author | Bill Nottingham <notting@redhat.com> | 2001-08-09 05:21:22 +0000 |
---|---|---|
committer | Bill Nottingham <notting@redhat.com> | 2001-08-09 05:21:22 +0000 |
commit | 7f74c1be33abd8013a9164c0b62e0b90c6dd1428 (patch) | |
tree | 93310ad21980c436b76e15a7448eff6fa09d3799 | |
parent | 40e74a9fc0cd709ad18aca6bf5196da093fada6b (diff) | |
only allow dest port 1025-65535 for DNS replies (#40833, #44038)
-rwxr-xr-x | sysconfig/network-scripts/ifup | 6 | ||||
-rwxr-xr-x | sysconfig/network-scripts/ifup-post | 2 |
2 files changed, 4 insertions, 4 deletions
diff --git a/sysconfig/network-scripts/ifup b/sysconfig/network-scripts/ifup
index 093b093c..db3c6205 100755
--- a/sysconfig/network-scripts/ifup
+++ b/sysconfig/network-scripts/ifup
@@ -169,7 +169,7 @@ if [ -n "${DYNCONFIG}" ]; then
     # what DNS server they're using until they are done.
     FWHACK=
     if [ -n "$FWACTIVE" -a "$FIREWALL_MODS" != "no" ]; then
-        ipchains -I input -s 0/0 53 -p udp -j ACCEPT
+        ipchains -I input -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT
         FWHACK=1
     fi
@@ -179,11 +179,11 @@ if [ -n "${DYNCONFIG}" ]; then
         echo $" done."
     else
         echo $" failed."
-        [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
+        [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT
         exit 1
     fi
-    [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -p udp -j ACCEPT
+    [ -n "$FWHACK" ] && ipchains -D input -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT
 else
     if [ -z "${IPADDR}" ]; then
         # enable device without IP, useful for e.g. PPPoE
diff --git a/sysconfig/network-scripts/ifup-post b/sysconfig/network-scripts/ifup-post
index 5809220d..10a6fa16 100755
--- a/sysconfig/network-scripts/ifup-post
+++ b/sysconfig/network-scripts/ifup-post
@@ -91,7 +91,7 @@ if [ "$FIREWALL_MODS" != "no" -a -n "$FWACTIVE" ]; then
     if [ -n "$ns" ]; then
         for nameserver in $ns ; do
             if ! ipchains -L input -n | grep -q $nameserver ; then
-                ipchains -I input -s $nameserver/32 53 -p udp -j ACCEPT
+                ipchains -I input -s $nameserver/32 53 -d 0/0 1025:65535 -p udp -j ACCEPT
                 logger $"punching nameserver $nameserver through the firewall"
             fi
         done
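Review bot: The temporary ACCEPT rule on the `+` line of the first hunk still matches UDP from any source address on any interface, so while the DHCP client runs, any host that sets its source port to 53 can reach every unprivileged UDP port on the machine; the new `-d 0/0 1025:65535` only closes the privileged ports. ipchains is stateless, so the rule cannot be limited to genuine replies, but it can at least be bound to the interface being configured with ipchains' `-i` option, e.g. `ipchains -I input -i <iface> -s 0/0 53 -d 0/0 1025:65535 -p udp -j ACCEPT` where `<iface>` is the device variable ifup already holds outside this hunk, and the two `-D` lines in the second hunk must then be changed identically or the rule will never be removed. The rule is deleted only on the two visible paths; if the script is killed between the `-I` and the `-D`, the hole stays open until the firewall is reloaded, which a `trap` registered right after the `-I` (and cleared after the `-D`) would close. The enclosing `if [ -n "${DYNCONFIG}" ]` block starts and ends outside both hunks.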
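Review bot: In the ifup-post hunk, the presence check on the line above the `+` line, `grep -q $nameserver`, treats the address as an unanchored regex, so the dots match any character and `10.0.0.1` is also found in an existing rule for `10.0.0.10`, in which case the nameserver's own rule is silently never inserted; `grep -qwF -- "$nameserver"` makes it a whole-word literal match. The check also asks only whether the address appears anywhere in the input chain, not whether this specific accept rule exists, so any unrelated rule naming that address suppresses the insert. `-s $nameserver/32` on the new line should be quoted as `-s "$nameserver/32"`; the unquoted `$ns` in the `for` is the one deliberate word-split. Unlike the ifup rule, this one is never removed, so it permanently accepts UDP from source port 53 of that address to all unprivileged ports, which is presumably intended but deserves a comment saying so. The enclosing `if [ "$FIREWALL_MODS" != "no" -a -n "$FWACTIVE" ]` block continues outside the hunk.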