
Re: [suse-security] UDP wide open?!?!?



On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:
> * Anders Johansson; <andjoh@xxxxxxxxxx> on 30 Oct, 2002 wrote:
> >On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
> >> so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as
> >> they are not >1023
> >
> >It means incoming traffic on high ports *related* to dns or ntp. Just as a
> >"passive ftp" ftp server accepts incoming high ports despite the ftp port
> >being 21 which is << 1024
>
> Sorry Anders, but I cannot make that out from the script. Where do you read
> this in the code for this interpretation? My understanding is the other
> way around: here you need to place ports >1023

[Dd][Nn][Ss])
                OPEN_DNS=yes

test "$OPEN_DNS" = yes && {
   test -z "$NAMESERVERS" && \
       echo 'Warning: No nameservers in /etc/resolv.conf!'
   for k in $NAMESERVERS; do
       test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do
           $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535
# guess this has to be state NEW because the outgoing packet was not seen when
# doing autodialing... XXX - or?
           $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535
       done
   done
}

>
> Maybe I am mistaken

The documentation in the SuSEfirewall2 script seems to be wrong. It should be
"dns" not "domain", and ntp doesn't seem to be supported (at least I can't
find it).

Anders

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
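As an added illustration of the quoted script fragment (this is example code, not part of SuSEfirewall2 or of the mail above), the script below shows what the "dns" keyword expands to for a constructed resolv.conf: only UDP replies from each configured nameserver's port 53 to the unprivileged port range 1024:65535 are accepted, and the loopback resolver produces no rule at all, so the "wide open" reading does not hold. Rules are echoed rather than passed to iptables, so it runs without privileges.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code): expand FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns"
# for a given resolv.conf into the iptables rules it would produce. Rules are
# printed, never applied.

# Constructed sample resolv.conf; the loopback entry must yield no rule.
SAMPLE_RESOLV_CONF='# constructed sample
nameserver 127.0.0.1
nameserver 192.0.2.53
search example.test
nameserver 198.51.100.5'

# Extract nameserver addresses from resolv.conf text on stdin, one per line.
parse_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Emit the accept rules generated for one nameserver: UDP from that server's
# port 53 to ports 1024-65535, on each of the three input chains. The source
# is always a specific nameserver address, never 0.0.0.0/0.
dns_highport_rules() {
    ns="$1"
    [ "$ns" = 127.0.0.1 ] && return 0
    for chain in input_int input_dmz input_ext; do
        echo "iptables -A $chain -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -p udp -s $ns --sport 53 --dport 1024:65535"
    done
}

# Generate the full rule set for every nameserver in the given resolv.conf text,
# warning on stderr when none is configured (as the original script does).
generate_dns_rules() {
    servers=$(printf '%s\n' "$1" | parse_nameservers)
    [ -z "$servers" ] && echo 'Warning: No nameservers in resolv.conf!' >&2
    for k in $servers; do
        dns_highport_rules "$k"
    done
}

# Number of rules produced: two non-loopback servers x three chains = 6.
count_dns_rules() {
    generate_dns_rules "$1" | wc -l | tr -d ' '
}

generate_dns_rules "$SAMPLE_RESOLV_CONF"
```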