Linux Users' Group of Davis (LUGOD)
Page last updated: 2001 Dec 30 17:07

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Firewall question...
On Tue, Jul 03, 2001 at 10:09:10PM -0700, Doug Barbieri wrote:
[dns firewalling snipped]
> This cleared up the connection problem. My question, however, is this--why
> should I care from which port a DNS client on a remote machine may connect
> *from*? As long as I only allow connections *to* port 53, shouldn't that
> be good enough? So why do I have the sneaking suspicion that my solution
> isn't very secure? :)

Here's how I do it:

# begin
ME='romana.hajhouse.org' # Machine's Internet address
IFACE_INET='eth0' # External interface
# Pull the nameserver addresses out of /etc/resolv.conf
NS_SERVERS=`perl -ne '/^nameserver ([0-9.]+)/ && print "$1 "' /etc/resolv.conf` # a regex, how apropos ;-)

# ...

# For each listed nameserver: allow queries from our unprivileged ports to
# port 53 (domain) and the matching replies back, for both TCP and UDP.
# ipchains is stateless, so each direction needs its own rule.
for server in $NS_SERVERS; do
	ipchains -A output -i $IFACE_INET -p tcp  \
		-s $ME 1024:65535 \
		-d $server domain -j ACCEPT
	ipchains -A input  -i $IFACE_INET -p tcp  \
		-s $server domain \
		-d $ME 1024:65535 -j ACCEPT
	ipchains -A output -i $IFACE_INET -p udp  \
		-s $ME 1024:65535 \
		-d $server domain -j ACCEPT
	ipchains -A input  -i $IFACE_INET -p udp  \
		-s $server domain \
		-d $ME 1024:65535 -j ACCEPT
done
# end

The only significant difference is that I only allow traffic to the
nameservers listed in /etc/resolv.conf. That's about as secure as you can
get without resorting to extreme measures.

-- 
Henry House
OpenPGP key available from http://romana.hajhouse.org/hajhouse.asc
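The same DNS-only rule set, as an added example that is not part of Henry's post: the resolv.conf entries are validated before they reach a rule, and the rules are printed for review instead of applied. $ME and $IFACE_INET are the post's names; the function names and the sample resolv.conf are assumed here.

```shell
# Added example, not from the original post: the same DNS-only ipchains rule
# set, but resolv.conf entries are validated first and the rules are printed
# rather than applied, so they can be reviewed before loading. $ME and
# $IFACE_INET follow the post; the function names are assumed here.

# Print each 'nameserver' address that is a well-formed IPv4 dotted quad, once,
# in file order; comments, IPv6 entries and bad octets (192.0.2.999) are skipped.
dns_servers_from() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($2, o, "."); ok = 1
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (ok && !seen[$2]++) print $2
        }' "$1"
}

# Rule pair for one protocol and nameserver: local unprivileged ports to port 53
# outbound, plus the mirror rule for the reply (ipchains is stateless).
dns_rules_for() {   # $1 = tcp|udp, $2 = nameserver address
    printf 'ipchains -A output -i %s -p %s -s %s 1024:65535 -d %s domain -j ACCEPT\n' \
        "$IFACE_INET" "$1" "$ME" "$2"
    printf 'ipchains -A input -i %s -p %s -s %s domain -d %s 1024:65535 -j ACCEPT\n' \
        "$IFACE_INET" "$1" "$2" "$ME"
}

# Whole rule set for every valid nameserver in the file; fails if there is none.
# Review the output, then pipe it through sh to apply.
dns_rules() {   # $1 = path to a resolv.conf
    servers=$(dns_servers_from "$1")
    [ -n "$servers" ] || { echo "no usable nameserver in $1" >&2; return 1; }
    for server in $servers; do
        dns_rules_for tcp "$server"
        dns_rules_for udp "$server"
    done
}

ME='romana.hajhouse.org'   # machine's Internet address (as in the post)
IFACE_INET='eth0'          # external interface

# Constructed sample resolv.conf: a duplicate, an IPv6 entry and a bad octet.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
nameserver 192.0.2.1
nameserver 192.0.2.1
nameserver 2001:db8::53
nameserver 192.0.2.999
nameserver 192.0.2.2
EOF
dns_rules "$SAMPLE"        # 8 rules: 2 servers x 2 protocols x 2 directions
rm -f "$SAMPLE"
```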
