Mailing List Archive

RE: problem with dns
>
> Just have rules for udp and tcp that allow connections in and out on port
> 53
>
> eg. (for udp)
>
> # Allow internal clients to access this DNS box
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
>
> # Allow this box to ask ROOT servers...
> iptables -A INPUT -p udp --sport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>
> add similar ones for tcp.

Similar ones for TCP? You mean if I bind the port of my telnet client to
port 53, then I can have a free ride on your firewall?

Ramin

>
> Cheers
> Nigel
RE: problem with dns [ In reply to ]
DNS can use tcp for large packets I believe. Personally I would never run DNS
on a firewall.

However for TCP you could use a stateful rule for the replies, and only allow
the connect packets IN from local net or OUT to outside world - i.e. block
tcp connect packets to 53 from outside.

I never said these rules were safe, just that they would work!

> Similar ones for TCP? You mean if I bind the port of my
> telnet client to
> port 53, then I can have a free ride on your firewall?
Re: problem with dns [ In reply to ]
On Tue, Jul 24, 2001 at 03:33:38PM +0100, Nigel Morse wrote:

> DNS can use tcp for large packets I believe. Personally I would never run DNS
> on a firewall.
>
> However for TCP you could use a stateful rule for the replies, and only allow
> the connect packets IN from local net or OUT to outside world - i.e. block
> tcp connect packets to 53 from outside.

I'd use stateful rules for both TCP and UDP. In other words, one should come
up with the *exact* scenario as to what's _required_ to be open (both src/dst
ip/port) and in what _state_. God bless netfilter and its statefulness...

Ramin

> I never said these rules were safe, just that they would work!
>
> > Similar ones for TCP? You mean if I bind the port of my
> > telnet client to
> > port 53, then I can have a free ride on your firewall?
RE: problem with dns [ In reply to ]
> I'd use stateful rules for both TCP and UDP. In other words,
> one should come
> up with the *exact* scenario as to what's _required_ to be
> open (both src/dst
> ip/port) and in what _state_. God bless netfilter and its
> statefulness...

yes, you're right - and my own firewall script does exactly that! Should
have stopped and thought before banging out my advice!

Cheers
Nigel
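The stateful rule set Ramin and Nigel settle on, as an added example that is not from the thread: a POSIX shell function that emits iptables rules for a resolver running on the firewall box itself. It assumes a LAN of 192.168.1.0/24 (constructed) and the conntrack match; IPT defaults to "echo iptables" so the rules are printed rather than applied.

```shell
#!/bin/sh
# Stateful DNS rules for a box that is both resolver and firewall.
# IPT defaults to a dry run (prints the commands); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN="192.168.1.0/24"    # constructed placeholder for the internal network

dns_rules() {
    # Default deny in both directions: only the flows listed below are open.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP

    # Replies are admitted only when conntrack already knows the flow.
    # A fresh packet from outside with source port 53 (the "telnet client
    # bound to 53" trick) belongs to no tracked flow and hits the DROP policy.
    $IPT -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    for proto in udp tcp; do
        # NEW queries may come in only from the LAN, to port 53 on this box.
        $IPT -A INPUT  -p "$proto" -s "$LAN" --dport 53 \
             -m conntrack --ctstate NEW -j ACCEPT
        # NEW queries may go out from this box to upstream/root servers.
        $IPT -A OUTPUT -p "$proto" --dport 53 \
             -m conntrack --ctstate NEW -j ACCEPT
    done
}

dns_rules
```

Compared with the quoted rules, nothing here accepts on `--sport 53` without a conntrack state, which is the hole Ramin points out.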