On Tue, Jul 03, 2001 at 10:09:10PM -0700, Doug Barbieri wrote:
[dns firewalling snipped]
> This cleared up the connection problem. My question, however, is this--why
> should I care from which port a DNS client on a remote machine may connect
> *from*? As long as I only allow connections *to* port 53, shouldn't that
> be good enough? So why do I have the sneaking suspicion that my solution
> isn't very secure? :)
Here's how I do it:
# begin
ME='romana.hajhouse.org'  # Machine's Internet address
IFACE_INET='eth0'         # External interface
# Pull the nameserver addresses out of /etc/resolv.conf (a regex, how apropos ;-)
NS_SERVERS=`perl -ne '/^nameserver ([0-9.]+)/ && print "$1 "' /etc/resolv.conf`
# ...
# For each configured nameserver, allow DNS queries from an unprivileged
# local source port to port 53 (domain) and the matching replies back,
# over both TCP and UDP.
for server in $NS_SERVERS; do
    ipchains -A output -i $IFACE_INET -p tcp \
        -s $ME 1024:65535 \
        -d $server domain -j ACCEPT
    ipchains -A input -i $IFACE_INET -p tcp \
        -s $server domain \
        -d $ME 1024:65535 -j ACCEPT
    ipchains -A output -i $IFACE_INET -p udp \
        -s $ME 1024:65535 \
        -d $server domain -j ACCEPT
    ipchains -A input -i $IFACE_INET -p udp \
        -s $server domain \
        -d $ME 1024:65535 -j ACCEPT
done
# end
The only significant difference is that I only allow traffic to the
nameservers listed in /etc/resolv.conf. That's about as secure as you can
get without resorting to extreme measures.
--
Henry House
OpenPGP key available from http://romana.hajhouse.org/hajhouse.asc