AW: IPChains Question (compatibility mode on kernel 2.4.x)

From: Michael Kluge (michael.kluge_at_wundermedia.de)
Date: 05/13/03

  • Next message: SimonChan_at_lifeisgreat.com.sg: "hardening scripts"
    Date: Tue, 13 May 2003 16:02:40 +0200
    To: "Sebastian Muniz" <seba@mtss.dnsalias.org>, "Bill Tihen" <bill@tasis.ch>

    Hi!

    >
    > Hi!
    > You are missing the point.
    >
    > ddp 37 DDP # Datagram Delivery Protocol
    > Seems you are trying to block ddp, that is a protocol that runs
    > _over_ tcp or udp

    Well, I don't think so! DDP is part of the AppleTalk protocol suite.
    It may run over IP but not over TCP or UDP.

    > Firewall can decide on the port but examining
    > the port source/address of tcp and udp.
    > For instance if you want to deny or accept ddp you should block/accept
    > tcp/udp arriving on port 37.

    No! DDP is a protocol, not a service! To block DDP at all you must do
    something like this:
    -A input -i eth0 -p ddp -j DENY

    The problem is that ipchains does not know much about ddp. You can't
    filter ddp traffic by the used ports. Either ACCEPT all ddp traffic or not.
    Port filtering of ddp is simply not supported by ipchains.

    See also (E.g. on your linux system):
    /etc/services:
    ...
    #
    # Datagram Delivery Protocol services
    #
    rtmp 1/ddp # Routing Table Maintenance Protocol
    nbp 2/ddp # Name Binding Protocol
    echo 4/ddp # AppleTalk Echo Protocol
    zip 6/ddp # Zone Information Protocol
    #
    ...

    and

    /etc/protocols:
    ...
    ddp 37 DDP # Datagram Delivery Protocol
    ...

    > Byes!
    >

    Regards,
    Michael.
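The distinction Michael is making, as an added example that is not part of the original mail: a packet filter resolves `-p ddp` through /etc/protocols to IP protocol number 37, while "port 37" only exists inside a TCP or UDP header, so the two rules look at different bytes of the packet. The /etc/protocols and /etc/services excerpts below are constructed from the lines quoted above (plus the standard `time 37/tcp` entry, which is what TCP port 37 actually is); the rule parser is a toy that understands a small ipchains-like subset, not ipchains itself, and the packet model, function names and the refusal of a port match on a port-less protocol are assumptions of this example.

```python
"""Added example: why a TCP/UDP port-37 rule cannot block DDP (IP protocol 37).

The file excerpts are constructed (copied from the mail plus the standard
'time 37/tcp' entry); nothing is read from the running system.  The rule
parser is a toy subset of ipchains syntax, not ipchains.
"""
from collections import namedtuple

PROTOCOLS_FILE = """\
ip      0   IP      # internet protocol, pseudo protocol number
tcp     6   TCP     # transmission control protocol
udp     17  UDP     # user datagram protocol
ddp     37  DDP     # Datagram Delivery Protocol
"""

SERVICES_FILE = """\
time    37/tcp  timserver   # TCP port 37 is the TIME service, unrelated to protocol 37
time    37/udp  timserver
rtmp    1/ddp   # Routing Table Maintenance Protocol
nbp     2/ddp   # Name Binding Protocol
echo    4/ddp   # AppleTalk Echo Protocol
zip     6/ddp   # Zone Information Protocol
"""


def _fields(line):
    """Drop the '#' comment and return the whitespace-separated fields."""
    return line.split("#", 1)[0].split()


def parse_protocols(text):
    """Map protocol name -> IP protocol number (what '-p name' resolves to)."""
    table = {}
    for line in text.splitlines():
        f = _fields(line)
        if f:
            table[f[0]] = int(f[1])
    return table


def parse_services(text):
    """Map (service, proto) -> number.  The '/ddp' suffix marks a DDP socket
    number, which is not a TCP or UDP port and is invisible to an IP filter."""
    table = {}
    for line in text.splitlines():
        f = _fields(line)
        if f:
            number, proto = f[1].split("/")
            table[(f[0], proto)] = int(number)
    return table


# What the filter sees: the IP protocol field, plus a destination port only
# when the payload is TCP or UDP (dport is None for anything else).
Packet = namedtuple("Packet", "ip_proto dport")
PORT_PROTOS = {6, 17}  # only TCP and UDP headers carry port numbers


def parse_rule(rule, protocols):
    """Toy parser for: -A chain [-i iface] -p proto [--destination-port N] -j TARGET."""
    tok = rule.split()
    opts = {tok[i]: tok[i + 1] for i in range(0, len(tok), 2)}
    proto_name = opts.get("-p", "all")
    proto = None if proto_name == "all" else protocols[proto_name]
    dport = opts.get("--destination-port")
    if dport is not None and proto not in PORT_PROTOS:
        # Assumption of this toy: refuse a port match on a protocol that has
        # no port field instead of silently never matching.
        raise ValueError(f"port match is only valid for tcp/udp, not {proto_name}")
    return {"proto": proto, "dport": None if dport is None else int(dport),
            "target": opts["-j"]}


def verdict(rules, pkt, protocols, policy="ACCEPT"):
    """First-match evaluation; fall through to the chain policy."""
    for r in (parse_rule(s, protocols) for s in rules):
        if r["proto"] is not None and r["proto"] != pkt.ip_proto:
            continue
        if r["dport"] is not None and (pkt.ip_proto not in PORT_PROTOS
                                       or pkt.dport != r["dport"]):
            continue
        return r["target"]
    return policy


PROTOS = parse_protocols(PROTOCOLS_FILE)
SERVICES = parse_services(SERVICES_FILE)

# Constructed sample traffic: a DDP-over-IP datagram (its NBP socket 2 lives
# inside the DDP header, which the IP filter does not parse) and a TCP
# connection to the TIME service on port 37.
DDP_PKT = Packet(ip_proto=PROTOS["ddp"], dport=None)
TIME_PKT = Packet(ip_proto=PROTOS["tcp"], dport=SERVICES[("time", "tcp")])

PORT_RULES = ["-A input -i eth0 -p tcp --destination-port 37 -j DENY",
              "-A input -i eth0 -p udp --destination-port 37 -j DENY"]
PROTO_RULE = ["-A input -i eth0 -p ddp -j DENY"]


def compare():
    """Verdicts (DDP datagram, TCP/37) under each rule set."""
    return {
        "port-37 rules": (verdict(PORT_RULES, DDP_PKT, PROTOS),
                          verdict(PORT_RULES, TIME_PKT, PROTOS)),
        "-p ddp rule": (verdict(PROTO_RULE, DDP_PKT, PROTOS),
                        verdict(PROTO_RULE, TIME_PKT, PROTOS)),
    }


if __name__ == "__main__":
    for name, (ddp, time_) in compare().items():
        print(f"{name:14s} DDP datagram -> {ddp:6s}  TCP/37 -> {time_}")
    try:
        parse_rule("-A input -p ddp --destination-port 2 -j DENY", PROTOS)
    except ValueError as e:
        print("per-socket DDP filtering:", e)
```

Run as a script, it shows the port-37 rules letting the DDP datagram through while blocking the TIME service, the `-p ddp` rule doing the reverse, and the attempt to filter DDP by socket number being refused because there is no port field for the filter to compare.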

