authorBill Nottingham <notting@redhat.com>2001-08-09 05:21:22 +0000
committerBill Nottingham <notting@redhat.com>2001-08-09 05:21:22 +0000
commit7f74c1be33abd8013a9164c0b62e0b90c6dd1428 (patch)
tree93310ad21980c436b76e15a7448eff6fa09d3799
parent40e74a9fc0cd709ad18aca6bf5196da093fada6b (diff)
only allow dest port 1025-65535 for DNS replies (#40833, #44038)
-rwxr-xr-xsysconfig/network-scripts/ifup6
-rwxr-xr-xsysconfig/network-scripts/ifup-post2
2 files changed, 4 insertions, 4 deletions
diff --git a/sysconfig/network-scripts/ifup b/sysconfig/network-scripts/ifup
index 093b093c..db3c6205 100755
--- a/sysconfig/network-scripts/ifup
+++ b/sysconfig/network-scripts/ifup
@@ -169,7 +169,7 @@ if [ -n "${DYNCONFIG}" ]; then
# what DNS server they're using until they are done.
FWHACK=
if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
- ipchains -I input -s 0/0 53 -p udp -j ACCEPT
+ ipchains -I input -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT
FWHACK=1
fi
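Review bot: The rule on the `+` line still accepts UDP from any host, on any interface, whenever the source port is 53, so the new `-d 0/0 1025:65535` narrows the exposure to the unprivileged port range rather than closing it: any service listening on UDP 1025-65535 stays reachable to a peer that sets its source port to 53 for as long as the DHCP client runs. Since this block is only entered for the one device being configured (`$DYNCONFIG` in the hunk header), binding the rule to that interface would tighten it further, e.g. `ipchains -I input -i "$DEVICE" -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT`, provided the device variable is set at this point — the enclosing `if` starts outside the hunk, so I cannot confirm it here. Whatever match is used must be repeated byte-for-byte in the two `-D` lines of the following hunk, otherwise the temporary rule is never removed.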
@@ -179,11 +179,11 @@ if [ -n "${DYNCONFIG}" ]; then
echo $" done."
else
echo $" failed."
- [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
+ [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT
exit 1
fi
- [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
+ [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT
else
if [ -z "${IPADDR}" ]; then
# enable device without IP, useful for e.g. PPPoE
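Review bot: The two `-D` lines repeat the full rule specification from the first hunk by hand; ipchains only deletes a rule whose specification matches exactly, so if one copy diverges in a later edit the temporary accept rule silently outlives the DHCP run, and the status of `-D` is not checked on either line. Consider defining the match once, next to `FWHACK=1` in the first hunk, as `FWRULE="-s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT"` and using `ipchains -D input $FWRULE` (word-splitting intended, matching the script's sh style) in both places, or at minimum log a failed removal with `|| logger $"failed to remove temporary DNS firewall rule"`. The enclosing `if [ -n "${DYNCONFIG}" ]` block starts outside this hunk.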
diff --git a/sysconfig/network-scripts/ifup-post b/sysconfig/network-scripts/ifup-post
index 5809220d..10a6fa16 100755
--- a/sysconfig/network-scripts/ifup-post
+++ b/sysconfig/network-scripts/ifup-post
@@ -91,7 +91,7 @@ if [ "$FIREWALL_MODS" != "no" -a -n "$FWACTIVE" ]; then
if [ -n "$ns" ]; then
for nameserver in $ns ; do
if ! ipchains -L input -n | grep -q $nameserver ; then
- ipchains -I input -s $nameserver/32 53 -p udp -j ACCEPT
+ ipchains -I input -s $nameserver/32 53 -d 0/0 1025:65535 -p udp -j ACCEPT
logger $"punching nameserver $nameserver through the firewall"
fi
done
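Review bot: The `+` line leaves `$nameserver` unquoted on the ipchains command line, as the removed line did; since `$ns` originates from the resolver configuration rather than from this script, `-s "$nameserver/32"` costs nothing and keeps a stray glob character from expanding. Unlike the temporary rule in ifup, this accept rule is permanent and, for the same reason as there, still exposes every unprivileged UDP port to traffic claiming source port 53 from that nameserver address, so the destination restriction is an improvement but not a substitute for an interface match. Note also that the pre-existing `grep -q $nameserver` guard above treats the address as a regex and a substring, so `10.0.0.1` also matches an existing rule for `10.0.0.100` and the new rule is then never inserted; `grep -qwF -- "$nameserver"` would be the safer test if that line is touched. The enclosing `if [ "$FIREWALL_MODS" != "no" -a -n "$FWACTIVE" ]` block starts outside the hunk.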