Allow named-xfer's through firewalls

James A Griffin agriffin at cpcug.org
Sat May 5 16:25:39 UTC 2001


Based on your note below, I went back and looked at the log entries.

> May  4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17
> 207.7.10.2:45283 64.71.143.244:33471 L=40 S=0x00 I=45320 F=0x0000 T=1
> (#16)

The source port 45283 from ns1.pyrotechnics.com. is associated with the
sub-7 version 2 trojan spy port.  It is possible that ns1 has been
compromised.  Have them take a look.

For more information see
http://www.robertgraham.com/pubs/firewall-seen.html section 1.4.1

Regards,
Jim

Derek Balling wrote:
> 
> At 11:31 AM -0400 5/5/01, James A Griffin wrote:
> >What is the 16th rule in the "input" chain?  Protocol 17 is UDP, but
> >transfers use TCP.  Are you sure that you have your firewall rules set
> >properly?
> 
> Rule 16 is the catch-all "if I haven't explicitly allowed it by now,
> reject it".
> 
> My DNS-related rules are:
> 
>          ipchains -A input -i eth0 -p TCP -s 0.0.0.0/0 -d $LOCALIP 53 -j ACCEPT
>          ipchains -A input -i eth0 -p UDP -s 0.0.0.0/0 -d $LOCALIP 53 -j ACCEPT
> 
> Which I would think pretty well covers it.
> 
> I know it's SOMETHING with the firewalls because if I enable the rule:
> 
>          ipchains -A input -i eth0 -s 207.7.10.2 -d $LOCALIP -j ACCEPT
> 
> it works.
> 
> D
> 
> --
> +---------------------+-----------------------------------------+
> | dredd at megacity.org  | "Conan! What is best in life?"          |
> |  Derek J. Balling   | "To crush your enemies, see them        |
> |                     |    driven before you, and to hear the   |
> |                     |    lamentation of their women!"         |
> +---------------------+-----------------------------------------+
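As an added example (not part of the original thread), the Python below parses the ipchains "Packet log:" line quoted above and checks it against the two DNS ACCEPT rules Derek posted. It assumes $LOCALIP expands to the logged destination 64.71.143.244 and reduces each rule to the fields ipchains was given (interface, protocol, destination, destination port); the logged packet's destination port is 33471, not 53, so neither rule matches and it falls through to the catch-all that fired as #16.

```python
import re
from typing import Optional

# Constructed sample input: the ipchains kernel log line quoted in the thread.
LOG_LINE = ("May  4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17 "
            "207.7.10.2:45283 64.71.143.244:33471 L=40 S=0x00 I=45320 F=0x0000 T=1 (#16)")

# Field layout of an ipchains "Packet log:" line: chain, verdict, interface, protocol
# number, src:port, dst:port, IP header fields, and the number of the rule that fired.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)")

PROTO_NAMES = {6: "TCP", 17: "UDP"}


def parse_ipchains_log(line: str) -> dict:
    """Parse one ipchains log line into named fields (ports and rule number as ints)."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line")
    pkt = m.groupdict()
    pkt["proto"] = PROTO_NAMES.get(int(pkt["proto"]), pkt["proto"])
    for key in ("sport", "dport", "rule"):
        pkt[key] = int(pkt[key])
    return pkt


# The two DNS ACCEPT rules from the thread, reduced to the match fields ipchains was
# given. Assumption: $LOCALIP expands to the logged destination, 64.71.143.244.
LOCALIP = "64.71.143.244"
DNS_RULES = [
    {"iface": "eth0", "proto": "TCP", "dst": LOCALIP, "dport": 53},  # -p TCP -d $LOCALIP 53
    {"iface": "eth0", "proto": "UDP", "dst": LOCALIP, "dport": 53},  # -p UDP -d $LOCALIP 53
]


def first_matching_rule(pkt: dict, rules: list) -> Optional[int]:
    """Index of the first rule whose fields all equal the packet's, else None;
    None means the packet falls through to whatever catch-all ends the chain."""
    for i, rule in enumerate(rules):
        if all(pkt[field] == value for field, value in rule.items()):
            return i
    return None


def explain(line: str, rules: list = DNS_RULES) -> str:
    """One-line verdict a defender can read straight from the log."""
    pkt = parse_ipchains_log(line)
    flow = f"{pkt['proto']} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"
    hit = first_matching_rule(pkt, rules)
    if hit is not None:
        return f"{flow} matches listed rule index {hit}"
    return (f"{flow} matches no listed rule (dport {pkt['dport']} != 53); "
            f"logged as {pkt['verdict']} by rule #{pkt['rule']}")
```

Running `explain(LOG_LINE)` reports that the UDP packet to port 33471 matches neither DNS rule and was REJECTed by rule #16.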

