ipfw and DNS

Dan Lukes dan at obluda.cz
Sat Sep 6 21:30:21 CEST 2003


Frankus wrote:

> 00100   0      0 allow ip from any to any via lo0
> 01400  71   5810 allow tcp from any to any established
> 01500   0      0 allow ip from any to any frag
> 01600   0      0 allow tcp from any to 62.245.80.XX dst-port 22 setup
> 01700   0      0 deny log tcp from any to any in via de0 setup
> 01800   0      0 allow tcp from any to any setup
> *01900   0      0 allow udp from 62.245.80.XX to any dst-port 53 keep-state
> 02000   0      0 allow udp from 62.245.80.XX 53 to any*
> 65535 847 105265 deny ip from any to any


	Unfortunately, we know too little about the network configuration of the host in question and about the value of net.inet.ip.fw.one_pass, so it is very hard to analyse the firewall configuration.

	So I may be wrong, but I don't see anywhere in there, for example, any rule permitting DNS traffic over TCP. It is surely preaching to the converted on this list to point out that DNS runs over both UDP and TCP, and while with a special client configuration one might perhaps be able to do without UDP, TCP can never be left out.


	A further complication I see is that even for UDP there is nothing that would let the reply to an already-sent packet come back in: rule 1900 applies only to outgoing queries and to nothing else.


								Dan
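As an added example, not part of the thread and not the poster's ruleset, here is an rc.firewall-style fragment that covers the two points raised above: an explicit check-state rule so replies to the stateful UDP query are matched, and a rule for DNS over TCP. The rule numbers are chosen to slot between rules 1800 and 2000 of the quoted listing; the host address, resolver address, interface name de0 and the FWCMD preview variable are assumptions.

```shell
#!/bin/sh
# Added example: explicit DNS rules for ipfw (not the poster's ruleset).
# Placeholders: HOST stands in for the masked 62.245.80.XX, RESOLVER for
# the recursive resolver the host is allowed to query, de0 for the
# outside interface. Set FWCMD=echo to preview the rules without loading.
HOST="${HOST:-192.0.2.10}"
RESOLVER="${RESOLVER:-198.51.100.53}"
fwcmd="${FWCMD:-/sbin/ipfw -q}"

load_dns_rules() {
    # Consult the dynamic ruleset first: replies to the stateful queries
    # below are accepted here, in both directions, without a wide
    # "from any 53 to any" rule.
    $fwcmd add 1850 check-state
    # DNS over UDP: the outgoing query creates the dynamic entry.
    $fwcmd add 1900 allow udp from "$HOST" to "$RESOLVER" dst-port 53 \
        out via de0 keep-state
    # DNS over TCP (truncated answers, large records, zone transfers):
    # allow the outgoing connection setup and track the rest statefully.
    $fwcmd add 1910 allow tcp from "$HOST" to "$RESOLVER" dst-port 53 \
        out via de0 setup keep-state
}

# Run as "sh dns-rules.sh load" to install the rules.
[ "${1:-}" = "load" ] && load_dns_rules
```

With `FWCMD=echo sh dns-rules.sh load` the script only prints the ipfw commands it would issue.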