ramin at cannon
Jul 24, 2001, 8:16 AM
Post #3 of 4
On Tue, Jul 24, 2001 at 03:33:38PM +0100, Nigel Morse wrote:
> DNS can use tcp for large packets I believe. Personally I would never run DNS
> on a firewall.
> However for TCP you could use stateful rule for the replies, and only allow
> the connect packets IN from local net or OUT to outside world - i.e. block
> tcp connect packets to 53 from outside.
I'd use stateful rules for both TCP and UDP. In other words, one should come
up with the *exact* scenario as to what's _required_ to be open (both src/dst
ip/port) and in what _state_. God bless netfilter and its statefulness...
> I never said these rules were safe, just that they would work!
> > Similar ones for TCP? You mean if I bind the port of my
> > telnet client to
> > port 53, then I can have a free ride on your firewall?
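An added illustration of the stateful approach discussed above (example script, not posted by anyone in this thread): conntrack accepts only replies to queries the LAN started, so a packet that merely comes *from* port 53 is not accepted on that basis. It assumes a firewall that forwards for 192.168.1.0/24 on eth1 with eth0 facing the outside, and the iptables `state` match; the interface and network names are placeholders.

```shell
#!/bin/sh
# Stateful DNS rules for a netfilter box that forwards for a LAN and does not
# itself run a resolver. Assumed layout (placeholders): LAN 192.168.1.0/24
# behind eth1, outside world on eth0. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"
IN_IF="${IN_IF:-eth1}"
OUT_IF="${OUT_IF:-eth0}"

dns_rules() {
    # Default deny: anything not explicitly listed below is dropped.
    $IPT -P FORWARD DROP

    # Replies to tracked queries (UDP and TCP alike) are accepted because
    # conntrack already knows about them, not because of their source port.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    for proto in udp tcp; do
        # Only the LAN may open a NEW DNS conversation, and only outbound.
        $IPT -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAN" -p "$proto" --dport 53 \
            -m state --state NEW -j ACCEPT
        # A NEW packet arriving from outside with dst or src port 53 is dropped:
        # binding a client to port 53 buys nothing against a stateful rule.
        $IPT -A FORWARD -i "$OUT_IF" -p "$proto" --dport 53 -m state --state NEW -j DROP
        $IPT -A FORWARD -i "$OUT_IF" -p "$proto" --sport 53 -m state --state NEW -j DROP
        # The firewall host itself serves no DNS, so the same applies to INPUT.
        $IPT -A INPUT -i "$OUT_IF" -p "$proto" --dport 53 -m state --state NEW -j DROP
    done
}

# Usage: "sh dns-rules.sh dry-run" prints the rules; "sh dns-rules.sh apply"
# loads them (as root). With no argument the functions are only defined.
case "${1:-}" in
    apply)   dns_rules ;;
    dry-run) IPT=echo dns_rules ;;
esac
```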