Mailinglist Archive: opensuse-security (256 mails)

Re: [suse-security] How to replace FW_ALLOW_INCOMING_HIGHPORTS_UDP?
  • From: Markus Feilner <lists@xxxxxxxxxxxxxx>
  • Date: Fri, 4 Feb 2005 13:06:36 +0100
  • Message-id: <200502041306.37107.lists@xxxxxxxxxxxxxx>
On Friday, 4 February 2005, 06:38, Paul Elliott wrote:
> Ok, I have a dialup connection to the internet.
> I want to let hosts on my internal net use my ISP's domain name
> service.
>
> For 9.1 I had:
>
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"
>
> But in 9.2 the startup process complained about this line
> so I commented it out in SuSEfirewall2.
>
> Now of course, attempts by hosts on my internal net to
> use dns fail and lines like this appear in /var/log/messages:
>
> Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
> Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10
>
> 192.168.86.4 is a host on my internal net and
> 199.170.88.10 and 199.170.88.29 are my ISP's dns servers!
>
> I believe the log entries are complaining about a UDP packet that
> was trying to go from my ISP's domain name service to a host
> on my internal net.
>
> Now that FW_ALLOW_INCOMING_HIGHPORTS_UDP is not allowed, how
> do I allow packets like this to go through?
>
> Thank You.
Well, you can use a custom script and add your own rules - learning
this will provide you with the ability to allow/forbid any
service/traffic you like, independent of SuSEfirewall's
capabilities...
But I would advise you to use a local caching-only DNS server - setup is
very easy with SUSE - it's in the handbook. Then open the DNS ports on your
server to the internal net and that's it. The advantages are (a little)
fewer dialups, probably faster DNS name resolution, and one type of
connection less from your internal PCs to the internet. Furthermore,
you can control the DNS resolution centrally.
Did that help?
--
Kind regards
Markus Feilner
---------------------------
Please note our new address details! Thank you.
---------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
phone +49 941 9465243 fax +49 941 9465244 mobile +49 170 3027092
mail mfeilner@xxxxxxxxxxxxxx web http://www.feilner-it.net
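An added example, not part of the thread: a small Python parser for the SFW2 log entries quoted in the question, run over those two lines embedded as constructed sample input (the second one truncated exactly as it appears in the post). It pulls out the chain, action and packet fields so that the direction and service of the dropped UDP/53 traffic can be read off before any firewall rule is changed; the internal-network prefix used for the direction check is an assumption taken from the addresses in the post.

```python
import re

# Constructed sample: the two SFW2 entries quoted above, one per line.
# The second entry is cut short in the post, so it lacks PROTO/SPT/DPT.
SAMPLE_LOG = """\
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10
"""

# SuSEfirewall2 log prefix: SFW2-<chain>-<action>-<rule>, e.g. SFW2-FWDint-DROP-DEFLT
PREFIX_RE = re.compile(r"SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)-(?P<rule>[A-Z]+)")
# Netfilter KEY=value fields that follow the prefix (IN=, OUT=, SRC=, DST=, PROTO=, ...)
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")

# Assumption: the internal network prefix, taken from the addresses in the post.
INTERNAL_PREFIX = "192.168.86."


def parse_sfw2_line(line):
    """Return a dict of prefix parts and packet fields, or None if not an SFW2 entry."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key, val in KV_RE.findall(line):
        rec.setdefault(key, val)  # keep the first LEN (IP header), not the UDP one
    return rec


def describe(rec):
    """Human-readable summary of what the firewall refused, from the log fields alone."""
    if rec is None:
        return "not an SFW2 log entry"
    direction = "outbound" if rec.get("SRC", "").startswith(INTERNAL_PREFIX) else "inbound"
    proto, dpt = rec.get("PROTO"), rec.get("DPT")
    if proto is None or dpt is None:
        service = "unknown service (entry truncated)"
    elif proto == "UDP" and dpt == "53":
        service = "DNS"
    else:
        service = f"{proto}/{dpt}"
    return (f"{rec['action']} in chain {rec['chain']} ({rec['rule']} rule): "
            f"{direction} {service} {rec.get('SRC')}:{rec.get('SPT')} -> "
            f"{rec.get('DST')}:{dpt} via {rec.get('IN')} -> {rec.get('OUT')}")


def dropped_dns_queries(log_text):
    """List (src, dst) pairs of dropped UDP/53 packets; truncated entries are skipped."""
    out = []
    for rec in map(parse_sfw2_line, log_text.splitlines()):
        if rec and rec["action"] == "DROP" and rec.get("PROTO") == "UDP" and rec.get("DPT") == "53":
            out.append((rec["SRC"], rec["DST"]))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_sfw2_line(line)))
```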
