Hi,

>> I prefer to use rules like
>> DNS(ACCEPT) ext $FW
>>
>> The built in macros, mostly, ensure that you get all the requisite ports
>> opened to do what you need.

Finally had a minute to test this, and realized that $FW evaluates to 0/0. Is that correct? If so, that's allowing any server on the Internet to query any box on my network for DNS, correct?

# iptables -nL|grep 53
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Where do the "Late DNS Replies" come from? I don't see that reflected in the DNS macro:

###############################################################################
#ACTION  SOURCE  DEST  PROTO  DEST     SOURCE   RATE   USER/
#                             PORT(S)  PORT(S)  LIMIT  GROUP
PARAM    -       -     udp    53
PARAM    -       -     tcp    53

I know there is a very specific set of rules for DNS that can be used to minimize attack. It's outlined in the O'Reilly Firewall book, but it's an arduous process trying to create every specific rule.

Any help would be greatly appreciated.

Thanks,
Alex

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
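An added audit helper for checking what a listing like the one above actually permits; this is example code written for this page, not from the post and not part of Shorewall. It reads saved `iptables -nL` output on stdin and prints every ACCEPT rule for a given destination port whose source column is 0.0.0.0/0 (any address). Because `iptables -nL` prints rules chain by chain, the helper also carries the chain header along, so each hit says whether it sits in INPUT (traffic to the firewall host itself) or FORWARD (traffic passing through it). The sample listing is constructed, modelled on the post's output with two extra rules added so the chain tracking and a restricted-source rule are exercised.

```shell
#!/bin/sh
# Added audit helper (not from the post or from Shorewall): list ACCEPT rules that
# open a given destination port to any source address, with the chain they sit in.

# Constructed sample modelled on the listing in the post; the FORWARD chain and
# the dpt:22 rule are added so chain tracking and a restricted source are tested.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 /* Late DNS Replies */
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            10.0.0.5             udp dpt:53'

# open_to_world PORT  < output-of-iptables-nL
# Prints one line per ACCEPT rule whose destination port is PORT and whose
# source column is 0.0.0.0/0. Columns of `iptables -nL` are:
#   target prot opt source destination [match text ...]
# "Chain X (...)" headers are tracked so every hit is reported with its chain
# (INPUT = delivered to this host, FORWARD = routed through it).
open_to_world() {
  awk -v p="$1" '
    /^Chain / { chain = $2; next }
    $1 == "ACCEPT" && $4 == "0.0.0.0/0" && $0 ~ ("dpt:" p "([^0-9]|$)") {
      print chain " " $2 " dpt:" p " from " $4 " to " $5
    }'
}

# Number of such rules, convenient for a one-line check in a script.
count_open_to_world() {
  open_to_world "$1" | awk 'END { print NR }'
}

# Run against the constructed sample; for a live box, pipe `iptables -nL` instead.
printf '%s\n' "$SAMPLE_RULES" | open_to_world 53
```

On the sample this reports three rules for port 53 (two in INPUT, one in FORWARD) and none for port 22, since that rule is limited to 192.168.1.0/24. Adding `-v` to the `iptables` invocation gives packet and byte counters in extra leading columns, so the field numbers in the awk program would need shifting by two in that case.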
