Re: [PLUG] myfirst fw rules(rev.2)
>
> I see three problems...
>
> 2. UDP is stateless. Checking for state is a waste of time. Especially
> for established or related packets. (It may even error when iptables tries
> to insert the rule.) The question of allowing UDP at all is open to
> debate. Some will argue that you shouldn't allow it at all. Some will say
> it allows some services to run faster. That's something you need to
> decide.
Now this is interesting! I've tested what I could do with
this (testing with DNS queries on port 53 UDP):
1. --destination-port only
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp \
-m multiport --destination-port $UDP_OPENPORTS -j ACCEPT
results in recursive DNS not working. Non-recursive DNS
works (when named is queried about domain names it is
authoritative for).
As I figure it out, the problem is that when the DNS server accepts a
RECURSIVE DNS query (port 53), it turns around and issues a query
of its own to the upstream name server! Since that name
server cannot reply (it replies FROM 53 to some random
port) the situation becomes worse because the DNS server
(our localhost) retries the connection and eventually escalates
to the root servers resulting in many many queries.
2. --state NEW instead of --destination-port
$IPTABLES -A INPUT -i $WAN_DEVICE -p udp -m state --state NEW \
-m multiport --destination-port $UDP_OPENPORTS -j ACCEPT
You are correct, this appears to be invalid. I have a
logging instruction just after this and kernel fails to log
many connections it should have denied.
3. --state ESTABLISHED,RELATED and then --destination-port
This seems to work ok. All the DNS queries work properly. I would
assume that the kernel somehow keeps track of the UDP connections
and "remembers" them too. I also tried making random connections
(nc -u to.myhost 8000) and they are logged and denied as
they are supposed to be.
I'd do a few more tests just to verify again but it seems to
work fine for me.
4. --source-port and --destination-port
Never tried it, but this should work also. (Setting
sport and dport of 53 should work fine for dns servers.)
jondz / epike
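An added illustration, not part of the original post: the Python model below mimics how the kernel's connection tracking treats UDP, replays a constructed recursive-DNS exchange (client query, our query to the upstream server, the upstream reply on a random high port) plus an unsolicited probe to port 8000 against rule set 1 (destination-port only) and rule set 3 (ESTABLISHED,RELATED first, then destination-port), and shows why the upstream reply is dropped under the first and accepted under the third. All addresses, ports and the `UDP_OPENPORTS` value are constructed for the example; the conntrack model is a simplification (no timeouts, no RELATED handling).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in": arrives on the WAN interface, "out": leaves via WAN
    src: str
    sport: int
    dst: str
    dport: int
    note: str = ""  # label used to look the verdict up afterwards


class Conntrack:
    """Minimal model of kernel UDP tracking: a flow is keyed by its 4-tuple,
    and a packet travelling the reverse direction of a flow already seen
    counts as ESTABLISHED; anything else is NEW."""

    def __init__(self):
        self._flows = set()

    def state(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self._flows or reverse in self._flows:
            return "ESTABLISHED"
        return "NEW"

    def record(self, p: Packet) -> None:
        self._flows.add((p.src, p.sport, p.dst, p.dport))


# Constructed value standing in for $UDP_OPENPORTS in the post.
UDP_OPENPORTS = {53}


def rules_dport_only(p: Packet, ct: Conntrack) -> bool:
    """Rule set 1: -p udp -m multiport --destination-port $UDP_OPENPORTS -j ACCEPT"""
    return p.dport in UDP_OPENPORTS


def rules_established_then_dport(p: Packet, ct: Conntrack) -> bool:
    """Rule set 3: accept ESTABLISHED,RELATED first, then new packets to open ports."""
    if ct.state(p) == "ESTABLISHED":
        return True
    return p.dport in UDP_OPENPORTS


def run_input_chain(policy, packets):
    """Feed packets through the model. Inbound packets get the policy's verdict;
    outbound packets are assumed allowed by OUTPUT but are still seen by
    conntrack, which is what later lets the reply match ESTABLISHED."""
    ct = Conntrack()
    verdicts = {}
    for p in packets:
        if p.direction == "in":
            accepted = policy(p, ct)
            verdicts[p.note] = "ACCEPT" if accepted else "LOG+DROP"
            if accepted:
                ct.record(p)
        else:
            ct.record(p)
    return verdicts


# Constructed hosts (RFC 5737 documentation ranges) and a constructed exchange.
DNS_SERVER = "203.0.113.10"   # the firewalled host running named
CLIENT = "198.51.100.77"      # a resolver client on the WAN side
UPSTREAM = "198.51.100.1"     # upstream name server

RECURSIVE_LOOKUP = [
    Packet("in", CLIENT, 40000, DNS_SERVER, 53, "client query"),
    Packet("out", DNS_SERVER, 51234, UPSTREAM, 53, "our query to upstream"),
    Packet("in", UPSTREAM, 53, DNS_SERVER, 51234, "upstream reply"),
    Packet("out", DNS_SERVER, 53, CLIENT, 40000, "answer to client"),
    Packet("in", CLIENT, 40001, DNS_SERVER, 8000, "nc -u probe"),
]


if __name__ == "__main__":
    for name, policy in [("1. dport only", rules_dport_only),
                         ("3. ESTABLISHED then dport", rules_established_then_dport)]:
        print(name)
        for note, verdict in run_input_chain(policy, RECURSIVE_LOOKUP).items():
            print(f"  {note:24s} {verdict}")
```

Running it shows the "upstream reply" line as LOG+DROP under rule set 1 and ACCEPT under rule set 3, while the `nc -u` probe to port 8000 is LOG+DROP in both cases, matching the behaviour described in the post.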
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug