Re: [suse-security] How to replace FW_ALLOW_INCOMING_HIGHPORTS_UDP?

From: Ludwig Nussel (ludwig.nusselsuse.de)
Date: Mon Feb 07 2005 - 03:09:53 CST


Paul Elliott wrote:
> Ok, I have a dialup connection to the internet.
> I want to let hosts on my internal net use my ISP's domain name
> service.
>
> For 9.1 I had:
>
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"
>
> But in 9.2 the startup process complained about this line
> so I commented it out in SuSEfirewall2.

Only the special keyword "DNS" is no longer supported. Nevertheless
I would recommend avoiding FW_ALLOW_INCOMING_HIGHPORTS_UDP if
possible.

> Now of course, attempts by hosts on my internal net to
> use dns fail and lines like this appear in /var/log/messages:
>
> Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
> Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10
>
> 192.168.86.4 is a host on my internal net and
> 199.170.88.10 and 199.170.88.29 are my ISP's dns servers!
>
> I believe the log entries are complaining about a UDP packet that
> was trying to go from my ISP's domain name service to a host
> on my internal net.

No, read the message carefully: IN=eth0 OUT=modem0. It's got nothing
to do with FW_ALLOW_INCOMING_HIGHPORTS_UDP, as it happens in the
forward chain in the outgoing direction. You need to configure
masquerading to make this work. As others already suggested, it's
generally a good idea to set up bind as a caching-only nameserver
instead. See MODIFY_NAMED_CONF_DYNAMICALLY in
/etc/sysconfig/network/config if your nameservers are assigned
dynamically by your provider.

cu
Ludwig

--
 (o_ Ludwig Nussel
 //\ SUSE LINUX Products GmbH, Development
 V_/_ http://www.suse.de/
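The "read the message carefully: IN=eth0 OUT=modem0" point above, as an added example that is not part of the thread: a small Python triage script that parses SuSEfirewall2 kernel log lines into their netfilter fields and names the path the packet took (forward LAN to dialup, input on the external side, ...), so a dropped DNS query is recognised as a forwarding/masquerading problem rather than an incoming-port one. The first sample line is the one quoted in the post; the second and third lines, the INext chain name, the `ZONES` interface map and the documentation addresses in them are constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log in the SuSEfirewall2 kernel log format. Line 1 is the
# line quoted in the thread; lines 2-3 are made up (INext chain name assumed,
# RFC 5737 documentation addresses) to give the classifier an inbound drop and
# a non-firewall line to tell apart.
SAMPLE_LOG = """\
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-INext-DROP-DEFLT IN=modem0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=56 TOS=0x00 PREC=0x00 TTL=51 ID=4711 PROTO=UDP SPT=53 DPT=1034 LEN=36
Feb 3 23:26:50 hrnowl sshd[1234]: Accepted publickey for paul from 192.168.86.4 port 40000 ssh2
"""

# Assumed interface-to-zone map for the poster's box: eth0 is the LAN side,
# modem0 the dialup link. Adjust to your own interfaces.
ZONES = {"eth0": "int", "modem0": "ext"}

# SFW2-<chain>-<target>-<rule> followed by the netfilter key=value dump.
SFW2_RE = re.compile(
    r"SFW2-(?P<chain>[A-Za-z]+)-(?P<target>[A-Z]+)-(?P<rule>[A-Z]+)\s+(?P<rest>.*)$"
)


@dataclass
class Sfw2Event:
    chain: str              # e.g. FWDint (forward chain, packet entered on the internal zone)
    target: str             # e.g. DROP
    rule: str               # e.g. DEFLT (default policy, no explicit rule matched)
    fields: Dict[str, str]  # key=value pairs from the netfilter log
    flags: List[str] = field(default_factory=list)  # bare tokens such as DF


def parse_sfw2_line(line: str) -> Optional[Sfw2Event]:
    """Parse one syslog line; return None if it is not an SFW2 firewall log."""
    m = SFW2_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length): keep the
            # first as LEN and the second as LEN_L4 so neither is lost.
            if k in fields:
                k += "_L4"
            fields[k] = v
        else:
            flags.append(tok)
    return Sfw2Event(m.group("chain"), m.group("target"), m.group("rule"), fields, flags)


def classify(ev: Sfw2Event, zones: Dict[str, str] = ZONES) -> str:
    """Name the path the packet took, from the chain and the IN/OUT interfaces."""
    in_if, out_if = ev.fields.get("IN", ""), ev.fields.get("OUT", "")
    if ev.chain.startswith("FWD") and in_if and out_if:
        return f"forward {zones.get(in_if, '?')}->{zones.get(out_if, '?')}"
    if ev.chain.startswith("IN"):
        return f"input from {zones.get(in_if, '?')}"
    if ev.chain.startswith("OUT"):
        return f"output to {zones.get(out_if, '?')}"
    return "unknown"


def advise(ev: Sfw2Event, zones: Dict[str, str] = ZONES) -> str:
    """Turn a drop into a one-line hint about which configuration area it belongs to."""
    path = classify(ev, zones)
    svc = " (DNS query)" if ev.fields.get("PROTO") == "UDP" and ev.fields.get("DPT") == "53" else ""
    if path == "forward int->ext":
        return (f"{ev.target} on {path}{svc}: LAN host going out through the router; "
                "needs masquerading/forwarding, not an incoming-port rule")
    if path == "input from ext":
        return (f"{ev.target} on {path}: packet arriving on the external side; "
                "this is the case incoming-port rules such as FW_ALLOW_INCOMING_HIGHPORTS_UDP govern")
    return f"{ev.target} on {path}{svc}"


def triage(log_text: str, zones: Dict[str, str] = ZONES) -> List[str]:
    """Run every SFW2 line of a log through advise(); non-firewall lines are skipped."""
    out: List[str] = []
    for line in log_text.splitlines():
        ev = parse_sfw2_line(line)
        if ev is not None:
            out.append(advise(ev, zones))
    return out


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print(hint)
```

Feed it `/var/log/messages` (or `journalctl -k` output on a newer box) and the zone map for your own interfaces; the poster's line comes out as "DROP on forward int->ext (DNS query)", which is the masquerading case, while a reply hitting the dialup side lands in the incoming-port bucket.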
