Re: [cobalt-users] RaQ4: How to prevent by-passing firewall rules by sending UDP:53
- Subject: Re: [cobalt-users] RaQ4: How to prevent by-passing firewall rules by sending UDP:53
- From: "Al-Juhani" <aljuhani@xxxxxxxxx>
- Date: Mon Jan 26 19:32:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> > Hi,
> >
> > It sounds like you're allowing incoming UDP port 53 packets FROM ANYWHERE to
> > any other port.
> >
> > Change your firewall rules so that they are only allowed from the external
> > DNS server(s) you use.
> >
> > ipchains -A input -p udp -s <REMOTE DNS SERVER IP> 53 -j ACCEPT
> > ipchains -A input -p udp -s 0/0 53 -j DENY
> >
> >
> > If this is not an option, for example if you run your own dns, change the
> > rules to allow UDP 53 packets only to UDP 53 on your server.
> >
> > ipchains -A input -p udp -s 0/0 53 -d <YOUR IP> 53 -j ACCEPT
> > ipchains -A input -p udp -s 0/0 53 -j DENY
> >
> > I constructed these ipchains rules from memory, so check the syntax before
> > you use ;)
> >
> > Regards
> >
>
> Ian is correct - but remember, if you run your own dns, then the "root"
> servers have to be able to "see" you (your dns) or you "die" (disappear from
> the net). You pretty much "have" to allow inbound destination port 53 (that
> is people calling you for name service) and have to allow outbound temp (high
> order ports - so your dns can answer) but can chop most other (again,
> depending upon what services you run).
>
>
> --
> Larry Smith
> SysAd ECSIS.NET
> sysad@xxxxxxxxx
Many thanks to Ian and Larry for their help ...
I applied the following rules:
ipchains -A input -p udp -s My-Name-Server-1 53 -j ACCEPT
ipchains -A input -p udp -s My-Name-Server-2 53 -j ACCEPT
ipchains -A input -p udp -s 0/0 53 -j DENY
and it worked BUT the downside I was unable to connect pop3 and ftp so I
just flushed the rules and enabled logging.
I tried again to pop3 and found from the logs that the ISP I'm using sends
tcp traffic through their DNS IP with source port UDP 53 and as a result it
gets blocked ..
Well, either I have to disable the third rule which is not what I want or
allow my ISP DNS to have access similar to the one granted to my own DNS!!
..
But then we have a 150+ plus ISPs within the country that I have to give
access to their DNS source port 53 to enable our users check their POP3
accounts...
Http traffic works normally with no problems.
Thanks
Al-Juhani
aljuhani@xxxxxxxxx
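The rule sets in this thread can be checked offline with a small model of the ipchains `input` chain. The script below is an added example written for this archive page; it is not code from the Cobalt list, the RaQ, or any of the posters. It parses the subset of ipchains syntax the thread uses (`-A input`, `-p`, `-s ADDR [PORT]`, `-d ADDR [PORT]`, `-j`), applies ipchains' first-match semantics with the chain's default policy, and runs the three rules Al-Juhani applied against sample packets. The IP addresses (`NS1`, `NS2`, `RAQ`, and the ISP and unknown hosts) are constructed placeholders from documentation ranges standing in for `My-Name-Server-1`, `My-Name-Server-2` and the RaQ. The results reproduce the trade-off the thread reports: the final `-s 0/0 53 -j DENY` stops any host from reaching other UDP ports by choosing source port 53, but it also drops UDP replies from resolvers that are not on the allow list, and it says nothing about TCP at all because every rule is `-p udp`.

```python
"""Toy model of the ipchains `input` chain for the rules discussed in the thread.

Added example, not RaQ or Cobalt code. Only the ipchains options used in the
thread are modelled. All addresses are constructed placeholders.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT or DENY
    proto: Optional[str] = None  # None means any protocol
    src: Optional[str] = None    # host or CIDR; None or "0/0" means any
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return _in_net(p.src, self.src) and _in_net(p.dst, self.dst)


def _in_net(addr: str, spec: Optional[str]) -> bool:
    """ipchains treats an omitted -s/-d, or 0/0, as matching any address."""
    if spec is None or spec == "0/0":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one `ipchains -A input ...` line into a Rule (thread's subset only)."""
    argv = shlex.split(line)
    if argv[:3] != ["ipchains", "-A", "input"]:
        raise ValueError("only 'ipchains -A input' rules are modelled")
    fields = {}
    i = 3
    while i < len(argv):
        flag = argv[i]
        if flag == "-p":
            fields["proto"] = argv[i + 1]
            i += 2
        elif flag == "-j":
            fields["target"] = argv[i + 1]
            i += 2
        elif flag in ("-s", "-d"):
            addr_key, port_key = ("src", "sport") if flag == "-s" else ("dst", "dport")
            fields[addr_key] = argv[i + 1]
            i += 2
            # ipchains lets a bare port number follow the address
            if i < len(argv) and argv[i].isdigit():
                fields[port_key] = int(argv[i])
                i += 1
        else:
            raise ValueError(f"unsupported ipchains option: {flag}")
    return Rule(**fields)


def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain's default policy applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# Constructed placeholders: the two name servers the RaQ resolves through, and the RaQ itself.
NS1, NS2, RAQ = "192.0.2.53", "192.0.2.54", "198.51.100.10"

# The three rules Al-Juhani reports applying, with placeholders substituted.
APPLIED_RULES = [parse_rule(line) for line in (
    f"ipchains -A input -p udp -s {NS1} 53 -j ACCEPT",
    f"ipchains -A input -p udp -s {NS2} 53 -j ACCEPT",
    "ipchains -A input -p udp -s 0/0 53 -j DENY",
)]


def check_applied_rules() -> dict:
    """Evaluate the applied rules against constructed sample packets."""
    samples = {
        # DNS reply from a listed resolver to the RaQ's ephemeral port
        "reply_from_own_ns":   Packet("udp", NS1, 53, RAQ, 1025),
        # unknown host using source port 53 to reach POP3: the bypass the subject line is about
        "udp_sport53_to_pop3": Packet("udp", "203.0.113.9", 53, RAQ, 110),
        # DNS reply from an ISP resolver that is not on the allow list
        "reply_from_isp_ns":   Packet("udp", "203.0.113.53", 53, RAQ, 1026),
        # TCP from source port 53 is never examined, since every rule is -p udp
        "tcp_sport53_to_pop3": Packet("tcp", "203.0.113.9", 53, RAQ, 110),
    }
    return {name: verdict(APPLIED_RULES, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, v in check_applied_rules().items():
        print(f"{name:24s} {v}")
```

Running it prints ACCEPT for the reply from a listed resolver, DENY for both the source-port-53 packet aimed at POP3 and the reply from the unlisted ISP resolver, and ACCEPT for the TCP packet. The last two lines are the practical point: a rule keyed on a source port the remote side chooses can only be tightened by also matching on what the packet is for (the destination address and port, as in Ian's `-d <YOUR IP> 53` variant), and a `-p udp` chain offers no protection against the same trick over TCP.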