On Mon, 2004-09-20 at 03:44, Askar wrote:
>
> iptables -A INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
> iptables -A OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
>
> when I do "tail -f /var/log/messages", I find a lot of the messages below
>
> what is meant by all this, can someone care to explain/clear things to me? :)
> may I remove the above iptables rules?

Trying to stop pop-up ads maybe? Windows grabs one or more ports between 1025-1029 and holds them open for RPC functions. The result is spammers can use them to send pop-up ads to the client. There have also been some Windows based viruses that propagate on 1025, so the previous admin may have used -s 0/0 because internal systems were becoming infected and going after hosts on the Internet.

What's kind of odd to me is that the logs you posted are for named and the above rules limit TCP. Named usually uses UDP for queries, which leaves two possibilities:

1) You have a FORWARD rule someplace else that limits UDP/1025
2) These were queries with large answers (>512 bytes packet size), thus TCP was invoked.

So it's safe to remove this restriction outbound provided your internal systems are not infected. I would leave this restriction in place for inbound traffic and just let in replies statefully.

HTH,
Chris
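The stateful arrangement Chris describes, written out as an added example that is not from this thread: the three blanket DROP rules are removed, replies are admitted by connection tracking, and only new inbound connections to TCP/1025 from the Internet-facing interface are logged and dropped. It assumes the WAN interface is eth0 (override with WAN_IF) and the rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes eth0 faces the Internet
# and that the iptables "state" match is available (both assumptions).
WAN_IF="${WAN_IF:-eth0}"

# Emit the replacement rule set on stdout; nothing is executed here.
stateful_rules() {
    cat <<EOF
iptables -D INPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -D FORWARD -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -D OUTPUT -p TCP -s 0/0 -d 0/0 --dport 1025 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 1025 -m state --state NEW -j LOG --log-prefix "TCP1025-IN: "
iptables -A INPUT -i $WAN_IF -p tcp --dport 1025 -m state --state NEW -j DROP
iptables -A FORWARD -i $WAN_IF -p tcp --dport 1025 -m state --state NEW -j LOG --log-prefix "TCP1025-FWD: "
iptables -A FORWARD -i $WAN_IF -p tcp --dport 1025 -m state --state NEW -j DROP
EOF
}

# Count how many rules of a given kind the set contains (used for self-checks).
rule_count() {
    stateful_rules | grep -c -- "$1"
}

# Dry-run by default; APPLY=1 pipes the rules into a root shell.
if [ "${APPLY:-0}" = "1" ]; then
    stateful_rules | sh
else
    stateful_rules
fi
```

Note that no OUTPUT rule remains, so outbound TCP/1025 (including the named fallback to TCP for large answers) is no longer blocked; the DROP on the Internet-facing interface only applies to NEW inbound connections.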