Installing and Administering PPP

110 Chapter 5
Security Techniques
Writing a Stanza - A Complex UDP Example
a) udp/srcaddr=192.168.199.11/srcport=domain/send/dstport=domain
udp/dstaddr=192.168.199.11/dstport=domain/recv/srcport=domain
Alternatively, group (a) can be combined and simplified into a single rule
similar to:
2) udp/192.168.199.11/dstport=domain/srcport=domain
Both the outbound request and the inbound response match this
template and no packets to UDP ports other than domain (53) are
permitted by the rule.
Domain Name Requests from Other Domain Name Servers
In general, domain name servers on the Internet also want to
query your domain name server to obtain information. The packet
exchange is similar to the outbound request but reversed in order:
dns.domain -> any.domain # the inbound domain request
dns.domain <- any.domain # the outbound response to the request
This means that both the individual rules in example (a) and the
combined rule in example (2), which were created to handle requests
from outside hosts, are still functionally correct.
Step 2 - Rules for Domain Name Requests from Applications
There is a limitation associated with rules (a) and (2) concerning domain
name queries. It arises because not all queries from the Internet will
come from a domain name server. Some will come from applications,
such as ‘nslookup’ or ‘host’, that use an unprivileged port (a port in the
range 1024-65535).
The packet exchange for such an inbound domain query resembles the
following, where ‘unpriv’ is any port from 1024-65535.
dns.domain -> any.unpriv # the inbound domain request
dns.domain <- any.unpriv # the outbound response to the request
Because the query comes from an unprivileged port, you need to add two
additional rules to example (a) to cope with the new packets. You now
need four stanzas to deal with domain queries.
(b) udp/dstaddr=192.168.199.11/dstport=domain/recv/srcport=1024-65535
udp/srcaddr=192.168.199.11/srcport=domain/send/dstport=1024-65535
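To make the difference between rule groups (a), (2) and (b) concrete, the following is an added example (not from the manual) that models the stanza syntax used above in Python and checks the four packet exchanges discussed in this section against each group. It assumes, where the manual does not say so, that a bare address with no srcaddr=/dstaddr= prefix matches either end of the packet, that a stanza without 'send' or 'recv' matches both directions, and that an omitted field matches anything; the remote address 198.51.100.7 is a constructed value.

```python
# Assumed semantics (not stated by the manual): a bare address matches either
# end of the packet, a rule with neither 'send' nor 'recv' matches both
# directions, and an omitted field matches anything.
from collections import namedtuple

SERVICES = {"domain": 53}   # service names used in the stanzas
Packet = namedtuple("Packet", "direction srcaddr srcport dstaddr dstport")

def parse_port(spec):
    """'domain' -> (53, 53); '1024-65535' -> (1024, 65535)."""
    if spec in SERVICES:
        return SERVICES[spec], SERVICES[spec]
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_rule(text):
    proto, *fields = text.split("/")
    rule = {"proto": proto}
    for f in fields:
        if f in ("send", "recv"):
            rule["direction"] = f
        elif "=" in f:
            key, val = f.split("=", 1)
            rule[key] = parse_port(val) if key.endswith("port") else val
        else:
            rule["anyaddr"] = f          # bare address: either end
    return rule

def matches(rule, pkt):
    if rule.get("direction", pkt.direction) != pkt.direction:
        return False
    if rule.get("anyaddr", pkt.srcaddr) not in (pkt.srcaddr, pkt.dstaddr):
        return False
    for end in ("src", "dst"):
        addr, port = getattr(pkt, end + "addr"), getattr(pkt, end + "port")
        lo, hi = rule.get(end + "port", (port, port))
        if rule.get(end + "addr", addr) != addr or not lo <= port <= hi:
            return False
    return True

def permitted(stanzas, pkt):
    """True if any stanza in the list admits the packet."""
    return any(matches(parse_rule(s), pkt) for s in stanzas)

RULE_A = ["udp/srcaddr=192.168.199.11/srcport=domain/send/dstport=domain",
          "udp/dstaddr=192.168.199.11/dstport=domain/recv/srcport=domain"]
RULE_2 = ["udp/192.168.199.11/dstport=domain/srcport=domain"]
RULE_B = ["udp/dstaddr=192.168.199.11/dstport=domain/recv/srcport=1024-65535",
          "udp/srcaddr=192.168.199.11/srcport=domain/send/dstport=1024-65535"]
DNS, REMOTE = "192.168.199.11", "198.51.100.7"           # REMOTE is constructed
SERVER_QUERY = Packet("recv", REMOTE, 53, DNS, 53)       # from another name server
NSLOOKUP_QUERY = Packet("recv", REMOTE, 40000, DNS, 53)  # from an unprivileged port
```

Running `permitted(RULE_A, NSLOOKUP_QUERY)` returns False while `permitted(RULE_A + RULE_B, NSLOOKUP_QUERY)` returns True, which is why the section ends with four stanzas.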