
List:       focus-linux
Subject:    AW: IPChains Question (compatibility mode on kernel 2.4.x)
From:       "Michael Kluge" <michael.kluge () wundermedia ! de>
Date:       2003-05-13 14:02:40

Hi!

> 
> Hi!
> You are missing the point.
> 
> ddp     37      DDP             # Datagram Delivery Protocol
> Seems you are trying to block ddp, that is a protocol that runs
> _over_ tcp or udp

Well, I don't think so! DDP is part of the AppleTalk protocol suite.
It may run over IP but not over TCP or UDP.

> Firewall can decide on the port but examining
> the port source/address of tcp and udp.
> For instance if you want to deny or accept ddp you should block/accept
> tcp/udp arriving on port 37.

No! DDP is a protocol, not a service! To block DDP at all you must do
sth. like this:
-A input -i eth0 -p ddp -j DENY

The problem is that ipchains does not know much about ddp. You can't
filter ddp traffic by the ports used. Either ACCEPT all ddp traffic or
not. Port filtering of ddp is simply not supported by ipchains.

See also (e.g. on your Linux system):
/etc/services:
...
#
# Datagram Delivery Protocol services
#
rtmp            1/ddp           # Routing Table Maintenance Protocol
nbp             2/ddp           # Name Binding Protocol
echo            4/ddp           # AppleTalk Echo Protocol
zip             6/ddp           # Zone Information Protocol
#
...

and 

/etc/protocols:
...
ddp     37      DDP             # Datagram Delivery Protocol
...


> Byes!
> 

Regards,
Michael.
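
The distinction argued in the message above, as an added example that is not part of the original post and is not ipchains code: a simplified model of a `-p <proto>` rule, which compares the protocol byte of the IP header, next to a TCP/UDP port match, which only exists for protocols 6 and 17. The packets, addresses and function names are constructed for illustration.

```python
import struct

# IP protocol numbers, as in /etc/protocols
PROTO = {"tcp": 6, "udp": 17, "ddp": 37}

def ipv4_packet(proto, payload=b""):
    """Constructed sample: minimal 20-byte IPv4 header (checksum 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def l4_header(sport, dport):
    """First bytes of a TCP/UDP header: source port, destination port, padding."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16

def parse(pkt):
    """Return (ip_protocol, dst_port); dst_port is None unless TCP or UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]                      # protocol byte of the IP header
    if proto in (PROTO["tcp"], PROTO["udp"]) and len(pkt) >= ihl + 4:
        return proto, struct.unpack("!HH", pkt[ihl:ihl + 4])[1]
    return proto, None

def rule_matches(pkt, proto, dport=None):
    """Simplified model of '-p <proto> [destination port]'."""
    ip_proto, port = parse(pkt)
    if ip_proto != PROTO[proto]:
        return False
    return dport is None or port == dport

# Constructed packets
DDP_PKT = ipv4_packet(PROTO["ddp"], b"\x00" * 8)
TCP_PORT37 = ipv4_packet(PROTO["tcp"], l4_header(40000, 37))
UDP_PORT37 = ipv4_packet(PROTO["udp"], l4_header(40000, 37))

if __name__ == "__main__":
    for name, pkt in [("ddp", DDP_PKT), ("tcp/37", TCP_PORT37), ("udp/37", UDP_PORT37)]:
        print(name, "-p ddp:", rule_matches(pkt, "ddp"),
              " -p tcp port 37:", rule_matches(pkt, "tcp", 37))
```

A rule on TCP or UDP port 37 matches the `time` service registered on that port in /etc/services, and never a packet whose IP protocol field is 37.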
