[lug] logger entry for punching hole for nameserver

Kevin Fenzi kevin at scrye.com
Tue Apr 24 10:01:16 MDT 2001


>>>>> "David" == David Trowbridge <jupiter at flatirons.org> writes:

David> Hi - I'm new to the list. I'd like to point out a possible
David> problem (that most probably already know about) and ask a
David> question.

David> First, iptables (in its default distribution) has a fairly
David> serious security hole. Most firewalls are configured to utilize
David> the RELATED state, but if a person can get an FTP connection,
David> they can add rules to your firewall. There's an advisory on
David> securityfocus and a netfilter patch for the kernel.

yeah, kinda nasty. Basically lets them open any ports on your
firewall. :( 

Note that you have to be running an ftp server on or inside your
firewall and have that open to the world. 

David> Second, does rh7.1 come with 2.4.2? I haven't yet had time to
David> download the images.

yeah... 2.4.2+ a zillion redhat patches. ;) 

David> Nice to find a new mailing list with interesting people, -David

we try. ;)

David> On Tue, 24 Apr 2001 charles at lunarmedia.net wrote:

>> > I haven't seen it before. What kernel version is it? I wonder
>> > if it is maybe something new with 2.4.x iptables. A search on
>> > google for "punching nameserver" didn't get anything.

The "punching nameserver" seems to be something in the rh7.1 config
scripts. When you get a dns server from a dhcp server, it adds it to
your firewall. Nice touch. 

>> yeah, this was a new one on me. i am running 2.4.2, however i am
>> using ipchains rulesets rather than ones written for iptables. it's
>> a brand new install of rh7.1

rh7.1 (although using a 2.4.x kernel) still uses ipchains instead of
iptables. ;(

kevin
-- 
Kevin Fenzi
MTS, tummy.com, ltd.
http://www.tummy.com/  KRUD - Kevin's Red Hat Uber Distribution
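The exchange above turns on one firewall pattern: a blanket `--state ESTABLISHED,RELATED -j ACCEPT` rule, which lets whatever the FTP conntrack helper marks RELATED through to any port. The following audit script is an added example, not code from the thread or from any of its participants. It assumes iptables-save style rule syntax and works over a constructed sample ruleset (the 192.0.2.x addresses are documentation-range placeholders); the broad rule is flagged, while the rules that limit RELATED traffic to a port range or a source address are not.

```shell
#!/bin/sh
# Constructed sample ruleset in iptables-save format (not from the original
# thread). The first RELATED rule is the broad pattern the thread warns about:
# anything the conntrack FTP helper marks RELATED is accepted on any port.
# The third rule is the narrower form, limited to unprivileged ports, and the
# fourth is the kind of tightly scoped "hole for the nameserver" the thread
# describes the rh7.1 scripts adding, here pinned to one DNS server address.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
-A INPUT -s 192.0.2.53 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
COMMIT'

# flag_broad_related RULESET
#   Print every -A rule that ACCEPTs RELATED traffic without narrowing it to
#   a destination port range (--dport) or a source address (-s). Those are
#   the rules that hand the conntrack helper an unrestricted opening.
flag_broad_related() {
    printf '%s\n' "$1" | awk '
        /^-A/ && /-j ACCEPT/ && /--state [A-Z,]*RELATED/ {
            if ($0 !~ /--dport/ && $0 !~ / -s /) print
        }'
}

# count_broad_related RULESET
#   Number of rules flag_broad_related would report; always prints a number
#   (0 when the ruleset is clean) so it is safe to use under set -e.
count_broad_related() {
    flag_broad_related "$1" | awk 'END { print NR }'
}

# Usage: audit a live box with
#   iptables-save | { r=$(cat); flag_broad_related "$r"; }
# Stand-alone demonstration on the constructed ruleset:
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    echo "Broad RELATED accepts found: $(count_broad_related "$SAMPLE_RULES")"
    flag_broad_related "$SAMPLE_RULES"
fi
```

The narrower `--dport 1024:65535` form limits what a helper-created RELATED entry can reach, but as the thread says, the netfilter kernel patch is the actual fix; the audit only tells you which rulesets are exposed to the blanket version in the meantime.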
