Mailinglist Archive: opensuse-security (256 mails)

How to replace FW_ALLOW_INCOMING_HIGHPORTS_UDP?
  • From: Paul Elliott <pelliott@xxxxxx>
  • Date: Thu, 3 Feb 2005 23:38:29 -0600
  • Message-id: <20050204053829.GA7287@xxxxxx>

Ok, I have a dialup connection to the internet.
I want to let hosts on my internal net use my ISP's domain name
service.

For 9.1 I had:

FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"

But in 9.2 the startup process complained about this line
so I commented it out in SuSEfirewall2.

Now of course, attempts by hosts on my internal net to
use dns fail and lines like this appear in /var/log/messages:

Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10

192.168.86.4 is a host on my internal net and
199.170.88.10 and 199.170.88.29 are my ISP's dns servers!

I believe the log entries are complaining about a UDP packet that
was trying to go from my ISP's domain name service to a host
on my internal net.

Now that FW_ALLOW_INCOMING_HIGHPORTS_UDP is not allowed, how
do I allow packets like this to go thru?

Thank You.

--
Paul Elliott 1(512)837-1096
pelliott@xxxxxx PMB 181, 11900 Metric Blvd Suite J
http://www.io.com/~pelliott/pme/ Austin TX 78758-3117
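An added example, not part of the original post: a small parser for the SFW2 kernel log format quoted above, which pulls out the chain name and the packet fields and reports the direction of each dropped DNS packet as the fields record it (SRC, DST, SPT, DPT, IN, OUT). The internal network prefix 192.168.86. is assumed from the addresses in the post; the sample log lines are the two from the post, the second truncated exactly as it appears there.

```python
import re

# Constructed sample: the two SuSEfirewall2 kernel log lines quoted in the post.
# The second line is truncated, as it is on the page.
SAMPLE_LOG = """\
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10
"""

# Tag layout "SFW2-<chain>-<action>-<rule>" followed by KEY=VALUE fields.
PREFIX_RE = re.compile(
    r"kernel: SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)-(?P<rule>[A-Z]+)\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_sfw2_line(line):
    """Return a dict of the SFW2 tag parts plus packet fields, or None for non-SFW2 lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "rule": m.group("rule")}
    for key, val in KV_RE.findall(m.group("rest")):
        # LEN appears twice (IP total length, then UDP length); keep the first one.
        rec.setdefault(key, val)
    return rec


def describe(rec, internal_net="192.168.86."):
    """Classify a dropped packet as an outbound DNS query or an inbound DNS reply."""
    if rec is None:
        return "not an SFW2 record"
    missing = [k for k in ("PROTO", "SPT", "DPT") if k not in rec]
    if missing:  # truncated line: direction cannot be determined from it
        return "truncated record: missing " + ",".join(missing)
    if rec["PROTO"] != "UDP":
        return "not a UDP packet"
    src_internal = rec["SRC"].startswith(internal_net)
    if src_internal and rec["DPT"] == "53":
        return (f"outbound DNS query {rec['SRC']}:{rec['SPT']} -> {rec['DST']}:53 "
                f"dropped in {rec['chain']} ({rec['IN']} -> {rec['OUT']})")
    if rec["SPT"] == "53" and not src_internal:
        return f"inbound DNS reply {rec['SRC']}:53 -> {rec['DST']}:{rec['DPT']} dropped in {rec['chain']}"
    return "UDP packet unrelated to DNS"


def analyse(log_text):
    """Describe every non-empty line of a log excerpt."""
    return [describe(parse_sfw2_line(l)) for l in log_text.splitlines() if l.strip()]
```

Running `analyse(SAMPLE_LOG)` shows the first line as a query from the internal host's high port to the ISP's port 53, forwarded from eth0 to modem0, and flags the second line as truncated rather than guessing its direction.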