Re: IP Tables DNS issues

On 16 Jan 2006, in the Usenet newsgroup comp.security.firewalls, in article
<1137484145.957697.290540@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, Vampyre wrote:

>I'm having problem with my IP tables allowing DNS queries,

I'm not surprised. Where did you come up with this script, or is it
do-it-yourself? You'd probably benefit from reading Rusty's two HOWTOs,
and similar docs, like

287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

># Drop ICMP echo-request messages sent to broadcast or multicast addresses

I prefer to ignore all pings. What-ever

># Drop source routed packets

OK

># Enable TCP SYN cookie protection from SYN floods

Expecting the world to attack your systems?

># Log packets with impossible source addresses

Why bother?

># Allow unlimited traffic on the loopback interface

OK

># Set default policies

There is significant discussion of the merits of DROP (ignore) versus DENY
(send RESET or ICMP Type 3). Briefly, with DROP, the remote will try three
times because it thinks that the packets got lost en route, while a DENY
tells the remote to FOAD. The DENY will _usually_ result in less traffic.
The exception is UDP (generally to ports 1025-1035 or so) used for windoze
messenger spam. This is often using false source addresses, and an ICMP
error is a waste of time.

># Previously initiated and accepted exchanges bypass rule checking

OK, but that only applies to TCP.

># Allow ICMP ECHO REQUESTS on LAN interface

As above. Ping _was_ a useful service in the 1980s.

># Allow DNS resolution
>$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state
>--state NEW -j ACCEPT
>$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state
>--state NEW -j ACCEPT

You might want to figure how you get 'state NEW' on a UDP packet. TCP is
only used when your name server returns a response with the 'TC' flag
in the DNS message (TrunCation to a maximum total of 512 octets).

># Allow ntp synchronization

As above ('state NEW').

>my squid won't work, nor does browsing from the local f/w box.

What are the exact error messages?

>It does work if I change default policy to DENY?

As noted above, the difference between DROP and DENY is that you tell
unwanted packets to f*ck off. I don't know why this should make a
difference, but the way to find out is to run 'tcpdump -n' and look at
the packets (the -n to avoid contaminating the data with useless name
lookups).

>any ideas? I'm running on RH9.0

RH9 was end-of-life in April 2004. There is limited (back-ported)
errata at download.fedoralegacy.org, but I'd recommend replacing
that with something more modern (Fedora Core 4 is current, FC5 is
in beta - should be out in 6-8 weeks).

Old guy
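An added example, not the original poster's script and not Old guy's: the stateful pattern the reply is pointing at, written out as a small sh script. The interface name in $INTERNET and the DRY_RUN switch (print the commands instead of running them) are assumptions made here for illustration. It shows the outbound NEW rules for UDP and TCP 53 and for NTP together with the inbound ESTABLISHED,RELATED rule that lets the answers back in (conntrack also tracks UDP exchanges, so a reply to an outbound query matches ESTABLISHED even though UDP has no handshake), and it builds the tail of the chain either as a silent DROP or as the REJECT that iptables uses for what the post calls DENY (TCP RST for TCP, ICMP port-unreachable for the rest).

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful ruleset for a box
# that needs outbound DNS and NTP.  Assumptions, not from the post:
#   INTERNET  - name of the external interface (default eth0)
#   DRY_RUN   - 1 prints the iptables commands, 0 runs them (needs root)

INTERNET="${INTERNET:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_rules POLICY: emit the whole ruleset.  POLICY is DROP (ignore
# unwanted packets) or REJECT (tell the sender: RST for TCP, ICMP
# port-unreachable for everything else), i.e. the DROP/DENY choice.
build_rules() {
    policy="${1:-DROP}"

    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Unlimited traffic on loopback.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Answers to anything this host started.  Conntrack tracks UDP as
    # well as TCP, so DNS and NTP replies match ESTABLISHED here; without
    # this INPUT rule a DROP policy silently eats every DNS answer.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNS resolution: UDP for normal queries, TCP when the server sets the
    # TC flag and the resolver retries over TCP.
    ipt -A OUTPUT -o "$INTERNET" -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$INTERNET" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # NTP synchronisation.
    ipt -A OUTPUT -o "$INTERNET" -p udp --dport 123 -m state --state NEW -j ACCEPT

    # Everything else arriving: drop silently, or reject with an error.
    if [ "$policy" = "REJECT" ]; then
        ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
        ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
    else
        ipt -A INPUT -j DROP
    fi
}

# Stand-alone use: print (or with DRY_RUN=0 apply) the DROP variant.
# To check what actually happens on the wire, run alongside it:
#   tcpdump -n -i "$INTERNET" port 53
build_rules "${1:-DROP}"
```

Run it as-is to see the commands, then DRY_RUN=0 sh script.sh REJECT (as root) to load the REJECT variant; the INPUT ESTABLISHED,RELATED rule is the one that makes the difference between a ruleset that resolves names and one where every query times out.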