AW: IPChains Question (compatibility mode on kernel 2.4.x)
From: Michael Kluge (michael.kluge_at_wundermedia.de)
Date: Tue, 13 May 2003 16:02:40 +0200
To: "Sebastian Muniz" <firstname.lastname@example.org>, "Bill Tihen" <email@example.com>
> You are missing the point.
> ddp 37 DDP # Datagram Delivery Protocol
> Seems you are trying to block ddp, that is a protocol that runs
> _over_ tcp or udp
Well, I don't think so! DDP is part of the AppleTalk protocol suite.
It may run over IP but not over TCP or UDP.
> Firewall can decide on the port but examining
> the port source/address of tcp and udp.
> For instance if you want to deny or accept ddp you should block/accept
> tcp/udp arriving on port 37.
No! DDP is a protocol, not a service! To block DDP at all you must do
-A input -i eth0 -p ddp -j DENY
The problem is that ipchains does not know much about ddp. You can't
filter ddp traffic by the used ports. Either ACCEPT all ddp traffic or
Port filtering of ddp is simply not supported by ipchains.
See also (e.g. on your Linux system):
# Datagram Delivery Protocol services
rtmp 1/ddp # Routing Table
nbp 2/ddp # Name Binding Protocol
echo 4/ddp # AppleTalk Echo
zip 6/ddp # Zone Information
ddp 37 DDP # Datagram Delivery Protocol
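
An added illustration, not part of the original message: the sketch below builds two constructed IPv4 packets and evaluates a protocol rule and a port rule against them, showing that the 37 in the protocols listing is the IPv4 header's protocol field and is unrelated to TCP/UDP port 37. The rule dictionaries and the `matches` function are a simplified, hypothetical model of firewall matching, not ipchains code; the addresses are documentation-range placeholders.

```python
import struct

# IP protocol numbers: ddp = 37 is from the listing above;
# tcp = 6 and udp = 17 are the standard assigned values.
PROTO = {"tcp": 6, "udp": 17, "ddp": 37}

def ipv4_packet(proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

def tcp_segment(sport, dport):
    """Minimal 20-byte TCP header; only the port fields matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)

def matches(rule, packet):
    """Evaluate a simplified rule {'proto': name, 'dport': int or None}."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = packet[9]                      # IPv4 protocol field
    if proto != PROTO[rule["proto"]]:
        return False
    if rule.get("dport") is None:
        return True                        # protocol-only rule
    # Ports exist only inside a TCP or UDP header; any other protocol
    # carries no port field this model could compare against.
    if proto not in (PROTO["tcp"], PROTO["udp"]):
        return False
    (dport,) = struct.unpack_from("!H", packet, ihl + 2)
    return dport == rule["dport"]

# Simplified forms of the two approaches argued over in the thread.
RULE_PROTO = {"proto": "ddp", "dport": None}   # like: -p ddp -j DENY
RULE_PORT = {"proto": "tcp", "dport": 37}      # like: deny tcp port 37

# Constructed sample packets (payload bytes are filler, not real DDP).
DDP_PKT = ipv4_packet(PROTO["ddp"], b"\x00" * 13)
TCP37_PKT = ipv4_packet(PROTO["tcp"], tcp_segment(40000, 37))

if __name__ == "__main__":
    for name, pkt in (("ddp packet", DDP_PKT), ("tcp/37 packet", TCP37_PKT)):
        print(name, "proto rule:", matches(RULE_PROTO, pkt),
              "port rule:", matches(RULE_PORT, pkt))
```
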