RE: [suse-security] SuSE firewall2 configuration for zone transfer
Hi there,

DNS requests from server to server normally use UDP 53 (source and destination port). However, if problems occur or the packet size is > 512 bytes, it will change to source port >=1024 TCP and destination port 53 TCP.

Cheers
Knut Erik

-----Original Message-----
From: M. Edwin [mailto:edwin@nsi.co.id]
Sent: Tuesday, July 22, 2003 1:36 PM
To: suse-security@suse.com
Subject: [suse-security] SuSE firewall2 configuration for zone transfer

Hi list,

I just set up a name server for our domain. I allow-transfer in named.conf to an external server outside our domain for the secondary name server.

allow-query { any; };
allow-transfer { 202.158.40.1; };

When I check the log (/var/log/messages) there are several lines showing that the zone transfer to that server on a high port is not allowed, like this one:

Jul 22 13:25:25 mail /usr/sbin/named[28877]: client ::ffff:202.158.40.1#54516: zone transfer denied

I think it is because of the firewall, so I checked the firewall configuration. But I think everything is OK (correct me if I'm wrong). I put in the lines

FW_SERVICES_EXT_UDP="53"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain"

Anybody can give me advice?

Kind Regards,
M. Edwin
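The UDP-to-TCP switch Knut Erik describes is signalled by the TC ("truncated") bit in the DNS header, and on TCP every message is prefixed with a 2-byte length so that several messages (as in a zone transfer) can follow each other on one connection. The following is an added example, not code from the thread or from BIND; the transaction ID, the query name and the response messages are constructed by hand so it runs offline.

```python
"""Added example: how a resolver detects that it must retry over TCP, and how
DNS messages are framed on TCP. All messages below are constructed."""
import struct

QR_FLAG = 0x8000  # response bit in the header flags word
TC_FLAG = 0x0200  # truncated: answer did not fit in the UDP reply, retry over TCP
RD_FLAG = 0x0100  # recursion desired
UDP_MAX = 512     # classic UDP payload limit without EDNS0 (RFC 1035 2.3.4)


def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, terminated by 0."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(txid, name, qtype, rd=True):
    """Build a single-question query (qclass IN)."""
    flags = RD_FLAG if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed 12-byte header (id, flags, four section counts)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR_FLAG), "tc": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def must_retry_over_tcp(udp_response, txid):
    """A resolver falls back to TCP when the matching response carries TC=1."""
    h = parse_header(udp_response)
    return h["qr"] and h["id"] == txid and h["tc"]


def frame_for_tcp(msg):
    """On TCP every message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_frames(buf):
    """Split a TCP byte stream into complete messages; return (messages, leftover).
    A zone transfer (AXFR) arrives as several such messages on one connection,
    and a partial trailing frame must be kept until more bytes arrive."""
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def demo():
    txid = 0xBEEF
    q = build_query(txid, "example.com", 1)          # A query, constructed
    question = q[12:]
    # Constructed UDP responses: one truncated, one complete (no answer records
    # are needed to show the header decision).
    truncated = struct.pack("!HHHHHH", txid, QR_FLAG | RD_FLAG | TC_FLAG, 1, 0, 0, 0) + question
    complete = struct.pack("!HHHHHH", txid, QR_FLAG | RD_FLAG, 1, 0, 0, 0) + question
    # Constructed TCP stream: two framed messages and the start of a third.
    m1 = struct.pack("!HHHHHH", txid, QR_FLAG, 1, 3, 0, 0) + question
    m2 = struct.pack("!HHHHHH", txid, QR_FLAG, 0, 2, 0, 0)
    stream = frame_for_tcp(m1) + frame_for_tcp(m2) + b"\x00\x30\x00"
    msgs, rest = split_tcp_frames(stream)
    return {
        "udp_truncated": must_retry_over_tcp(truncated, txid),
        "udp_complete": must_retry_over_tcp(complete, txid),
        "tcp_messages": len(msgs),
        "tcp_leftover": len(rest),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the firewall question in this thread: a zone transfer is carried over TCP, so a rule set that opens only UDP 53 cannot pass it no matter what the named.conf ACL says.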
It means I also have to open highport TCP and TCP 53, right?

My current firewall setting for TCP high port is

FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"

regards,
Edwin
* M. Edwin wrote on Wed, Jul 23, 2003 at 15:10 +0800:
It means I also have to open highport TCP and TCP 53, right?
What do you mean with "highport"? ext:53 -> dmz:>1024?

bind knows query-source or something. Set it to 53 and allow TCP+UDP port 53<->53 only. If you allow ext:53-->dmz:userport (or something), you have unprotected all high ports. Sometimes proxies use high ports like 8080 or 3128, and many services (including database servers, X, sometimes even NFS or other portmapped services) are known to do the same. So you shouldn't allow (any) TCP packets to arrive here. At least drop SYN without ACK to prevent incoming TCP connections, or use the RELATED functionality of iptables.

For UDP it is slightly more complicated. An attacker can set up an NS RR pointing to her attacking host and insert some URL by e-mail or such (IMG SRC="http://attacker/a.gif"). Your local DNS server may send a UDP packet to the attacker's server, which responds with UDP from port 53. Some stateful firewalls implement this by allowing "response" packets for some time window (60 seconds or so?). So an attacker would start a UDP attack after her DNS has been queried, with the source port 53 (which can be implemented by some NAT or a DNS-server-and-attack-tool) ... If you allow 53<->53 only, she can attack your DNS ports only. Of course it also helps (e.g., in a DMZ) to have dedicated DNS servers (so the DNS service can only be attacked at this IP in any case).
My current firewall setting for TCP high port is
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
If this allows active FTP, then you have the same problem here. An attacker just needs to start the attack from source port 20, which is quite common and, together with source port 53, a common default in scan and attack tools. So I recommend not to do such configurations. An open firewall won't be a good one, I think :-)

oki,
Steffen

-- This letter was produced by machine and therefore bears neither signature nor seal.
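Steffen's argument above (a rule keyed on the peer's source port opens every high port to anyone who binds port 53 or 20, while matching on connection state and pinning named's query source to 53 does not) can be made concrete by replaying the same packets through both policies. The model below is an added example, not SuSEfirewall2, iptables or BIND code: the server address, the attacker address, the services assumed to listen on 3128, 8080 and 6000, and the reading of FW_ALLOW_INCOMING_HIGHPORTS_* as "source port X may reach any port >= 1024" are all assumptions. The pin Steffen means is BIND's `query-source address * port 53;`; one caveat for anyone reading this today: since the 2008 cache-poisoning work, current BIND randomizes the query source port on purpose, so the stateful half of this policy is used without the pin.

```python
"""Added example: stateless source-port rules vs a stateful policy.
Constructed model, not SuSEfirewall2/iptables code. Addresses, the attacker
host and the high-port services are assumed."""
from dataclasses import dataclass

DNS_SERVER = "10.0.1.53"     # assumed address of the name server behind the firewall
SECONDARY = "202.158.40.1"   # secondary from the thread's allow-transfer ACL
ATTACKER = "198.51.100.7"    # constructed attacker address (TEST-NET-2)


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def highport_ruleset(pkt):
    """Stateless policy modeled on port 53 opened for both protocols plus
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain" and _TCP="ftp-data" (assumed
    semantics: any packet from source port 53, or TCP from source port 20,
    may reach any port >= 1024). It has no notion of who asked first."""
    if pkt.dst != DNS_SERVER:
        return "DROP"
    if pkt.dport == 53:
        return "ACCEPT"
    if pkt.dport >= 1024:
        if pkt.proto == "udp" and pkt.sport == 53:
            return "ACCEPT"
        if pkt.proto == "tcp" and pkt.sport in (53, 20):
            return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Hardened policy: new inbound flows only to port 53 (UDP, or a TCP SYN
    without ACK for zone transfers and large answers); anything else must be
    the reply to a flow this host opened, as iptables -m state
    --state ESTABLISHED,RELATED would match. With named's query source pinned
    to port 53 the tracked tuples are all 53<->53, so the reply hole reaches
    nothing but the DNS port."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        """Record a flow initiated from inside, e.g. a recursive query."""
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def inbound(self, pkt):
        if pkt.dst != DNS_SERVER:
            return "DROP"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "ACCEPT"          # ESTABLISHED: reply to something we sent
        if pkt.dport == 53:
            if pkt.proto == "udp":
                return "ACCEPT"      # NEW query to the name server itself
            if pkt.syn and not pkt.ack:
                return "ACCEPT"      # NEW TCP connection (AXFR, truncated answers)
        return "DROP"


def demo():
    """Replay the same inbound packets through both policies.
    Returns {description: (stateless verdict, stateful verdict)}."""
    fw = StatefulFilter()
    # The lure from the thread: our resolver is tricked into querying the
    # attacker's name server (query source pinned to port 53).
    fw.outbound(Packet("udp", DNS_SERVER, 53, ATTACKER, 53))
    traffic = {
        "attacker NS reply 53->53": Packet("udp", ATTACKER, 53, DNS_SERVER, 53),
        "attacker sport 53 -> udp 3128": Packet("udp", ATTACKER, 53, DNS_SERVER, 3128),
        "attacker sport 53 SYN -> tcp 8080": Packet("tcp", ATTACKER, 53, DNS_SERVER, 8080, syn=True),
        "attacker sport 20 SYN -> tcp 6000": Packet("tcp", ATTACKER, 20, DNS_SERVER, 6000, syn=True),
        "secondary AXFR SYN 54516 -> 53": Packet("tcp", SECONDARY, 54516, DNS_SERVER, 53, syn=True),
    }
    return {name: (highport_ruleset(p), fw.inbound(p)) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (loose, strict) in demo().items():
        print(f"{name:36} stateless={loose:6} stateful={strict}")
```

Read the two verdict columns side by side: the only attacker packet both policies accept is the 53->53 reply, which is exactly the residual exposure Steffen accepts ("she can attack your DNS ports only"); every other packet the high-port rules let through is dropped by the stateful policy, while the secondary's TCP connection to port 53 for the zone transfer is still admitted.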
participants (3): Knut Erik Hauslo, M. Edwin, Steffen Dettmer