[NTLUG:Discuss] opinions on where to run DNS server..... firewall vs main server.
MadHat
madhat at unspecific.com
Mon Mar 6 09:53:00 CST 2000
Chris Cox wrote:
>
> Jonathan Miller wrote:
> >
> > On Wed, 1 Mar 2000, MadHat wrote:
> >
> > > I am curious why you say this? How is policing UDP any different from
> > > TCP, it is still based on IP and port, so why is it more difficult?
> >
> > OK, you know, I don't remember either. I saw Rusty talk about this and I
> > remember there was some huge problem with DNS and its usage of TCP and
> > UDP, but I might be confusing this with the problems FTP has with
> > ipchains. I've looked around and there doesn't seem to be any problem in only
> > allowing access from certain machines.
> >
>
> UDP is more difficult because TCP has a packet header type...with UDP
> you usually have to dig into the contents of the message to make
> reasonable/questionable determinations about the message type.
Are you saying UDP doesn't have headers on its packets? If so, I am
almost certain you are incorrect and the ipchains facility will be able
to filter UDP packets (if designated) the same way that it does the
TCP/IP packets.
http://www.tcm.hut.fi/Studies/Tik-110.350/1997/Essays/udp.html
is just one reference I found.
The only reason I am continuing this is because I don't want someone to
think UDP is insecure in the idea of setting up firewall rules. UDP is
unreliable due to its method of sending and receiving packets, but it
can still be filtered using ipchains, which is what this thread started
on, I think :~). ipchains filters on source and destination IP and
port, so this shouldn't be a problem.
--
%_=split';','f; Perl ;h;st a;o;ker;@;not;.;hac;u;her;d;ju';
print map $_{$_}, split //,
'madhat at unspecific.com'
# aka Lee Heath, but don't tell anyone.
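As an added illustration (not part of the thread or of ipchains itself), the script below builds a constructed IPv4/UDP datagram, reads the source and destination ports straight out of the fixed 8-byte UDP header, and applies an ipchains-style rule list to it; the addresses and the rule set are assumptions made up for the example.

```python
import ipaddress
import struct

UDP_PROTO = 17


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload=b""):
    """Construct a minimal IPv4 + UDP datagram (checksums left zero)."""
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + 8 + len(payload), 0, 0, 64,
                         UDP_PROTO, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return ip_hdr + udp_hdr + payload


def parse_udp(packet):
    """Return the IP/port 4-tuple a packet filter needs; no payload inspection."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != UDP_PROTO:
        raise ValueError("not a UDP datagram")
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])  # UDP header
    return {"src": src, "dst": dst, "sport": sport, "dport": dport}


# Assumed rule set, equivalent in spirit to:
#   ipchains -A input -p udp -s 192.168.1.0/24 -d 192.168.1.1 53 -j ACCEPT
#   ipchains -P input DENY
# (target, source network, destination network, destination port or None)
RULES = [
    ("ACCEPT", "192.168.1.0/24", "192.168.1.1/32", 53),
]
DEFAULT_POLICY = "DENY"


def filter_packet(packet, rules=RULES):
    """First matching rule wins; fall through to the chain's default policy."""
    f = parse_udp(packet)
    for target, src_net, dst_net, dport in rules:
        if (f["src"] in ipaddress.ip_network(src_net)
                and f["dst"] in ipaddress.ip_network(dst_net)
                and (dport is None or f["dport"] == dport)):
            return target
    return DEFAULT_POLICY
```

Only the IP and UDP headers are consulted, which is exactly the information ipchains matches on; the DNS message itself is never decoded.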