[ https://issues.apache.org/jira/browse/CLOUDSTACK-5494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14042114#comment-14042114 ]
Nux edited comment on CLOUDSTACK-5494 at 6/24/14 1:51 PM:
----------------------------------------------------------

This is still causing problems (received complaints the other day that my VR was used in a DNS reflection attack).

Here's a quick hack to "fix" it in ADV+SG zone (and likely in Basic zone as well). Run this from VR's rc.local:

http://pastebin.com/raw.php?i=6C53WUg3

(moved the commands in pastebin as confluence messed them up)

was (Author: nuxro):
This is still causing problems (received complaints the other day that my VR was used in a DNS reflection attack).

Here's a quick hack to "fix" it in ADV+SG zone (and likely in Basic zone as well). Run this from VR's rc.local:

    # allow DNS queries only from our public ranges; we determine these by
    # looking at the existing rules for port 8080 access
    for i in $(iptables-save | grep 8080 | awk '{print $4}'); do
        iptables -I INPUT -s "$i" -p tcp -m tcp --dport 53 -j ACCEPT
        iptables -I INPUT -s "$i" -p udp -m udp --dport 53 -j ACCEPT
    done

    # remove the rules that accept requests from everyone
    iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
    iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT

> the dns resolver servers on the VRs are open to the world
> ---------------------------------------------------------
>
>                 Key: CLOUDSTACK-5494
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5494
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>    Affects Versions: 4.2.0, 4.3.0
>            Reporter: Wei Zhou
>            Assignee: Jayapal Reddy
>            Priority: Critical
>              Labels: security
>             Fix For: Future
>
>
> Currently the port 53 (tcp and udp) on virtual routers are open, so everyone
> on the internet can visit the dns service on virtual routers. This may cause
> overload and security issues.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
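The workaround above derives the allowed DNS client ranges from whatever INPUT rules already permit port 8080 and then drops the catch-all port-53 rules. The following is an added example, not the commenter's script and not CloudStack code: it performs the same derivation on iptables-save output but emits the iptables commands instead of running them, matches rules on `--dport 8080` and the `-s` option rather than on a fixed field position (so counters or a different rule layout do not confuse it), and refuses to remove the catch-all rules when no ranges were found, since that would cut every guest off from the resolver. The iptables-save text, the 203.0.113.0/24 and 198.51.100.0/25 ranges, and the `--apply` flag are constructed for this example.

```shell
#!/bin/sh
# Added example (not the project's or the commenter's code): restrict the
# VR resolver on port 53 to the source ranges already allowed for port 8080.

# Constructed iptables-save output standing in for a VR's filter table.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.0/25 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

# Read iptables-save text on stdin; print the unique source ranges (-s value)
# of INPUT rules that allow port 8080, one per line.
dns_allowed_ranges() {
    awk '$1 == "-A" && $2 == "INPUT" && /--dport 8080/ {
             for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1)
         }' | sort -u
}

# Read iptables-save text on stdin; print the iptables commands that insert
# per-range ACCEPT rules for tcp/udp 53 at the top of INPUT and then delete
# the two catch-all rules. Inserting before deleting avoids a window in which
# guests have no DNS at all. With no derived ranges, print nothing and fail.
dns_restrict_commands() {
    ranges=$(dns_allowed_ranges)
    if [ -z "$ranges" ]; then
        echo "no port-8080 source ranges found; leaving port 53 rules untouched" >&2
        return 1
    fi
    printf '%s\n' "$ranges" | while read -r cidr; do
        printf 'iptables -I INPUT -s %s -p tcp -m tcp --dport 53 -j ACCEPT\n' "$cidr"
        printf 'iptables -I INPUT -s %s -p udp -m udp --dport 53 -j ACCEPT\n' "$cidr"
    done
    printf 'iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT\n'
    printf 'iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT\n'
}

# Without arguments, show what would be done for the constructed sample.
# With --apply (hypothetical flag), run against the live ruleset as root.
if [ "${1:-}" = "--apply" ]; then
    iptables-save | dns_restrict_commands | sh
else
    printf '%s\n' "$SAMPLE_RULES" | dns_restrict_commands
fi
```

Run it without arguments on any host to review the generated commands before putting it behind `--apply` in rc.local; the generated rules should be checked against `iptables -S INPUT` afterwards, and a resolver test from an address outside the allowed ranges should now time out.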