Mailing List Archive: iptables: User

RE: problem with dns

Index | Next | Previous | View Threaded

ramin at cannon

Jul 24, 2001, 7:15 AM

Post #1 of 4 (899 views)
Permalink

RE: problem with dns

>
> Just have rules for udp and tcp that allow connections in and out on ports
> 53
>
> eg. (for udp)
>
> # Allow iternal clients to access this DNS box
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> iptables -A OUPUT -p udp --sport 53 -j ACCEPT
>
> # Allow this box to ask ROOT servers...
> iptables -A INPUT -p udp --sport 53 -j ACCEPT
> iptables -A OUPUT -p udp --dport 53 -j ACCEPT
>
> add similar ones for tcp.

Similar ones for TCP? You mean if I bind the port of my telnet client to
port 53, then I can have a free ride on your firewall?

Ramin

>
> Cheers
> Nigel

N.Morse at hyperknowledge

Jul 24, 2001, 7:33 AM

Post #2 of 4 (854 views)
Permalink

RE: problem with dns [In reply to]

DNS can use tcp for large packets I belive. Personally I would never run DNS
on a firewall.

However for TCP you could use stateful rule for the replies, and only allow
the connect packets IN from local net or OUT to outside world - i.e. block
tcp connect packets to 53 from outside.

I never said these rules were safe, just that they would work!

> Similar ones for TCP? You mean if I bind the port of my
> telnet client to
> port 53, then I can have a free ride on your firewall?

ramin at cannon

Jul 24, 2001, 8:16 AM

Post #3 of 4 (847 views)
Permalink

Re: problem with dns [In reply to]

On Tue, Jul 24, 2001 at 03:33:38PM +0100, Nigel Morse wrote:

> DNS can use tcp for large packets I belive. Personally I would never run DNS
> on a firewall.
>
> However for TCP you could use stateful rule for the replies, and only allow
> the connect packets IN from local net or OUT to outside world - i.e. block
> tcp connect packets to 53 from outside.

I'd use stateful rules for both TCP and UDP. In other words, one should come
up with the *exact* senario as to what's _required_ to be open (both src/dst
ip/port) and in what _state_. God bless netfilter and its statefulness...

Ramin

> I never said these rules were safe, just that they would work!
>
> > Similar ones for TCP? You mean if I bind the port of my
> > telnet client to
> > port 53, then I can have a free ride on your firewall?

N.Morse at hyperknowledge

Jul 24, 2001, 8:21 AM

Post #4 of 4 (857 views)
Permalink

RE: problem with dns [In reply to]

> I'd use stateful rules for both TCP and UDP. In other words,
> one should come
> up with the *exact* senario as to what's _required_ to be
> open (both src/dst
> ip/port) and in what _state_. God bless netfilter and its
> statefulness...

yes, you're right - and my own firewall script does exactly that! Should
have stopped and thought before banging out my advice!

Cheers
Nigel

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads