[linux-security] Named and Firewalls


Date: Sat, 20 Jun 1998 04:37:05 -0400
From: Adam Sulmicki <adam@cfar.UMD.EDU>
To: linux-security@redhat.com
Subject: [linux-security] Named and Firewalls
Cc: adam@cfar.UMD.EDU


Since it seems that named is the theme of the month, I thought I would present
an example of using a firewall to protect your bind service.

One of the reasons for presenting it is that in all the examples shown so far,
everyone seemed to suggest leaving named fully open. However,
it does not always have to be the case. Say, if you are running a private
network, then you just want to allow named to get data transfers from a
trusted host and that is all.

[root@eax /root]# cat ipfwadm-named
#!/bin/sh
# Allow connections to named only from trusted name servers.
ME="1.2.3.4"             # my IP
NS1="10.20.30.41"        # IP of the primary name server
NS2="10.20.30.42"        # IP of the secondary name server
NS3="10.20.30.43"        # IP of the tertiary name server
SRV="domain"             # port 53, by service name
# Flush the input chain, then accept DNS (udp and tcp) from each trusted server.
/sbin/ipfwadm -I -f
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P udp -S $NS1 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P tcp -S $NS1 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P udp -S $NS2 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P tcp -S $NS2 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P udp -S $NS3 $SRV
/sbin/ipfwadm -I -a accept -D ${ME} $SRV -W eth0 -P tcp -S $NS3 $SRV
# Reject everything else aimed at port 53 and log it (-o) so scans show up in syslog.
/sbin/ipfwadm -I -a reject -D ${ME} $SRV -W eth0 -P tcp -o -v -x -e
/sbin/ipfwadm -I -a reject -D ${ME} $SRV -W eth0 -P udp -o -v -x -e


And while we are speaking about named, here is an example
of someone from a "Catholic liberal arts institution" (as per their web
page) connecting to my box. I assume that person was scanning the
whole subnet searching for vulnerable versions of named.

Jun 20 03:12:52 foo kernel: IP acct in eth0 TCP 206.244.45.248:2666 a.b.c.d:53 L=40 S=0x00 I=1795 F=0x0000 T=233
Jun 20 03:12:52 foo named[292]: accept: Connection reset by peer

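As an added example (not part of the post above), a small Python check that reads kernel accounting lines of the shape quoted in the message and reports DNS contacts from hosts outside the trusted-server list, i.e. the traffic the reject rules would log. The trusted addresses reuse the script's placeholder values, and the line layout is assumed from the single line shown.

```python
import re

# Trusted name servers: the placeholder addresses from the ipfwadm-named
# script in the post, reused here as an assumption.
TRUSTED_NS = {"10.20.30.41", "10.20.30.42", "10.20.30.43"}
DNS_PORT = 53

# Shape of the kernel accounting line quoted in the post:
#   IP acct in eth0 TCP 206.244.45.248:2666 a.b.c.d:53 L=40 S=0x00 ...
# The three words after "IP" (chain, direction, interface) are kept opaque;
# the destination may be a redacted host such as "a.b.c.d".
ACCT_RE = re.compile(
    r"IP (?P<chain>\S+) (?P<dir>\S+) (?P<iface>\S+) "
    r"(?P<proto>TCP|UDP) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+)"
)

def parse_acct_line(line):
    """Return the fields of one kernel accounting line, or None when the
    line is something else (e.g. named's "Connection reset by peer")."""
    m = ACCT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def untrusted_dns_contacts(lines, trusted=TRUSTED_NS):
    """Return (source IP, protocol) for every logged contact to the DNS
    port whose source is not a trusted name server."""
    hits = []
    for line in lines:
        rec = parse_acct_line(line)
        if rec is None or rec["dport"] != DNS_PORT:
            continue
        if rec["src"] not in trusted:
            hits.append((rec["src"], rec["proto"]))
    return hits

# Constructed sample: the line from the post, a transfer from a trusted
# server, and the unrelated named entry.
SAMPLE_LOG = [
    "Jun 20 03:12:52 foo kernel: IP acct in eth0 TCP 206.244.45.248:2666 a.b.c.d:53 L=40 S=0x00 I=1795 F=0x0000 T=233",
    "Jun 20 03:13:01 foo kernel: IP acct in eth0 TCP 10.20.30.41:1055 a.b.c.d:53 L=40 S=0x00 I=1796 F=0x0000 T=60",
    "Jun 20 03:12:52 foo named[292]: accept: Connection reset by peer",
]

if __name__ == "__main__":
    for src, proto in untrusted_dns_contacts(SAMPLE_LOG):
        print(f"untrusted {proto} contact to port {DNS_PORT} from {src}")
```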
