Mailinglist Archive: opensuse-security (487 mails)
Re: [suse-security] UDP wide open?!?!?
- From: Togan Muftuoglu <toganm@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 31 Oct 2002 02:00:13 +0200
- Message-id: <20021031000013.GF26538@xxxxxxxxxxxx>
* Anders Johansson; <andjoh@xxxxxxxxxx> on 31 Oct, 2002 wrote:
> On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:
> > Sorry Anders, but I can not make it out from the script. Where do you read
> > this in the code for this interpretation? My understanding is the other
> > way around: here you need to place ports >1023.

OK, just to make this clear so I can have the documentation accordingly:

> > [Dd][Nn][Ss])
> >     OPEN_DNS=yes
> > test "$OPEN_DNS" = yes && {
> >     test -z "$NAMESERVERS" && \
> >         echo 'Warning: No nameservers in /etc/resolv.conf!'
> >     for k in $NAMESERVERS; do
> >         test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do
> >             $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535

This is the case when [Dd][Nn][Ss] matches, i.e. FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS",
which is the default in the config file. Then it reads the $NAMESERVERS array,
which holds the nameservers listed in /etc/resolv.conf, and for each of them
except 127.0.0.1 allows the connection. For example, when I have 212.156.4.4 in
my /etc/resolv.conf, this code becomes

$LAA $IPTABLES -A $CHAIN -j $LOG ${LOG}"-ACCEPT" -p udp -s 212.156.4.4 --sport 53 --dport 1024:65535

> >             # guess this has to be state NEW because the outgoing packet was not seen when
> >             # doing autodialing... XXX - or?
> >             $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535
> >         done
> >     done
> > }

Again, $k would be 212.156.4.4 in this case.

> > Maybe I am mistaken
>
> The documentation in the SuSEfirewall2 script seems to be wrong. It should be
> "dns" not "domain", and ntp doesn't seem to be supported (at least I can't
> find it)

No, "domain" is correct; just do a grep dns /etc/services.

Now for the second part, where the FW_ALLOW_INCOMING_UDP ports are used: I'll
look at the {input_int} chains and try to follow on from there. So this part
is still not clear.
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
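The rule generation Togan walks through above, as an added example that is not part of the original mail and not SuSEfirewall2's own code. It models only the [Dd][Nn][Ss] branch: it takes resolv.conf contents as a string (a constructed sample, where the real script reads /etc/resolv.conf), skips 127.0.0.1 exactly as the quoted loop does, and prints the resulting iptables ACCEPT rules instead of executing them, so it can be run offline without root. The LOG rule and the other values of FW_ALLOW_INCOMING_HIGHPORTS_UDP are left out; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2's own code: models what the quoted
# [Dd][Nn][Ss] branch does for FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS", but
# prints the iptables commands instead of executing them, so it runs offline
# without root. Assumptions: resolv.conf contents are passed in as a string
# (the real script reads /etc/resolv.conf), the LOG rule is omitted, and
# values of the setting other than "DNS" are simply not handled here.

# Build the $NAMESERVERS list from resolv.conf text: the address after each
# "nameserver" keyword, one per line.
parse_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Print one ACCEPT rule per (nameserver, chain), skipping 127.0.0.1 exactly as
# the quoted loop does. The match is: UDP, from the nameserver address,
# source port 53, to any unprivileged local port (1024:65535).
dns_highport_rules() {
    setting="$1"   # value of FW_ALLOW_INCOMING_HIGHPORTS_UDP
    resolv="$2"    # resolv.conf contents
    case "$setting" in
        [Dd][Nn][Ss]) ;;   # the case-insensitive "DNS" branch from the script
        *) return 0 ;;     # other values are handled elsewhere in the real script
    esac
    nameservers=$(parse_nameservers "$resolv")
    if [ -z "$nameservers" ]; then
        echo 'Warning: No nameservers in /etc/resolv.conf!' >&2
        return 0
    fi
    for k in $nameservers; do
        [ "$k" = 127.0.0.1 ] && continue
        for CHAIN in input_int input_dmz input_ext; do
            echo "iptables -A $CHAIN -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535"
        done
    done
}

# Constructed sample resolv.conf: the local resolver is skipped, the remote
# one (the address from the mail) yields three rules, one per input chain.
SAMPLE_RESOLV='search example.test
nameserver 127.0.0.1
nameserver 212.156.4.4'

dns_highport_rules DNS "$SAMPLE_RESOLV"
```

Running it prints three rules for 212.156.4.4, one per input chain, and nothing for 127.0.0.1. Note what the match actually keys on: source address, source port 53 and a high destination port, with NEW allowed alongside ESTABLISHED and RELATED (the script's comment explains why, for the autodialing case), so any UDP datagram carrying the nameserver's address and source port 53 is accepted, not only replies to queries the host sent.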