Tom,
thank you for incorporating DNSAmp in Shorewall. I tried Shorewall
4.6.3 but as far as I can see the DNSAmp macro does not work as I
expect. Perhaps I do something wrong.
With the imperfect firewall rule I test the DNS recursive query:
The rule:
IPTABLES(DROP) wan1:!$TRUSTEDHOSTS lan1 udp 53 ; -m string --algo bm --hex-string "|01000001|"
Legitimate question: *dig -t mx prompt.nl @ns1.prompt.nl*
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41670
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;prompt.nl. IN MX
;; ANSWER SECTION:
prompt.nl. 3600 IN MX 30 wyatt.prompt.nl.
prompt.nl. 3600 IN MX 10 monk.prompt.nl.
prompt.nl. 3600 IN MX 20 eisler.prompt.nl.
Now an illegitimate question: *dig -t mx shorewall.net @ns1.prompt.nl*
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32691
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;shorewall.net. IN MX
This is what I expect: only queries for which the DNS server is
responsible are handled. The DNSAmp macro should replace the imperfect
rule but the behaviour should be the same. I test this by replacing the
imperfect rule with the DNSAmp macro. With the new macro the rule becomes:
DNSAmp(DROP) wan1:!$TRUSTEDHOSTS lan1
The same questions from the same host result in "connection timed out;
no servers could be reached"
Legitimate question: *dig -t mx prompt.nl @ns1.prompt.nl*
;; global options: +cmd
;; connection timed out; no servers could be reached
and the illegitimate question: *dig -t a shorewall.net @ns1.prompt.nl*
;; global options: +cmd
;; connection timed out; no servers could be reached
Tom Eastep wrote on 20-8-2014 2:29:
2) A DNSAmp action has been added. This action matches recursive UDP
DNS queries. The default disposition is DROP which can be
overridden by the single action parameter (e.g, 'DNSAmp(REJECT)'
will reject these queries). Recursive DNS queries are the basis for
'DNS Amplification' attacks; hence the action name.
--
Regards,
Ruud Baart
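An added illustration (not part of this email and not Shorewall's own code) of the difference between the byte-string match in the "imperfect" rule above and a header-aware check for the RD (recursion desired) bit, which is what a recursive-query action needs to look at. The packets are constructed samples with an assumed transaction id, not captured traffic.

```python
import struct

# The 4-byte pattern from the iptables rule: flags 0x0100 (RD set) followed by QDCOUNT 1.
HEX_PATTERN = bytes.fromhex("01000001")


def build_query(qname, qtype=15, flags=0x0100, txid=0x1234):
    """Build a minimal DNS query (no EDNS). Constructed sample packet, not real traffic."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def naive_match(packet):
    """What `-m string --hex-string "|01000001|"` does: a substring search anywhere in the payload."""
    return HEX_PATTERN in packet


def is_recursive_query(packet):
    """Header-aware check: QR=0 (this is a query) and RD=1 (recursion desired)."""
    if len(packet) < 12:          # shorter than a DNS header: not a DNS message
        return False
    flags = struct.unpack("!H", packet[2:4])[0]
    qr = (flags >> 15) & 1
    rd = (flags >> 8) & 1
    return qr == 0 and rd == 1


def classify(packet):
    """Return both verdicts so the two approaches can be compared side by side."""
    return {"naive": naive_match(packet), "header": is_recursive_query(packet)}


if __name__ == "__main__":
    # Plain recursive query: both checks agree.
    print(classify(build_query("prompt.nl", flags=0x0100)))
    # Recursive query that also sets the AD bit (flags 0x0120): only the header check sees RD.
    print(classify(build_query("prompt.nl", flags=0x0120)))
    # Non-recursive query (flags 0x0000): neither check fires.
    print(classify(build_query("prompt.nl", flags=0x0000)))
```

Because the string match looks at a fixed byte pattern rather than the flag bit, a query whose flags word differs by any other bit (for example 0x0120 with AD set) slips past it even though recursion is requested, while a check on bit 8 of the flags word catches it.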
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users