On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:

so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023

It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21 which is << 1024 Anders

-----BEGIN PGP SIGNED MESSAGE----- Hi guys!

...

...

FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"

means: allow UDP traffic coming *from* the domain (53) and ntp (123) ports to any high UDP port on the firewall machine. At least in 2.1 it does... Andy - -- Andreas J. Mueller email: PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (MingW32) iQC9AwUBPcBqdvobN5o9QdlBAQFuQQVAg/gvEUTvO08LzHqSXM8YFKdSKStB2dXs Z+buDfR8v2ybTimGWBRESR5OscqHMvaDn7GJGtWytcEJM7EB1Qx7ZYe/WxI+r3SR 3FOwQnTz/jHdsBwl/NPv3LQmhVR8H9IzX8xPrVQNnGs/LtK0cIszuGhwaUEfSl8/ 7pt2x+Dy/5A9kRqa/SHQzYKg2yqtZJaKTinVV+fg8bbxvbrJXxRf2Z5kKbpg2n8U =+TWK -----END PGP SIGNATURE-----

On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:

* Anders Johansson; on 30 Oct, 2002 wrote:

...

On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:

...

so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023

It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21 which is << 1024

Sorry Anders but I can not make it from the script Where do you read this in the code for this interpretation ? my understanding is the other way around here you need to place ports >1023

[Dd][Nn][Ss]) OPEN_DNS=yes test "$OPEN_DNS" = yes && { test -z "$NAMESERVERS" && \ echo 'Warning: No nameservers in /etc/resolv.conf!' for k in $NAMESERVERS; do test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535 # guess this has to be state NEW because the outgoing packet was not seen when # doing autodialing... XXX - or? $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,REL ATED -p udp -s $k --sport 53 --dport 1024:65535 done done }

Maybe I am mistaken

The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it) Anders

Hello Andreas On Thursday 31 October 2002 00.32, Andreas J Mueller wrote:

Hi Anders!

...

The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it)

"DNS" is a special value you can use for FW_ALLOW_INCOMING_HIGHPORTS_UDP. It will allow access to UDP ports >= 1023 for the nameservers defined in /etc/resolv.conf only.

Yes, but the config file says "Common: "DNS" or "domain ntp"", but both "domain" and "ntp" will cause *all* udp ports to be open to *all* hosts, not just those in resolv.conf. Anders

On Thu, Oct 31, 2002 at 12:46:37AM +0100, Mathias Homann wrote:

...

As for "UDP wide open": Did you consider the fact that every filtered UDP port is reported as "open" by an nmap scan?

AH! now THAT is the bit of information I was looking for!

nmap will report everything as "open" for which it doesn't receive an explicit ICMP_PORT_UNREACH. Unless you've configured your firewall to REJECT instead of DROP, nmap will not see any responses at all. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann

On Thursday 31 October 2002 00.27, Anders Johansson wrote: <snip> Also, if I'm reading this correctly *) test "$DONE_ALL" = yes || for CHAIN in input_int input_dmz input _ext; do $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp --sp ort $j --dport 1024:65535 $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABL ISHED,RELATED -p udp --sport $j --dport 1024:65535 done ;; It looks like if you have anything unrecognized (like "domain" or "ntp") then all high udp ports will be open

* Anders Johansson; on 31 Oct, 2002 wrote:

On Thursday 31 October 2002 00.33, Anders Johansson wrote:

...

It looks like if you have anything unrecognized (like "domain" or "ntp") then all high udp ports will be open

Agh, --sport $j, I'm an idiot. Ignore

Well then ignore my previous post. I was getting lost in trying to get the ESTABLISHED,RELATED combo with FW_ALLOW_HIGHPORT_UDP -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx