Re: [squid-users] why is the UDP port for DNS queries kept "open"?

From: Adrian Chadd <adrian@dont-contact.us>
Date: Mon, 18 Mar 2002 18:58:14 -0700

On Mon, Mar 18, 2002, Winston Gutkowski wrote:
> Are your NICs PCI-based? If so, I believe they all behave as a single unit
> (ie. any card can answer to any address defined in ifconfig), so attempting
> to block by interface doesn't have any effect. I've had the same trouble
> with ipchains/iptables.

It's got nothing to do with the PCI bus interface on the card.
It'll be to do with the implementation of determining what is
"local addressing" in Linux.

> If you are really worried about the security of having port 53 open, I
> suggest you move your DNS onto a dedicated server in your DMZ (ie. on your
> perimeter network, if you have one, otherwise outside your firewall/proxy,
> connected directly to the internet). DNS will not work if you do not allow
> udp and tcp packets to/from port 53. If your server is only a caching server
> for internal queries, you can block tcp connections (SYN packets) coming in
> to port 53, which prevents some nasties.

In fact, this is what you should do.

Adrian
Received on Mon Mar 18 2002 - 18:58:15 MST
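An added example (not from this thread or either poster) of the caching-only resolver filtering the quoted reply describes: inbound port 53 is accepted only from the internal network, matched on source address rather than on interface, and new inbound TCP connections (SYN) to port 53 are dropped. The internal network 192.0.2.0/24, the DRY_RUN switch and the rule helper names are assumptions for the example; DRY_RUN defaults to 1 so the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not part of the squid-users thread.
# Caching-only DNS host: accept queries from the internal network only,
# drop inbound TCP SYN to port 53 from everywhere else.
# Assumption: internal clients live in 192.0.2.0/24 (documentation range).

INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"   # assumed internal network
IPT="${IPT:-iptables}"                          # iptables binary
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, 0 = apply

# run: print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# dns_rules: emit (or apply) the INPUT-chain rules for the resolver.
dns_rules() {
    # Replies to the resolver's own upstream queries come back as
    # ESTABLISHED/RELATED, so they are accepted regardless of source.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Match on the internal source network, not on an interface: the rule
    # holds no matter which NIC a packet happens to arrive on.
    run -A INPUT -p udp --dport 53 -s "$INTERNAL_NET" -j ACCEPT
    run -A INPUT -p tcp --dport 53 -s "$INTERNAL_NET" -j ACCEPT

    # Caching-only server, not authoritative: drop new inbound TCP
    # connections to 53 from anyone else (the SYN block in the thread).
    run -A INPUT -p tcp --dport 53 --syn -j DROP

    # Likewise drop remaining inbound UDP 53 so only internal clients can query.
    run -A INPUT -p udp --dport 53 -j DROP
}

dns_rules
```

To apply the rules for real, run the script as root with DRY_RUN=0; review the printed commands first, since a mistaken INTERNAL_NET would lock out the clients the resolver is meant to serve.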