Re: [suse-security] How to replace FW_ALLOW_INCOMING_HIGHPORTS_UDP?
From: Ludwig Nussel (ludwig.nussel@suse.de)
Date: Mon Feb 07 2005 - 03:09:53 CST
Paul Elliott wrote:
> Ok, I have a dialup connection to the internet.
> I want to let hosts on my internal net use my ISP's domain name
> For 9.1 I had:
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"
> But in 9.2 the startup process complained about this line
> so I commented it out in SuSEfirewall2.
Only the special keyword "DNS" is no longer supported. Nevertheless,
I would recommend avoiding FW_ALLOW_INCOMING_HIGHPORTS_UDP if
> Now of course, attempts by hosts on my internal net to
> use dns fail and lines like this appear in /var/log/messages:
> Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=126.96.36.199 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
> Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=188.8.131.52 LEN=56 TOS=0x10
> 192.168.86.4 is a host on my internal net and
> 184.108.40.206 and 220.127.116.11 are my ISP's dns servers!
> I believe the log entries are complaining about a UDP packet that
> was trying to go from my ISP's domain name service to a host
> on my internal net.
No, read the message carefully: IN=eth0 OUT=modem0. It's got nothing
to do with FW_ALLOW_INCOMING_HIGHPORTS_UDP, as it happens in the
forward chain in the outgoing direction. You need to configure
masquerading to make this work. As others already suggested, it's
generally a good idea to set up bind as a caching-only nameserver
instead. See MODIFY_NAMED_CONF_DYNAMICALLY in
/etc/sysconfig/network/config if your nameservers are assigned
dynamically by your provider.
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
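The point Ludwig makes is that the chain named in the log prefix (FWDint) and the IN=/OUT= pair tell you which firewall path dropped the packet, and therefore which sysconfig knob is relevant. The following is an added example, not code from the thread or from SuSEfirewall2: it parses SFW2-style kernel log lines (the iptables LOG format with the SFW2-<chain>-<action>-<reason> prefix), works out whether the packet was being routed through the box (IN and OUT both set) or addressed to the box itself (only IN set), and for the routed-outbound case names the masquerading settings from /etc/sysconfig/SuSEfirewall2. The sample log lines are constructed, modelled on the ones quoted above but with documentation IP addresses; the interface names eth0/modem0 and the LAN 192.168.86.0/24 are assumptions taken from the post.

```python
"""Classify SuSEfirewall2 (SFW2) kernel log lines by chain and direction.

Added example for the thread above, not part of SuSEfirewall2. The SFW2 log
prefix has the form SFW2-<chain>-<action>-<reason>; the rest of the line is
the usual iptables LOG target output (IN=, OUT=, SRC=, DST=, PROTO=, DPT=...).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines (documentation IPs), modelled on the ones in the thread.
SAMPLE_LOG = """\
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=192.0.2.53 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:50 hrnowl kernel: SFW2-INext-DROP-DEFLT IN=modem0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 3 23:26:51 hrnowl kernel: SFW2-INint-ACC-TCP IN=eth0 OUT= MAC= SRC=192.168.86.4 DST=192.168.86.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=1035 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

PREFIX_RE = re.compile(r"SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)-(?P<reason>\S+)")
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class Event:
    chain: str                # e.g. "FWDint", "INext"
    action: str               # e.g. "DROP", "ACC"
    reason: str               # e.g. "DEFLT" (hit the default policy)
    fields: Dict[str, str]    # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...

    @property
    def in_if(self) -> str:
        return self.fields.get("IN", "")

    @property
    def out_if(self) -> str:
        return self.fields.get("OUT", "")


def parse_line(line: str) -> Event:
    """Split one SFW2 log line into its prefix parts and key=value fields."""
    m = PREFIX_RE.search(line)
    if not m:
        raise ValueError("not an SFW2 log line: %r" % line)
    # A later duplicate key (the second LEN= is the UDP/TCP length) overwrites
    # the earlier one; IN/OUT/SRC/DST/PROTO/DPT occur once and are all we need.
    fields = dict(KV_RE.findall(line[m.end():]))
    return Event(m.group("chain"), m.group("action"), m.group("reason"), fields)


def classify(ev: Event, internal_if: str, external_if: str) -> str:
    """Name the netfilter path the packet was on when the rule fired.

    IN and OUT both set -> FORWARD (routed through the firewall box)
    IN set, OUT empty   -> INPUT   (addressed to the firewall box itself)
    IN empty, OUT set   -> OUTPUT  (generated by the firewall box itself)
    """
    if ev.in_if and ev.out_if:
        if ev.in_if == internal_if and ev.out_if == external_if:
            return "forward-outbound"
        if ev.in_if == external_if and ev.out_if == internal_if:
            return "forward-inbound"
        return "forward-other"
    if ev.in_if:
        return "input-internal" if ev.in_if == internal_if else "input-external"
    return "output"


def suggested_sysconfig(kind: str, internal_if: str, external_if: str, lan: str) -> List[str]:
    """Which /etc/sysconfig/SuSEfirewall2 settings a verdict points at.

    Only the routed-outbound drop maps to a setting: routing plus masquerading.
    FW_ALLOW_INCOMING_HIGHPORTS_UDP acts on INPUT and cannot help in FORWARD.
    Interface names and LAN prefix are the caller's assumptions.
    """
    if kind == "forward-outbound":
        return [
            'FW_DEV_EXT="%s"' % external_if,
            'FW_DEV_INT="%s"' % internal_if,
            'FW_ROUTE="yes"',
            'FW_MASQUERADE="yes"',
            'FW_MASQ_NETS="%s"' % lan,
        ]
    return []


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        ev = parse_line(raw)
        kind = classify(ev, "eth0", "modem0")
        print("%-8s %-5s %s -> %s:%s  [%s]" % (ev.chain, ev.action, ev.fields.get("SRC"),
                                              ev.fields.get("DST"), ev.fields.get("DPT"), kind))
        for setting in suggested_sysconfig(kind, "eth0", "modem0", "192.168.86.0/24"):
            print("    " + setting)
```

Run against the first constructed line, the verdict is "forward-outbound": the LAN host's query to the ISP resolver on UDP/53 left via modem0 and was dropped by the FORWARD chain's default policy, which is exactly the case where FW_ROUTE/FW_MASQUERADE apply and FW_ALLOW_INCOMING_HIGHPORTS_UDP does not. The second line, an unsolicited SYN arriving on the external interface for the firewall itself, is the INPUT-chain case that the FW_SERVICES_EXT_* variables govern.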
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here