---------- Forwarded message ----------
Date: Wed, 2 Feb 2000 21:40:16 +0100 (MET)
From: Marc Heuse <marc@suse.de>
To: Thomas Biege <thomas@suse.de>
Subject: Re: [suse-security] SuSE firewall script + UDP ports (fwd)

Hi,
> I would like to set up a firewall using the firewals 1.4-6 package on a 2.2.14 kernel. My problem is that I want to use nameserver services from the (insecure) internet and time server services. For the time servers, I have to have an open UDP port 1026 for incoming UDP connections. If I set FW_UDP_ALLOW_INCOMING_HIGHPPORTS = "dns 1026" I get error messages, which are caused by a special handling of the string 'dns' in the script. Up to now, the only solution I have found is to set that variable to 'yes', but that opens all my high UDP ports, and I would really prefer to have only those ports open which I really need. Is there a better solution available?
you really don't gain much security if you restrict access to the udp highports to a special sourceport. however, if you want to do this: "53 1026" will help - however, 1026 is allocated dynamically. so when it uses another port when it's started, you are toasted. my tip: "yes" is okay
> btw., it would have been nice if the article in SuSE's support data base would mention that the firewall script has to be restarted each time a new dial-up connection has been made :-))
that's mentioned in rc.firewall I think - I don't know for 1.4 but 2.0-pre does for sure :-)

Greets,
Marc

--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
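Marc's two points above are that a pinned port such as 1026 is only what the kernel happened to hand the time client at one start, and that listing ports instead of "yes" buys little. The following Python snippet is an added illustration written for this page, not code from the thread or from the SuSE firewall script. It binds UDP sockets to port 0 so the kernel chooses the port, which is how a client ends up on a port like 1026, and models FW_UDP_ALLOW_INCOMING_HIGHPORTS with a simplified assumed rule ("yes" admits every unprivileged local port, anything else is a space-separated port list). That model is an assumption for the demonstration and is not the script's actual parsing logic.

```python
import socket

def ephemeral_udp_ports(n=5):
    """Bind n UDP sockets to port 0 and return the ports the kernel chose.

    Constructed demonstration: each socket is left open until all are bound,
    so the kernel must pick a different unprivileged port for every one.
    """
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))  # port 0 = let the kernel allocate
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports

def allows_incoming_high_udp(setting, local_port):
    """Assumed, simplified model of FW_UDP_ALLOW_INCOMING_HIGHPORTS (not the
    SuSE script's own logic): 'yes' admits every unprivileged (>= 1024) local
    UDP port; any other value is a space-separated list of allowed ports.
    Privileged ports are never admitted by this variable in the model.
    """
    if local_port < 1024:
        return False
    if setting.strip() == "yes":
        return True
    allowed = {int(p) for p in setting.split()}
    return local_port in allowed

def rule_survives_restart(setting, ports):
    """True only if every kernel-chosen port in `ports` would still be admitted,
    i.e. the rule does not break when the client restarts on a new port."""
    return all(allows_incoming_high_udp(setting, p) for p in ports)

if __name__ == "__main__":
    chosen = ephemeral_udp_ports()
    print("kernel-chosen ports:", chosen)
    print('"53 1026" survives restart:', rule_survives_restart("53 1026", chosen))
    print('"yes" survives restart:', rule_survives_restart("yes", chosen))
```

Running it shows a fresh set of ports on every run; a static list like "53 1026" admits replies only while the client happens to sit on 1026, which is the breakage Marc describes, whereas "yes" keeps working at the cost of opening every high UDP port. The real defence for the replies themselves is not the allow-list but the fact that the firewall should only pass UDP to a local port a local client actually bound.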