I think it works.

In /etc/shorewall/params I defined all trusted networks. In /etc/shorewall/rules

   ?SECTION NEW
   IPTABLES(DROP)     wan1:!$TRUSTEDHOSTS   $FW               udp 53 ; -m string --algo bm --hex-string "|01000001|"
   dropNotSyn         wan1                  $FW               tcp
   DNS_DDoS           wan1                  $FW               udp domain

For now, I think this is easy to maintain and effective.

   iptables -nvL
    904 80243 ~excl0     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 STRING match  "|01000001|" ALGO name bm TO 65535
    135  9213 DNS_DDoS   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53

Thank you for your support.

Tom Eastep schreef op 8-7-2014 23:33:
On 7/8/2014 2:19 PM, Ruud Baart wrote:
I think I found part of the solution.

In /etc/shorewall/rules:
       IPTABLES(DROP) wan1 $FW udp 53 ; -m string --algo bm --hex-string "|01000001|"
does not work. But
       iptables -I INPUT 1 -p udp --dport 53 -m string --algo bm --hex-string "|01000001|" -j DROP
works.

I assume the place of the rule in the iptables rule set is important. In
the last case it is part of the chain INPUT and in the first case it is
part of the chain wan1-fw (of course this is specific for this server)

I would like to get it working in shorewall. Easier to maintain and
easier to make an exception for the internal systems. Is there a way to
get the rule on the correct position or chain?

Are there UDP 53 rules before that one in the rules file?

-Tom


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Regards,

Ruud Baart
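A worked model of what the string-match rule in this thread actually selects, added here as an example; it is not code from the thread or from Shorewall. The four bytes "|01000001|" sit at offsets 2..5 of an RFC 1035 DNS header: FLAGS=0x0100 (QR=0, RD=1) followed by QDCOUNT=0x0001, i.e. the header of an ordinary recursive query carrying one question. The script builds such queries, mirrors the iptables string search and the wan1:!$TRUSTEDHOSTS exclusion, and reports the verdict of the IPTABLES(DROP) rule. The TRUSTED_HOSTS networks are hypothetical stand-ins for $TRUSTEDHOSTS from /etc/shorewall/params, and searching only the UDP payload (rather than the whole packet from the IP header, as the kernel match does) is a simplification.

```python
import struct
from ipaddress import ip_address, ip_network

# Pattern from the rule: --hex-string "|01000001|".  In an RFC 1035 header
# these bytes are FLAGS=0x0100 (QR=0, RD=1) followed by QDCOUNT=0x0001,
# the flags/qdcount of an ordinary recursive query with one question.
PATTERN = bytes.fromhex("01000001")

# Hypothetical stand-in for $TRUSTEDHOSTS (documentation ranges, RFC 5737).
TRUSTED_HOSTS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]


def build_dns_query(qname, txid=0x1234, rd=True, qtype=1):
    """Construct a minimal DNS query: 12-byte header plus one question.

    rd=True sets the Recursion Desired bit (flags 0x0100), as stub
    resolvers and reflection probes normally do; rd=False clears it.
    """
    flags = 0x0100 if rd else 0x0000
    # id, flags, qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack(">HH", qtype, 1)  # qtype, class IN


def string_match(payload, pattern=PATTERN, from_offset=0, to_offset=65535):
    """Model of iptables -m string --algo bm --from/--to: an unanchored
    substring search over the window.  Simplification: the real match
    walks the packet from the IP header; this only looks at the payload.
    """
    return pattern in payload[from_offset:to_offset]


def rule_verdict(src_ip, payload, trusted=TRUSTED_HOSTS):
    """Verdict of the posted rule
       IPTABLES(DROP) wan1:!$TRUSTEDHOSTS $FW udp 53 ; -m string ...
    "DROP" when the packet is dropped, "CONTINUE" when it falls through
    to the dropNotSyn / DNS_DDoS rules that follow it.
    """
    src = ip_address(src_ip)
    if any(src in net for net in trusted):
        return "CONTINUE"  # excluded by the !$TRUSTEDHOSTS qualifier
    if string_match(payload):
        return "DROP"
    return "CONTINUE"


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    samples = [
        ("203.0.113.9", build_dns_query("example.com"), "untrusted, RD=1"),
        ("203.0.113.9", build_dns_query("example.com", rd=False), "untrusted, RD=0"),
        ("192.0.2.10", build_dns_query("example.com"), "trusted, RD=1"),
    ]
    for src, pkt, what in samples:
        print(f"{what:16s} -> {rule_verdict(src, pkt)}")
```

Two things the model makes visible: a query with RD cleared does not contain the pattern and passes straight through to the later rules, and the search is not anchored to the header, so any packet whose bytes happen to contain 01 00 00 01 elsewhere is also dropped. The counters in the iptables -nvL output above (~excl0 is the exclusion chain Shorewall generates for the !$TRUSTEDHOSTS part) are the place to confirm that trusted-host queries are indeed bypassing the drop.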

