Mailinglist Archive: opensuse-security (256 mails)

Re: [suse-security] How to replace FW_ALLOW_INCOMING_HIGHPORTS_UDP?
  • From: Markus Feilner <lists@xxxxxxxxxxxxxx>
  • Date: Sat, 5 Feb 2005 21:07:58 +0100
  • Message-id: <200502052107.58212.lists@xxxxxxxxxxxxxx>
On Saturday, 5 February 2005 02:47, Paul Elliott wrote:
> On Fri, Feb 04, 2005 at 01:06:36PM +0100, Markus Feilner wrote:
> > Well, you can use a custom script and add your own rules -
> > learning this will provide you with the ability to allow/forbid any
> > service/traffic you like, independent from SuSEfirewall's
> > capabilities...
> > But I would advise you to use a local caching-only dns server -
> > setup is very easy with suse - it's in the handbook. Then open dns
> > ports on your server to the internal net and that's it. The
> > advantages are (a little) fewer dialups, probably faster dns name
> > resolution, and one type of connection less from your internal PCs
> > to the internet. Furthermore, you can control the dns-resolution
> > centrally.
> > Did that help?
>
> Does this mean that there is no easy way with SuSEfirewall2, to
> allow hosts on the internal network to use specific dns servers
> on the external network?
Sure there is. But why would you? Is there a necessity?

- The easiest way is a caching-only dns server. definitely. RTFM + five
minutes.
- The second easiest is adding three (or four) lines of iptables to a
custom script.
- The third way is to read about SuSEfirewall and add the right source
IP/ destination IP/protocol/port to FW_FORWARD, and
FW_ALLOW_INCOMING_HIGHPORTS_UDP opening the right ports in
external/internal udp (port 53) and check if it works.

But:
The third solution needs as much reading as the others, but it doesn't get
you that far. ;-).

The first solution is the most secure one (beat me if I'm telling
nonsense, list... ;-)
--
Kind regards
Markus Feilner
---------------------------
Please note our new address details! Thank you.
---------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092
mail mfeilner@xxxxxxxxxxxxxx web http://www.feilner-it.net
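The "three (or four) lines of iptables" from the second option above, written out as an added example (not code from the thread or from SuSEfirewall2 itself). It goes slightly beyond the post by covering TCP as well as UDP on port 53 and by using connection tracking for the replies, so only answers to queries the internal net actually sent are let back in, instead of opening high UDP ports wholesale. Interface names, the internal net and the resolver addresses are constructed placeholders, and the hook function name is an assumption about SuSEfirewall2's custom script.

```shell
#!/bin/sh
# Added example: FORWARD rules letting internal hosts query specific external
# DNS servers only. All addresses and interface names below are placeholders.

# Emit the rules as text so they can be reviewed (or tested) before being run.
# Args: internal iface, external iface, internal net, then one or more resolver IPs.
dns_forward_rules() {
    int_if=$1; ext_if=$2; int_net=$3; shift 3
    for dns in "$@"; do
        for proto in udp tcp; do
            # Queries: internal net -> this resolver, port 53 only.
            echo "iptables -A FORWARD -i $int_if -o $ext_if -p $proto -s $int_net -d $dns --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
            # Answers: only for connections conntrack has already seen go out.
            echo "iptables -A FORWARD -i $ext_if -o $int_if -p $proto -s $dns --sport 53 -d $int_net -m state --state ESTABLISHED -j ACCEPT"
        done
    done
}

# Number of rules that would be installed: a quick sanity check before applying.
dns_rule_count() {
    dns_forward_rules "$@" | wc -l | tr -d ' '
}

# Apply for real (needs root). Meant to be called from a SuSEfirewall2 custom
# hook, e.g. fw_custom_before_port_handling in
# /etc/sysconfig/scripts/SuSEfirewall2-custom (hook name assumed, check your version).
apply_dns_forward_rules() {
    dns_forward_rules "$@" | while read -r rule; do
        eval "$rule"
    done
}

# Example call (placeholders): eth1 = internal, ppp0 = dialup, two external resolvers.
# apply_dns_forward_rules eth1 ppp0 192.168.1.0/24 198.51.100.53 198.51.100.54
```

Preview with `dns_forward_rules eth1 ppp0 192.168.1.0/24 198.51.100.53` before enabling the apply call; note that SuSEfirewall2 must also be told to forward between the two interfaces for these rules to be reached.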
