* Philipp Snizek <mailinglists@belfin.ch> [010524 12:55]:
only block 53/tcp.
This is what I have now (I am using a caching-only DNS server; maybe I am doing this wrong):
ipchains -A input -p tcp -s $REMOTENET -d $OUTERNET 53 -j ACCEPT
ipchains -A input -p udp -s $REMOTENET -d $OUTERNET 53 -j ACCEPT
and you are suggesting
ipchains -A input -p tcp -s $REMOTENET -d $OUTERNET 53 -j REJECT
No. You don't need TCP. You will only query on udp/53, since almost all of your DNS queries will not be larger than 512 bytes. If you do requests >512 bytes, your BIND will automatically use TCP. But this won't happen. If you have two DNS servers (one primary and one secondary DNS) they will need to do zone transfers. This also needs TCP. Because you only run a caching DNS server, all you need is udp/53:

Your dns          -----> other party dns
request  1024:    -----> 53 udp
answer   1024:    <----- 53 udp

Open 1024:5000 for client requests and receiving answers. These are usually the most-used ports for communication from client to server and back if you use masquerading on your Linux box. Since you've got a dial-up "router", you do use masquerading.
This part I did not get the picture of. I have an ADSL connection (so it's PPPoE). Is this what you mean?
Ah, OK, you have ADSL. I saw a ppp0 device in your ipchains rules. I thought this would be some kind of analog modem or ISDN TA. If it's a leased line (I guess so; I have never played with PPPoE before) then you don't need masquerading if you don't wish to use it. See the explanation above and below.
ipchains -A input -p tcp -s $REMOTENET -d $OUTERNET 1024:5000 -j ACCEPT
You don't need that at all because it's TCP.
ipchains -A input -p udp -s $REMOTENET -d $OUTERNET 1024:5000 -j ACCEPT
This you need. I don't understand OUTERNET (is this your DMZ network??). ipchains for DNS only:

#requesting rule
ipchains -A output -p udp -s $my.dns.server 1024:5000 -d $internet 53 -i $interneteth -j ACCEPT
#answering rule
ipchains -A input -p udp -s $internet 53 -d $my.dns.server 1024:5000 -i $interneteth -j ACCEPT

Be sure that BIND is only bound to your $internallaneth. If so, BIND will not act on your $interneteth and won't show an open 53/tcp port.
But if you like I can give you some real reasons for being afraid :-))
I would appreciate being assigned some reading homework as guidance.
Read O'Reilly's Building Internet Firewalls. This is standard security bedtime reading.
-- Togan Muftuoglu
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
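The request/answer pair discussed in the thread, written out as a complete rule script. This is an added example, not code from the original messages or from the ipchains/BIND documentation. The outside interface name ppp0 is taken from the thread; the address 192.0.2.10 and the dry-run wrapper are assumptions for illustration. The script also includes a small checker that counts input-chain TCP ACCEPT rules, which for a caching-only server should be zero, and when run with DRY_RUN=1 it prints the rules instead of loading them, so the set can be reviewed on a machine without ipchains.

```shell
#!/bin/sh
# Added example (not from the original message): ipchains rules for a
# caching-only DNS server, following the request/answer pair in the thread.
# Interface and address values below are assumptions for illustration.

INTERNET_ETH=ppp0            # assumption: outside (PPPoE) interface
MY_DNS=192.0.2.10            # assumption: address of the caching server on that side
INTERNET=0.0.0.0/0           # any remote host
RESOLVER_PORTS=1024:5000     # unprivileged source ports the resolver uses
IPCHAINS=${IPCHAINS:-ipchains}

# run: execute the rule, or just print it when DRY_RUN=1 so the rule set can
# be reviewed (or tested) on a machine without ipchains installed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dns_rules: the minimal UDP pair for a caching-only server, plus explicit
# rejects for anything arriving at port 53 itself on the outside interface
# (nobody outside may query us, and no zone transfer is ever needed).
dns_rules() {
    # requesting rule: our unprivileged port -> remote 53/udp
    run "$IPCHAINS" -A output -p udp -s "$MY_DNS" "$RESOLVER_PORTS" -d "$INTERNET" 53 -i "$INTERNET_ETH" -j ACCEPT
    # answering rule: remote 53/udp -> our unprivileged port
    run "$IPCHAINS" -A input -p udp -s "$INTERNET" 53 -d "$MY_DNS" "$RESOLVER_PORTS" -i "$INTERNET_ETH" -j ACCEPT
    # no queries and no zone transfers from outside: reject 53/udp and 53/tcp
    run "$IPCHAINS" -A input -p udp -s "$INTERNET" -d "$MY_DNS" 53 -i "$INTERNET_ETH" -j REJECT
    run "$IPCHAINS" -A input -p tcp -s "$INTERNET" -d "$MY_DNS" 53 -i "$INTERNET_ETH" -j REJECT
}

# tcp_accepts_in: count input-chain rules that ACCEPT TCP. Reads rule lines on
# stdin and prints the count; for a caching-only resolver it should be 0.
tcp_accepts_in() {
    grep -- '-A input' | grep -- '-p tcp' | grep -c -- '-j ACCEPT' || true
}

# Stand-alone use: DRY_RUN=1 ./dns-rules.sh prints the four rules for review.
if [ "${DRY_RUN:-0}" = 1 ]; then
    dns_rules
fi
```

Loading the rules is only half of it: as the thread says, BIND itself must listen only on the internal interface, which in named.conf is the `listen-on { <internal address>; };` option, so that nothing answers on 53/tcp or 53/udp on the outside address even if a rule is ever mis-typed.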