Hi,

I have a bunch of rejects in my logs like this, and wanted to make sure my domain rules were correct:

[24280.792629] Shorewall:ext2fw:REJECT:IN=br0 OUT= MAC=14:da:e9:97:ab:71:00:21:a0:75:e3:12:08:00 SRC=118.97.104.210 DST=68.XXX.YYY.44 LEN=75 TOS=0x00 PREC=0x00 TTL=114 ID=32855 PROTO=UDP SPT=179 DPT=53 LEN=55

I have the following rules for DNS for the 68.XXX.YYY.44 ($FW) server:

ACCEPT ext $FW tcp domain 53
ACCEPT ext $FW tcp domain 1024:
ACCEPT ext $FW udp domain 1024:

Is that correct? I don't believe there should be requests arriving on UDP ports below 1024, correct?

Any ideas for the correct domain entries would be greatly appreciated.

Thanks,
Alex

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
Hello Alex,

I prefer to use rules like

DNS(ACCEPT) ext $FW

The built-in macros, mostly, ensure that you get all the requisite ports opened to do what you need.

Cheers,
Nathan

On 10/11/2011 06:25 AM, Alex wrote:
> Hi,
>
> I have a bunch of rejects in my logs like this, and wanted to make
> sure my domain rules were correct:
>
> [24280.792629] Shorewall:ext2fw:REJECT:IN=br0 OUT=
> MAC=14:da:e9:97:ab:71:00:21:a0:75:e3:12:08:00 SRC=118.97.104.210
> DST=68.XXX.YYY.44 LEN=75 TOS=0x00 PREC=0x00 TTL=114 ID=32855 PROTO=UDP
> SPT=179 DPT=53 LEN=55
>
> I have the following rules for DNS for the 68.XXX.YYY.44 ($FW) server:
>
> ACCEPT ext $FW tcp domain 53
> ACCEPT ext $FW tcp domain 1024:
> ACCEPT ext $FW udp domain 1024:
>
> Is that correct? I don't believe there should be requests arriving on
> UDP ports below 1024, correct?
>
> Any ideas for the correct domain entries would be greatly appreciated.
>
> Thanks,
> Alex
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
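To see why the logged packet misses Alex's three explicit rules but would be accepted by the DNS macro Nathan suggests, here is an added Python example (not from the thread and not Shorewall's own code) that parses the netfilter log line and evaluates both rule sets against it. It assumes that `domain` resolves to port 53 as in /etc/services, that the DNS macro expands to the two PARAM lines quoted later in the thread (destination port 53, any source port), and that the ext2fw policy is REJECT, which is the disposition the log line itself shows.

```python
import re

# Constructed sample: the log line from the original post (an empty OUT= field is
# normal for a packet addressed to the firewall itself).
SAMPLE_LOG = ("[24280.792629] Shorewall:ext2fw:REJECT:IN=br0 OUT= "
              "MAC=14:da:e9:97:ab:71:00:21:a0:75:e3:12:08:00 SRC=118.97.104.210 "
              "DST=68.XXX.YYY.44 LEN=75 TOS=0x00 PREC=0x00 TTL=114 ID=32855 "
              "PROTO=UDP SPT=179 DPT=53 LEN=55")

# Assumed subset of /etc/services; Shorewall resolves service names through it.
SERVICES = {"domain": 53}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
CHAIN_RE = re.compile(r"Shorewall:([^:\s]+):([A-Z]+):")


def parse_netfilter_log(line):
    """Extract the Shorewall chain, its disposition, and the 5-tuple from one log line."""
    m = CHAIN_RE.search(line)
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # the first LEN= is the IP length, keep it
    return {
        "chain": m.group(1) if m else None,
        "disposition": m.group(2) if m else None,
        "proto": fields.get("PROTO", "").lower(),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "sport": int(fields["SPT"]) if "SPT" in fields else None,
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def parse_port_spec(spec):
    """Turn a Shorewall port column ('53', 'domain', '1024:', '-') into an inclusive range."""
    if spec in (None, "", "-"):
        return (0, 65535)
    lo, sep, hi = spec.partition(":")
    lo = SERVICES.get(lo, lo)
    if hi:
        hi = SERVICES.get(hi, hi)
    else:
        hi = 65535 if sep else lo  # '1024:' is open-ended, '53' is a single port
    return (int(lo), int(hi))


def rule(action, proto, dport="-", sport="-"):
    """One rules-file line reduced to its PROTO, DEST PORT(S) and SOURCE PORT(S) columns."""
    return {"action": action, "proto": proto,
            "dport": parse_port_spec(dport), "sport": parse_port_spec(sport)}


# Alex's three explicit rules (ext -> $FW), as posted.
ALEX_RULES = [
    rule("ACCEPT", "tcp", "domain", "53"),
    rule("ACCEPT", "tcp", "domain", "1024:"),
    rule("ACCEPT", "udp", "domain", "1024:"),
]

# What the DNS macro expands to: destination port 53, any source port.
DNS_MACRO_RULES = [rule("ACCEPT", "udp", "53"), rule("ACCEPT", "tcp", "53")]


def in_range(port, rng):
    return rng[0] <= port <= rng[1]


def evaluate(rules, pkt, policy="REJECT"):
    """First matching rule wins; an unmatched packet falls through to the zone policy."""
    for r in rules:
        if (r["proto"] == pkt["proto"] and in_range(pkt["dport"], r["dport"])
                and in_range(pkt["sport"], r["sport"])):
            return r["action"]
    return policy


if __name__ == "__main__":
    pkt = parse_netfilter_log(SAMPLE_LOG)
    print(f"{pkt['chain']} logged {pkt['disposition']} for {pkt['proto']} "
          f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    print("explicit rules :", evaluate(ALEX_RULES, pkt))
    print("DNS macro      :", evaluate(DNS_MACRO_RULES, pkt))
```

Running it shows the difference is entirely in the SOURCE PORT(S) column: the packet has SPT=179, which falls outside the explicit rules' `1024:` range, so it drops through to the policy REJECT that appears in the log, while the macro matches on destination port 53 alone and accepts it. The same function can be pointed at any other Shorewall:...:REJECT line to check which rule a logged packet should have hit.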
Hi,

> I prefer to use rules like
> DNS(ACCEPT) ext $FW
>
> The built-in macros, mostly, ensure that you get all the requisite ports
> opened to do what you need.

I should have thought of that. Great idea.

Thanks,
Alex
Hi,

>> I prefer to use rules like
>> DNS(ACCEPT) ext $FW
>>
>> The built-in macros, mostly, ensure that you get all the requisite ports
>> opened to do what you need.

Finally had a minute to test this, and realized that $FW evaluates to 0/0. Is that correct? If so, that's allowing any server on the Internet to query any box on my network for DNS, correct?

# iptables -nL|grep 53
DROP       udp  --  0.0.0.0/0  0.0.0.0/0  udp spt:53 /* Late DNS Replies */
DROP       udp  --  0.0.0.0/0  0.0.0.0/0  udp spt:53 /* Late DNS Replies */
ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:53

Where do the "Late DNS Replies" come from? I don't see that reflected in the DNS macro:

###############################################################################
#ACTION  SOURCE  DEST  PROTO  DEST     SOURCE   RATE   USER/
#                             PORT(S)  PORT(S)  LIMIT  GROUP
PARAM    -       -     udp    53
PARAM    -       -     tcp    53

I know there is a very specific set of rules for DNS that can be used to minimize attack. It's outlined in the O'Reilly Firewall book, but it's an arduous process trying to create every specific rule.

Any help would be greatly appreciated.

Thanks,
Alex
On 14/10/2011 04:11, Alex wrote:
> Where do the "Late DNS Replies" come from? I don't see that reflected
> in the DNS macro:
>

Do a grep in the /usr/share/shorewall dir. I don't have the stuff in front of me, but I think you will find they come from the standard REJECT policy rule?

I'm not sure what "late DNS replies" are matching, but certainly something which can happen with UDP is that you can stop listening and "close" the port before a reply arrives. I think only the operating system can know this (not iptables?), but the OS will usually generate something like an ICMP port unreachable response in return.

Such a situation can occur normally if you have a DNS responder like DNSMasq which queries all DNS servers simultaneously and keeps the fastest response, or more worryingly if someone is trying to poison you by spoofing replies (you get the reply + the spoof - DNS usually keeps the one returned first...).

I have tried to lock down some of these in my own rule set.

Good luck

Ed W
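To make the situation Ed describes concrete, a reply to a UDP query arriving after the firewall no longer has a tracked flow for it, here is an added Python example (not from the thread and not Shorewall's code) that models a minimal connection-tracking table and the order in which an inbound packet is judged: a reply that matches a tracked query is ESTABLISHED and accepted, a UDP packet from source port 53 that matches no tracked query is dropped silently by a "Late DNS Replies"-style rule, and anything else falls to the logged policy. The 30-second timeout, the addresses and the event list are all constructed assumptions, and the model ignores everything conntrack tracks beyond the (client, port, server) key.

```python
# Assumed stand-in for the conntrack UDP timeout; the real value depends on the kernel
# and sysctl settings and is not stated anywhere in the thread.
UDP_REPLY_TIMEOUT = 30.0


class DnsFlowTable:
    """Toy model of the state a firewall needs to decide whether an inbound packet
    with source port 53 answers a query that a host behind it really sent."""

    def __init__(self, timeout=UDP_REPLY_TIMEOUT):
        self.timeout = timeout
        self.flows = {}  # (client_ip, client_port, resolver_ip) -> time of last query

    def outbound_query(self, client_ip, client_port, resolver_ip, now):
        self.flows[(client_ip, client_port, resolver_ip)] = now

    def classify_inbound(self, dst_ip, dport, src_ip, sport, now):
        """Return NEW, ESTABLISHED, LATE or UNSOLICITED for an inbound UDP packet."""
        if sport != 53:
            return "NEW"                      # not a DNS reply at all
        key = (dst_ip, dport, src_ip)
        sent = self.flows.get(key)
        if sent is None:
            return "UNSOLICITED"              # nobody here asked this server anything
        if now - sent > self.timeout:
            del self.flows[key]               # entry aged out before the reply came
            return "LATE"
        return "ESTABLISHED"


def firewall_disposition(state, proto, sport):
    """Chain order modelled after the iptables listing in the thread: the ESTABLISHED
    match comes first, then the policy chain, where a rule on 'udp spt:53' drops
    stray replies quietly before the logging REJECT is reached."""
    if state == "ESTABLISHED":
        return ("ACCEPT", False)
    if proto == "udp" and sport == 53:
        return ("DROP", False)                # late or spoofed reply: no log noise
    return ("REJECT", True)                   # everything else is rejected and logged


def run_scenario():
    """Constructed timeline: one query, then four inbound packets of different kinds."""
    table = DnsFlowTable()
    host, resolver, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.9"
    table.outbound_query(host, 40001, resolver, now=0.0)
    # (label, seconds since the query, src_ip, sport, dport) - all constructed values
    events = [
        ("reply from the queried resolver", 0.2, resolver, 53, 40001),
        ("reply from a server never queried", 0.3, stranger, 53, 40001),
        ("duplicate reply after conntrack expiry", 45.0, resolver, 53, 40001),
        ("unrelated packet to port 53 from port 179", 46.0, stranger, 179, 53),
    ]
    results = []
    for label, t, src, sport, dport in events:
        state = table.classify_inbound(host, dport, src, sport, now=t)
        disposition, logged = firewall_disposition(state, "udp", sport)
        results.append((label, state, disposition, logged))
    return results


if __name__ == "__main__":
    for label, state, disposition, logged in run_scenario():
        print(f"{label:44s} {state:12s} {disposition:7s} logged={logged}")
```

The last event is the same shape as the packet in the original post (UDP, source port 179, destination port 53): it is neither a tracked reply nor a source-port-53 packet, so it reaches the policy and is logged, which is exactly why it showed up in Alex's log while the "Late DNS Replies" rules produce nothing visible. The model also shows the limit Ed points out: a reply from an unexpected source within the timeout is indistinguishable to a stateless rule from a late one, so both are simply dropped and it is the resolver's own checks, not the firewall, that decide which answer is kept.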