SLUG Mailing List Archives
Re: [SLUG] re: ipchains and dns server
- To: Umar Goldeli <umar@xxxxxxxxxxxxxx>
- Subject: Re: [SLUG] re: ipchains and dns server
- From: Damien Gardner Jnr <rendrag@xxxxxxxxxxx>
- Date: Wed Aug 23 10:00:02 2000
- Cc: slug@xxxxxxxxxxx
- User-agent: Mutt/1.0.1i
On Wed, Aug 23, 2000 at 07:25:10AM +1000, Umar Goldeli said:
--> Not necessarily - remember that all your queries will *go* to port 53
--> of the other dns servers.. so you can define an inbound rule of dest port
--> = 53 to let that stream continue happily.
But having an inbound rule allowing port 53 traffic in isn't going to help much if the traffic isn't coming back in to port 53, i.e. if bind makes a query from, say, port 1534, how is the reply data going to get back in if you don't have that port opened in your firewalling?
Now sure, you could add an inbound rule of src port = 53, which would get around this, but then you've just circumvented your whole firewall, as all the hax0r who wants to get into your box has to do is use a source port of 53, and they have full access to your machine. :\
Damien Gardner Jnr - Dip.EE StudIEAust
rendrag@xxxxxxxxxxx - http://www.rendrag.net/
Ph: 0417 055 052 - Fax: 02 6299 9713
-- A hard-on does NOT count as personal growth.
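The three cases argued over in this thread (a "dest port = 53" rule dropping the reply to BIND's ephemeral port, a "src port = 53" rule letting the reply through but also letting anyone who picks source port 53 through, and what a reply-tracking filter would do instead) can be played out with a toy packet filter. This is an added example, not code from the thread or from ipchains; the addresses, ports and the `StatefulFilter` class are constructed for illustration. ipchains itself is stateless, so the tracking filter models what a later connection-tracking firewall does rather than anything ipchains can be configured to do.

```python
"""Toy stateless (ipchains-style) packet filter versus a reply-tracking filter.
Added example for the SLUG ipchains/DNS thread; all addresses and ports are
constructed, and StatefulFilter is a hypothetical model, not an ipchains feature."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One stateless rule: every field that is set must match the packet."""
    action: str                      # "ACCEPT" or "DENY"
    proto: Optional[str] = None      # None matches any protocol
    sport: Optional[int] = None      # None matches any source port
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


def stateless_verdict(rules: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, like an ipchains input chain; else chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


class StatefulFilter:
    """Hypothetical reply-tracking filter: remember each outbound UDP/53 query
    and admit only the one inbound datagram that is its mirror image."""

    def __init__(self) -> None:
        self.pending: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> str:
        if pkt.proto == "udp" and pkt.dport == 53:
            # Store the tuple the reply must have: server -> our ephemeral port.
            self.pending.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "ACCEPT"

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.pending:
            self.pending.discard(key)   # one reply per query; replays are dropped
            return "ACCEPT"
        return "DENY"


# Constructed sample traffic (RFC 5737 documentation addresses).
OUR_HOST = "192.0.2.10"
UPSTREAM_DNS = "198.51.100.53"
ATTACKER = "203.0.113.7"

QUERY = Packet("udp", OUR_HOST, 1534, UPSTREAM_DNS, 53)     # BIND asks from port 1534
REPLY = Packet("udp", UPSTREAM_DNS, 53, OUR_HOST, 1534)     # answer comes back to 1534
ATTACK = Packet("tcp", ATTACKER, 53, OUR_HOST, 22)          # ssh probe sent from sport 53

# Rule set from the quoted suggestion: accept inbound traffic *to* port 53.
DPORT_53_ONLY = [Rule("ACCEPT", proto="udp", dport=53)]
# Rule set from the reply: accept anything *from* port 53 (no protocol given).
SPORT_53_ANY = [Rule("ACCEPT", sport=53)]


def run_scenarios() -> dict:
    """Evaluate each case; returned verdicts are what the test checks."""
    tracker = StatefulFilter()
    tracker.outbound(QUERY)
    return {
        "dport53_reply": stateless_verdict(DPORT_53_ONLY, REPLY),   # DENY: reply misses
        "sport53_reply": stateless_verdict(SPORT_53_ANY, REPLY),    # ACCEPT
        "sport53_attack": stateless_verdict(SPORT_53_ANY, ATTACK),  # ACCEPT: bypass
        "tracked_reply": tracker.inbound(REPLY),                    # ACCEPT
        "tracked_attack": tracker.inbound(ATTACK),                  # DENY
        "tracked_replay": tracker.inbound(REPLY),                   # DENY: already used
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:15} {verdict}")
```

Restricting `SPORT_53_ANY` to `proto="udp"` does not close the hole; it only pushes the attacker from a TCP service to whatever UDP services the host runs.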