IPTables / Avoiding UDP Vuln

http://cgi.nessus.org/plugins/dump.php3?id=11580

Anyone have any suggestions for IPTables rules that can be used to avoid this type of firewall vulnerability? Also anyone know of a simple method of testing it?

I can see methods of protecting yourself if you are not running an authoritative DNS server… however if you are… it seems a bit more tricky.

4 Replies

@vitrum:

http://cgi.nessus.org/plugins/dump.php3?id=11580

Anyone have any suggestions for IPTables rules that can be used to avoid this type of firewall vulnerability? Also anyone know of a simple method of testing it?

I can see methods of protecting yourself if you are not running an authoritative DNS server… however if you are… it seems a bit more tricky.
This seems to be a vulnerability in Kerio Personal Firewall as per the referenced BugTraq ID. As long as you don't open a hole for everything with udp src port 53 you should be fine.

Well if you're running a DNS server you have to have UDP 53 open… :(

And I don't know, is this a vuln that only affects Kerio? I read that too, but I also read a few places that lead me to believe this affects IPTables as well…

I read a recommendation for the following rules… however I'm not sure how to successfully test it for certain…

# accept inbound DNS queries to our server
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
# accept replies from port 53 only for queries conntrack saw us send
/sbin/iptables -A INPUT -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
# drop everything else that merely claims source port 53
/sbin/iptables -A INPUT -p udp --sport 53 -j DROP
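As an added illustration (not code from anyone in the thread), here is a small Python model of an INPUT chain with a minimal conntrack table; it runs the three rules above next to a "trust anything from source port 53" ruleset over constructed packets, with made-up documentation addresses standing in for the name server, an upstream resolver and a client.

```python
# Simplified model of an iptables INPUT chain for UDP with a minimal
# conntrack table (an added illustration, not iptables itself). It shows
# why "ACCEPT anything with source port 53" is the hole discussed in the
# thread and how the stateful ruleset quoted above closes it.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")  # one UDP datagram

class Firewall:
    """Ordered rules of (match(fw, pkt) -> bool, verdict); first match wins."""
    def __init__(self, rules, policy="DROP"):
        self.rules, self.policy = rules, policy
        self.conntrack = set()  # flows this host initiated
    def send(self, p):
        # Outbound packet: record the flow so its reply counts as ESTABLISHED
        self.conntrack.add((p.src, p.sport, p.dst, p.dport))
    def established(self, p):
        # Inbound packet is a reply only if its reversed tuple is tracked
        return (p.dst, p.dport, p.src, p.sport) in self.conntrack
    def filter(self, p):
        for match, verdict in self.rules:
            if match(self, p):
                return verdict
        return self.policy

# Weak ruleset: any packet claiming source port 53 is trusted (the bug)
WEAK = [
    (lambda fw, p: p.dport == 53, "ACCEPT"),
    (lambda fw, p: p.sport == 53, "ACCEPT"),
]
# Hardened ruleset: the three rules quoted in the thread, in the same order
HARDENED = [
    (lambda fw, p: p.dport == 53, "ACCEPT"),
    (lambda fw, p: p.sport == 53 and fw.established(p), "ACCEPT"),
    (lambda fw, p: p.sport == 53, "DROP"),
]
NS = "192.0.2.10"  # constructed address of our authoritative name server

def scenario(rules):
    """Verdicts for (genuine upstream reply, inbound query, forged sport-53 packet)."""
    fw = Firewall(rules)
    fw.send(Pkt(NS, 40000, "198.51.100.1", 53))  # our server queries upstream
    reply = fw.filter(Pkt("198.51.100.1", 53, NS, 40000))  # upstream's answer
    query = fw.filter(Pkt("203.0.113.5", 51515, NS, 53))  # a client asks us
    forged = fw.filter(Pkt("203.0.113.5", 53, NS, 8080))  # sport 53, other service
    return reply, query, forged
```

Both rulesets pass the genuine reply and the inbound query; only the hardened one drops the packet that merely claims source port 53.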

You can test for this from any other box using a tool like nmap. You can get this at insecure.org.

Jacques
