Allow named-xfer's through firewalls
James A Griffin
agriffin at cpcug.org
Sat May 5 16:25:39 UTC 2001
Based on your note below, I went back and looked at the log entries.
> May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17
> 207.7.10.2:45283 64.71.143.244:33471 L=40 S=0x00 I=45320 F=0x0000 T=1
> (#16)
The source port 45283 from ns1.pyrotechnics.com. is associated with the
sub-7 version 2 trojan spy port. It is possible that ns1 has been
compromised. Have them take a look.
For more information see
http://www.robertgraham.com/pubs/firewall-seen.html section 1.4.1
Regards,
Jim
Derek Balling wrote:
>
> At 11:31 AM -0400 5/5/01, James A Griffin wrote:
> >What is the 16th rule in the "input" chain? Protocol 17 is UDP, but
> >transfers use TCP. Are you sure that you have your firewall rules set
> >properly?
>
> Rule 16 is the catch-all "if I haven't explicitly allowed it by now,
> reject it".
>
> My DNS-related rules are:
>
> ipchains -A input -i eth0 -p TCP -s 0.0.0.0/0 -d $LOCALIP 53 -j ACCEPT
> ipchains -A input -i eth0 -p UDP -s 0.0.0.0/0 -d $LOCALIP 53 -j ACCEPT
>
> Which I would think pretty well covers it.
>
> I know it's SOMETHING with the firewalls because if I enable the rule:
>
> ipchains -A input -i eth0 -s 207.7.10.2 -d $LOCALIP -j ACCEPT
>
> it works.
>
> D
>
> --
> +---------------------+-----------------------------------------+
> | dredd at megacity.org | "Conan! What is best in life?" |
> | Derek J. Balling | "To crush your enemies, see them |
> | | driven before you, and to hear the |
> | | lamentation of their women!" |
> +---------------------+-----------------------------------------+
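The thread turns on why a packet logged as UDP to port 33471 fell through to the catch-all rule 16 even though port-53 rules exist. The following is an added example, not code from either poster: it parses the quoted ipchains "Packet log:" line and replays the packet through a simplified first-match model of the quoted rules (the `Rule` class and the `LOCALIP` value, taken from the log's destination address, are assumptions for the demonstration).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the ipchains kernel log line quoted in the thread.
LOG_LINE = ("May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17 "
            "207.7.10.2:45283 64.71.143.244:33471 L=40 S=0x00 I=45320 F=0x0000 T=1 (#16)")

# Field layout of an ipchains "Packet log:" line: chain, target, interface, PROTO=,
# src:sport, dst:dport, L=length, S=TOS, I=IP id, F=fragment word, T=TTL, (#rule number).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=\d+ S=\S+ I=\d+ "
    r"F=\S+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass
class Packet:
    proto: str; src: str; sport: int; dst: str; dport: int; ttl: int; rule: int

def parse_ipchains_log(line: str) -> Packet:
    """Turn one kernel log line into a Packet; raises ValueError for non-ipchains lines."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    return Packet(PROTO_NAMES.get(int(m["proto"]), m["proto"]), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["ttl"]), int(m["rule"]))

@dataclass
class Rule:
    """Simplified 'ipchains -A input' rule (assumed model): None means option not given."""
    target: str; proto: Optional[str] = None; src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"; dport: Optional[int] = None

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def walk_chain(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """First-match semantics; a packet reaching the end falls through to the catch-all REJECT."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return number, rule.target
    return None, "REJECT"

LOCALIP = "64.71.143.244"  # assumed: the destination address in the logged packet
DNS_RULES = [Rule("ACCEPT", "TCP", dst=LOCALIP, dport=53), Rule("ACCEPT", "UDP", dst=LOCALIP, dport=53)]
HOST_ALLOW = Rule("ACCEPT", src="207.7.10.2", dst=LOCALIP)  # the broad rule that "made it work"

if __name__ == "__main__":
    pkt = parse_ipchains_log(LOG_LINE)
    print(walk_chain(DNS_RULES, pkt))                 # (None, 'REJECT'): neither port-53 rule matches
    print(walk_chain(DNS_RULES + [HOST_ALLOW], pkt))  # (3, 'ACCEPT'): only the host-wide allow does
```

The replay shows the logged packet is UDP to port 33471, so neither port-53 rule can match it; the host-wide allow is what accepts it, at the cost of admitting every protocol and port from that source.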