/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

> for what is udp needed except DNS and traceroute?

NTP, syslog, FSP, NetBIOS (apparently), BOOTP and DHCP, RPC (Sun and MS variants), lots of online games, streaming media and don't forget SGI dogfight!

> is it ok for a normal linux box to allow udp 53 and udp 33434:33463
> (traceroute) and deny everything else?

There's no answer to that type of question unless we know what your 'security policy' is and what your setup looks like in detail. It's your call to make, really.

The DNS destination port is open in many 'firewall' configurations, which makes it a prime target for abuse by trojans on your private net to communicate with the outside. You'd be better off by installing a name server (preferably Joe Bernstein's and not BIND) on the Linux box and only allowing that to do DNS, while the internal net resolves on the Linux box. If you use only a specific name server, e.g. your provider's, you can narrow down the ipchains rules to allow DNS contact only to that server.

As for traceroute, you need to allow the ICMP replies to the UDP packets, of course. You don't need to allow inbound UDP packets; traceroute uses only outbound UDP packets.

> a lot of trojans are using udp, so blocking it would be in general a
> good thing. UDP is a connectionless protocol, so it's a bit hard to do
> anything really dangerous with it.

Bull. UDP is connectionless, yes, but many protocols exist that use it to establish connections. It is just not performed by the transport layer, but higher up. And even if only one-way connections would be allowed, that's all you need for either a trojan on your computer receiving instructions this way (inbound) or a trojan on your computer sending info out to the world (outbound).

UDP is used a lot for things like RealAudio and other streaming media, not to mention video conferencing applications. If you're not concerned about those types of apps, then it's probably ok to block it. All these protocols are extremely ugly, from a security point of view. They use dynamic ports and often transport sensitive data (video conferencing or voice over IP). It's best to use IPSec when making use of these, IMHO.

Regards,
Tobias

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
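The UDP policy sketched in the reply (DNS only to one known resolver, outbound-only traceroute probes plus the ICMP answers, everything else on UDP dropped) modelled as a small stateless filter, so the effect on a trojan using port 53 can be checked. This is an added example, not code from the thread; the rule order, the provider resolver address 192.0.2.53 and the sample packets are assumptions.

```python
# Stateless model of the UDP/ICMP policy discussed above (constructed
# example). Packets are as seen on the box's external interface.
from dataclasses import dataclass

PROVIDER_DNS = "192.0.2.53"             # assumption: the only resolver used
TRACEROUTE_PORTS = range(33434, 33464)  # 33434:33463, as in the thread


@dataclass
class Packet:
    direction: str      # "out" (leaving the box) or "in" (arriving)
    proto: str          # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def decide(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DENY', first matching rule wins (ipchains style)."""
    if pkt.proto == "udp":
        # Outbound DNS only to the provider's resolver, not to any host on
        # port 53; that is what keeps a trojan from tunnelling over "DNS".
        if pkt.direction == "out" and pkt.dst == PROVIDER_DNS and pkt.dport == 53:
            return "ACCEPT"
        # Answers from that resolver. A stateless filter can only match on
        # source address and port here, so no other source is accepted.
        if pkt.direction == "in" and pkt.src == PROVIDER_DNS and pkt.sport == 53:
            return "ACCEPT"
        # Traceroute probes leave the box; no inbound UDP is needed for them.
        if pkt.direction == "out" and pkt.dport in TRACEROUTE_PORTS:
            return "ACCEPT"
        return "DENY"
    if pkt.proto == "icmp" and pkt.direction == "in":
        # Traceroute replies: time-exceeded (11) from each hop and
        # port-unreachable (3) from the final destination.
        if pkt.icmp_type in (11, 3):
            return "ACCEPT"
    return "DENY"


def audit(packets):
    """Apply the policy to a list of (label, Packet) and return the verdicts."""
    return {label: decide(pkt) for label, pkt in packets}
```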
