Giacomo, How about an example!?!
I'm a little surprised as to why you'd point out an exploit and not tell people how to fix it...

Thanks,
Gary

-----Original Message-----
From: Giacomo Mulas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 3:48 AM
To: Michal Melewski
Cc: [EMAIL PROTECTED]
Subject: Re: CNAME, iptables and qmail

On Mon, 6 May 2002, Michal Melewski wrote:

> Hello
> Try to add the following lines into your firewall script:
> iptables -A INPUT -p udp -i $DEV -s 0/0 --sport 53 -j ACCEPT
> iptables -A INPUT -p udp -i $DEV -s 0/0 -j DROP
> iptables -A OUTPUT -p udp -i $DEV -d 0/0 --dport 53 -j ACCEPT

this opens a gaping hole: anybody can get _any_ udp traffic to any port through your firewall, provided it has the source port 53. Bad idea...

What about using the statefulness of the netfilter code to first let queries out and then only let _answers_ back in?

Hint: Try reading a bit more carefully the iptables man page where it talks about the "state" module (used by the -m state --state options). It is the strongest point in the 2.4.x kernels' firewalling code, as compared to 2.2.x kernels.

Bye
Giacomo

--
_________________________________________________________________
Giacomo Mulas <[EMAIL PROTECTED], [EMAIL PROTECTED]>
_________________________________________________________________
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 248 Fax : +39 070 71180 222
_________________________________________________________________
"When the storms are raging around you, stay right where you are"
(Freddy Mercury)
_________________________________________________________________

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.351 / Virus Database: 197 - Release Date: 4/19/2002
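Gary asks for an example, so here is one: the stateful version of the three quoted rules that Giacomo's hint points at. This is an added example written for this page, not code posted by anyone in the thread. It assumes the external interface is in DEV and that the kernel has the state (ip_conntrack) module loaded; IPT defaults to echoing the commands so the rule set can be previewed without root, and is set to a real iptables binary to apply it. Note that the quoted OUTPUT rule used -i, which iptables rejects in the OUTPUT chain; the example uses -o there. The flag_sport_accepts helper is a constructed, rudimentary audit that picks out the pattern criticised in the thread: an INPUT ACCEPT keyed purely on a source port with no state match.

```shell
#!/bin/sh
# Stateful DNS client rules, replacing "accept anything with sport 53".
# Added example, not from the thread. Assumptions: DEV is the outside
# interface; the state module is available; IPT is either a preview
# ("echo iptables", the default) or the real binary ("iptables").

DEV="${DEV:-eth0}"
IPT="${IPT:-echo iptables}"

dns_client_rules() {
    # Our own resolver queries leave on dport 53; NEW creates the conntrack entry.
    $IPT -A OUTPUT -o "$DEV" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Only UDP that conntrack has already seen go out as a query is let back in,
    # so the source port of an unsolicited packet no longer buys it entry.
    $IPT -A INPUT -i "$DEV" -p udp -m state --state ESTABLISHED -j ACCEPT
    # Everything else inbound over UDP is dropped, sport 53 included.
    $IPT -A INPUT -i "$DEV" -p udp -j DROP
}

# Constructed audit helper: read iptables commands on stdin and print those
# that ACCEPT on INPUT based on --sport without any "-m state" qualifier.
# Exits 0 even when nothing matches so it is safe under "set -e".
flag_sport_accepts() {
    grep -- '-A INPUT' | grep -- '--sport' | grep -- '-j ACCEPT' | grep -v -- '-m state' || true
}

# Preview the rule set when run directly (IPT unset => echo only).
dns_client_rules
```

Run it as-is to see the three commands; run it as `IPT=iptables DEV=eth0 sh dns-rules.sh` (as root) to install them. Pipe any existing firewall script through flag_sport_accepts to find rules shaped like the one quoted above.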