On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:
* Anders Johansson; on 30 Oct, 2002 wrote:
On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
So having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing, as they are not >1023.
It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21, which is << 1024.
Sorry Anders, but I cannot make it out from the script. Where do you read this in the code for this interpretation? My understanding is the other way around: here you need to place ports >1023.
    # case arm that turns on the DNS handling below
    [Dd][Nn][Ss])
        OPEN_DNS=yes

    test "$OPEN_DNS" = yes && {
        test -z "$NAMESERVERS" && \
            echo 'Warning: No nameservers in /etc/resolv.conf!'
        # one LOG rule and one ACCEPT rule per nameserver, per input chain;
        # matches UDP *from* port 53 of the nameserver *to* local ports 1024:65535
        for k in $NAMESERVERS; do
            test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do
                $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535
                # guess this has to be state NEW because the outgoing packet was not seen when
                # doing autodialing... XXX - or?
                $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535
            done
        done
    }
Maybe I am mistaken.
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns", not "domain", and ntp doesn't seem to be supported (at least I can't find it).

Anders
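To make the quoted fragment's effect concrete, here is an added stand-alone example (not SuSEfirewall2 code and not posted by either participant) that reads nameservers out of resolv.conf text and prints the iptables commands the fragment would issue, instead of running them. The sample resolv.conf content is constructed, the function names are this example's own, and the literal --log-prefix "SuSE-FW-ACCEPT " is an assumed expansion of ${LOG}"-ACCEPT " from the original script. The loopback address is skipped exactly as the fragment's test "$k" = 127.0.0.1 || ... does, and an empty nameserver list produces the same warning and a non-zero return.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: emit (do not run) the rules the
# quoted fragment builds for FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns".

# Constructed sample resolv.conf, including a loopback entry that is skipped.
SAMPLE_RESOLV_CONF='# constructed sample
search example.net
nameserver 127.0.0.1
nameserver 192.0.2.53
nameserver 198.51.100.2'

# Print the nameserver addresses found in resolv.conf text read from stdin.
nameservers_from_resolv() {
    awk '$1 == "nameserver" { print $2 }'
}

# For every non-loopback nameserver and every input chain, print the LOG
# and ACCEPT rule pair from the fragment. The match is replies FROM UDP/53
# on the nameserver TO the local unprivileged range 1024:65535.
#   $1 = resolv.conf text, $2 = space-separated chains (default as in the script)
gen_dns_rules() {
    resolv="$1"
    chains="${2:-input_int input_dmz input_ext}"
    servers=$(printf '%s\n' "$resolv" | nameservers_from_resolv)
    if [ -z "$servers" ]; then
        echo 'Warning: No nameservers in /etc/resolv.conf!' >&2
        return 1
    fi
    for k in $servers; do
        [ "$k" = 127.0.0.1 ] && continue
        for chain in $chains; do
            # assumed expansion of ${LOG}"-ACCEPT " from the original script
            echo "iptables -A $chain -j LOG --log-prefix 'SuSE-FW-ACCEPT ' -p udp -s $k --sport 53 --dport 1024:65535"
            echo "iptables -A $chain -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535"
        done
    done
}

# Number of rule lines produced for the given input (handy for checking).
count_dns_rules() {
    gen_dns_rules "$1" "$2" | wc -l | tr -d ' '
}

gen_dns_rules "$SAMPLE_RESOLV_CONF"
```

Run as-is it prints twelve rules: two non-loopback servers, three chains, one LOG rule and one ACCEPT rule each. Piping the output into sh would install them; leaving it as text lets you review the -s/--sport 53/--dport 1024:65535 match before touching a live ruleset.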