Bug 40833 - ifup-post: "punching nameserver" code needs improvement
Summary: ifup-post: "punching nameserver" code needs improvement
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: initscripts   
Version: 7.1
Hardware: i386
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2001-05-16 05:45 UTC by Aleksey Nogin
Modified: 2014-03-17 02:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-05-16 05:45:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Aleksey Nogin 2001-05-16 05:45:15 UTC
There are several minor problems with the code in ifup-post for "punching
nameserver holes" in the ipchains firewall.

1) DNS requests always come from non-privileged ports. If we punch a hole
for ports 53 -> 1025:65535 instead of 53 -> any, we'll prevent potential
attackers from being able to send (not receive, though) packets to our
privileged UDP ports just by faking the right IP and port in their UDP
packets.

2) The "nameserver 0.0.0.0" line deserves special treatment.

3) The code that checks if the nameserver is already mentioned in the
ipchains rules is not too accurate. It may be a better idea to simply do
ipchains -D right before ipchains -I. This way, if the rule is not already
there, -D will fail and -I will insert the rule; and if it is already
there, then -D/-I combination would make sure it's active (and not shadowed
by a rule that comes before it) by bringing it up front in the input chain.

4) It may be easier to write good scripts if instead of inserting separate
rules into the input chain, the scripts would insert a single rule (that
only looks at ports, but not the source IPs) that jumps to a separate chain
for DNS packets and then have all the other scripts modify that chain. The
advantage here is that we can always allow ourselves to flush that chain
before processing resolv.conf.
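
The four suggestions in the report, as an added shell example (not the initscripts ifup-post code): it parses resolv.conf, skips "nameserver 0.0.0.0", restricts replies to 53 -> 1025:65535, does -D before -I, and keeps the per-server rules in a dedicated chain. The chain name dns-in and the IPCHAINS dry-run variable are assumptions; by default the ipchains commands are printed rather than executed.

```shell
#!/bin/sh
# Set IPCHAINS=ipchains to apply the rules; the default only prints them.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Print the nameserver addresses from resolv.conf text on stdin, skipping
# comments, the 0.0.0.0 placeholder entry and duplicate addresses.
dns_servers() {
    awk '$1 == "nameserver" && $2 != "0.0.0.0" && !seen[$2]++ { print $2 }'
}

# Add one server to the dns-in chain. The -D is expected to fail when the
# rule is absent; the -I then puts the rule at the front, so an existing
# rule is also moved up and cannot be shadowed by an earlier rule.
punch_nameserver() {
    ns="$1"
    $IPCHAINS -D dns-in -s "$ns" -j ACCEPT 2>/dev/null || true
    $IPCHAINS -I dns-in -s "$ns" -j ACCEPT
}

# Rebuild the DNS chain from the resolv.conf given as $1. The single input
# rule looks only at ports (server port 53 -> local unprivileged ports), so
# privileged local UDP ports are never reachable through it and the dns-in
# chain can be flushed safely each time resolv.conf is reprocessed.
rebuild_dns_chain() {
    $IPCHAINS -N dns-in 2>/dev/null || true
    $IPCHAINS -F dns-in
    $IPCHAINS -D input -p udp -s 0/0 53 -d 0/0 1025:65535 -j dns-in 2>/dev/null || true
    $IPCHAINS -I input -p udp -s 0/0 53 -d 0/0 1025:65535 -j dns-in
    dns_servers < "$1" | while read -r ns; do punch_nameserver "$ns"; done
}
```

Usage: `rebuild_dns_chain /etc/resolv.conf` prints the command sequence; prefix with `IPCHAINS=ipchains` to run it.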

Comment 1 Bill Nottingham 2001-08-09 05:14:42 UTC
dest port will be changed in 6.13-1; thanks!

