AW: IPChains Question (compatibility mode on kernel 2.4.x)
From: Michael Kluge (michael.kluge_at_wundermedia.de)
Date: 05/13/03
- Previous message: Glynn Clements: "Re: IPChains Question (compatibility mode on kernel 2.4.x)"
Date: Tue, 13 May 2003 16:02:40 +0200
To: "Sebastian Muniz" <seba@mtss.dnsalias.org>, "Bill Tihen" <bill@tasis.ch>
Hi!
>
> Hi!
> You are missing the point.
>
> ddp 37 DDP # Datagram Delivery Protocol
> Seems you are trying to block ddp, that is a protocol that runs
> _over_ tcp or udp
Well, I don't think so! DDP is part of the AppleTalk protocol suite.
It may run over IP but not over TCP or UDP.
> Firewall can decide on the port but examining
> the port source/address of tcp and udp.
> For instance if you want to deny or accept ddp you should block/accept
> tcp/udp arriving on port 37.
No! DDP is a protocol, not a service! To block DDP at all you must do
sth. like this:
-A input -i eth0 -p ddp -j DENY
The problem is that ipchains does not know much about ddp. You can't
filter ddp traffic by the used ports. Either ACCEPT all ddp traffic or
not. Port filtering of ddp is simply not supported by ipchains.
See also (e.g. on your Linux system):
/etc/services:
...
#
# Datagram Delivery Protocol services
#
rtmp 1/ddp # Routing Table Maintenance Protocol
nbp 2/ddp # Name Binding Protocol
echo 4/ddp # AppleTalk Echo Protocol
zip 6/ddp # Zone Information Protocol
#
...
and
/etc/protocols:
...
ddp 37 DDP # Datagram Delivery Protocol
...
> Byes!
>
Regards,
Michael.
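
The distinction argued over in this message, as an added example that is not part of the original post: it parses constructed excerpts in the /etc/protocols and /etc/services formats and shows what the number 37 refers to in each file. The `time` entries and all function names are assumptions added for illustration; the ddp lines mirror those quoted above.

```python
# Constructed excerpts in /etc/protocols and /etc/services format.
PROTOCOLS = """\
tcp   6   TCP   # transmission control protocol
udp   17  UDP   # user datagram protocol
ddp   37  DDP   # Datagram Delivery Protocol
"""
SERVICES = """\
time  37/tcp  timserver
time  37/udp  timserver
rtmp  1/ddp   # Routing Table Maintenance Protocol
nbp   2/ddp   # Name Binding Protocol
echo  4/ddp   # AppleTalk Echo Protocol
zip   6/ddp   # Zone Information Protocol
"""

def parse_protocols(text):
    """Map protocol name/alias -> IP protocol number (what '-p' matches)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in [fields[0]] + fields[2:]:
                table[name.lower()] = int(fields[1])
    return table

def parse_services(text):
    """Return (service, number, transport) tuples from 'name num/proto' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            number, transport = fields[1].split("/", 1)
            entries.append((fields[0], int(number), transport.lower()))
    return entries

def meaning_of(number, protocols, services):
    """List every namespace in which this number is assigned."""
    hits = {("ip-protocol", name) for name, n in protocols.items() if n == number}
    hits |= {(t + "-port", name) for name, n, t in services if n == number}
    return sorted(hits)

def services_over(transport, services):
    """Services whose numbers live in the given transport's own namespace."""
    return {name: n for name, n, t in services if t == transport}

PROTO = parse_protocols(PROTOCOLS)
SVC = parse_services(SERVICES)

if __name__ == "__main__":
    print(meaning_of(37, PROTO, SVC))   # three separate namespaces share "37"
    print(services_over("ddp", SVC))    # DDP socket numbers, not TCP/UDP ports
```

A rule that matches TCP or UDP port 37 therefore matches the `time` service in this sample data, while DDP is selected by protocol number with `-p ddp`.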