, provided it has the source port 53. Bad idea...
What about using the statefulness of the netfilter code to first let
queries out and then only let _answers_ back in?

Hint: Try reading a bit more carefully the iptables man page where it
talks about the "state" module (used by the -m state --state options).
It is the strongest point in the 2.4.x kernels' firewalling code, as
compared to 2.2.x kernels.

Bye
Giacomo

--
_________________________________________________________________

Giacomo Mulas <gmulas@ca.astro.it, giacomo.mulas@tin.it>
_________________________________________________________________

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248     Fax : +39 070 71180 222
_________________________________________________________________

"When the storms are raging around you, stay right where you are"
                         (Freddie Mercury)
_________________________________________________________________


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org




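For the stateful variant Giacomo hints at, here is an added example (not code from either poster): the same three rules, but the inbound side only accepts UDP that conntrack recognises as the answer to a query this host sent. `$DEV` is the interface variable from Michal's script; the dry-run default (`IPT` prints the commands instead of applying them) is this example's own convention, and on current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: IPT echoes the
# commands. Run with IPT=iptables (as root) to actually load the rules.
IPT="${IPT:-echo iptables}"

# dns_rules DEV: let our own DNS queries out and only their answers back in.
dns_rules() {
    dev="$1"
    # A query leaving on $dev creates a conntrack entry (state NEW).
    $IPT -A OUTPUT -o "$dev" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Only UDP from port 53 that matches an existing entry, i.e. the reply
    # to one of our queries, is accepted. An unsolicited packet that merely
    # carries source port 53 has no conntrack entry and falls through.
    $IPT -A INPUT -i "$dev" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    # Everything else arriving over UDP on $dev is dropped.
    $IPT -A INPUT -i "$dev" -p udp -j DROP
}

dns_rules "${DEV:-eth0}"
```

Compare the INPUT rule with Michal's: his accepts any sport-53 UDP datagram; this one accepts a datagram only while a matching outbound query is in the conntrack table.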


