From 7f74c1be33abd8013a9164c0b62e0b90c6dd1428 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Thu, 9 Aug 2001 05:21:22 +0000
Subject: only allow dest port 1025-65535 for DNS replies (#40833, #44038)
---
 sysconfig/network-scripts/ifup-post | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'sysconfig/network-scripts/ifup-post')
diff --git a/sysconfig/network-scripts/ifup-post b/sysconfig/network-scripts/ifup-post
index 5809220d..10a6fa16 100755
--- a/sysconfig/network-scripts/ifup-post
+++ b/sysconfig/network-scripts/ifup-post
@@ -91,7 +91,7 @@ if [ "$FIREWALL_MODS" != "no" -a -n "$FWACTIVE" ]; then
 if [ -n "$ns" ]; then
 for nameserver in $ns ; do
 if ! ipchains -L input -n | grep -q $nameserver ; then
- ipchains -I input -s $nameserver/32 53 -p udp -j ACCEPT
+ ipchains -I input -s $nameserver/32 53 -d 0/0 1025:65535 -p udp -j ACCEPT
 logger $"punching nameserver $nameserver through the firewall"
 fi
 done
-- cgit
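Review bot: The rule added on the `+` line still matches on source address and source port only, and ipchains keeps no connection state, so any UDP datagram that claims to come from `$nameserver` port 53 is accepted on every local port in 1025:65535 whether or not a query is outstanding. UDP services bound above 1024 would stay reachable through it (which ones exist depends on the host and is not visible here), so I would record that above the rule with a comment such as `# stateless: accepts any UDP from $nameserver:53 to ports 1025-65535, not only replies to our queries`, and narrow `-d 0/0` to the interface's own address if the script has it in a variable. The guard `grep -q $nameserver` is an unquoted regex substring match, so an existing rule for another address containing the same digits, or an old-form rule without the port range, suppresses the insert; `grep -qwF -- "$nameserver"` is tighter, though it still cannot tell the old rule form from the new one. The enclosing `if [ "$FIREWALL_MODS" ...` block starts and ends outside the hunk.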