ipfw a DNS
Dan Lukes
dan at obluda.cz
Sat Sep 6 21:30:21 CEST 2003
Frankus wrote:
> 00100 0 0 allow ip from any to any via lo0
> 01400 71 5810 allow tcp from any to any established
> 01500 0 0 allow ip from any to any frag
> 01600 0 0 allow tcp from any to 62.245.80.XX dst-port 22 setup
> 01700 0 0 deny log tcp from any to any in via de0 setup
> 01800 0 0 allow tcp from any to any setup
> *01900 0 0 allow udp from 62.245.80.XX to any dst-port 53 keep-state
> 02000 0 0 allow udp from 62.245.80.XX 53 to any*
> 65535 847 105265 deny ip from any to any
Unfortunately we know too little about the network configuration of the machine in question and about the value of net.inet.ip.fw.one_pass, so it is very hard to analyze the firewall configuration.
So I may be wrong, but I do not see, for example, anywhere a rule allowing DNS communication over TCP. It is surely stating the obvious on this list to recall that DNS runs over both UDP and TCP, and while with a special client configuration one might perhaps do without UDP, TCP can never be left out.
A further complication, as I see it, is that even for UDP I see nothing that would let the reply to a sent packet come back in; rule 1900 applies only to outgoing queries and nothing else.
Dan
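As an added illustration (not part of the thread, and not the original poster's ruleset), here is the DNS portion of an ipfw configuration written the way the reply asks for: queries admitted over both UDP and TCP, with a check-state rule placed ahead of them so the return path is visible in the listing. The host address keeps the thread's 62.245.80.XX placeholder and the outside interface is assumed to be the de0 named in rule 1700; IPFW defaults to "echo ipfw" so the script only prints the commands unless IPFW=/sbin/ipfw is set.

```shell
#!/bin/sh
# Added example (not from the thread): the DNS part of an ipfw ruleset that
# admits queries over both UDP and TCP and gives the replies a way back in.
# Assumptions: ME and OIF are placeholders taken from the quoted listing
# (62.245.80.XX and de0); IPFW defaults to "echo ipfw" so nothing is applied.
IPFW="${IPFW:-echo ipfw}"
ME="${ME:-62.245.80.XX}"     # placeholder host address, as in the quoted rules
OIF="${OIF:-de0}"            # outside interface named in rule 1700

dns_rules() {
    # Match packets against the dynamic rules first, so replies to our own
    # queries are accepted before any static rule is considered.
    ${IPFW} add 1850 check-state
    # Outgoing UDP queries: keep-state records the query so the reply
    # datagram from port 53 is let back in.
    ${IPFW} add 1900 allow udp from "${ME}" to any dst-port 53 out via "${OIF}" keep-state
    # Outgoing TCP queries (answers too large for one UDP datagram): setup
    # matches only the connection request, keep-state admits the rest.
    ${IPFW} add 2000 allow tcp from "${ME}" to any dst-port 53 out via "${OIF}" setup keep-state
}

# How many emitted rules allow the given protocol to dst-port 53?
# Usage: count_dns_rules udp|tcp
count_dns_rules() {
    dns_rules | grep -c -E "allow $1 .* dst-port 53( |$)" || true
}

# Does the emitted set contain an explicit check-state rule? (exit 0 = yes)
has_check_state() {
    dns_rules | grep -q ' check-state$'
}

dns_rules
```

Rules carrying keep-state also perform the dynamic-rule check themselves when a packet reaches them; the explicit check-state in front simply makes the return path obvious to whoever reads the listing, which is the kind of ambiguity the reply complains about.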