Diffstat (limited to 'config/jail.conf')
-rw-r--r--config/jail.conf24
1 files changed, 16 insertions, 8 deletions
diff --git a/config/jail.conf b/config/jail.conf
index 75c53b76..7501e2f5 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -212,14 +212,22 @@ ignoreip = 168.192.0.1
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
-[named-refused-udp]
-
-enabled = false
-filter = named-refused
-action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
- sendmail-whois[name=Named, dest=you@mail.com]
-logpath = /var/log/named/security.log
-ignoreip = 168.192.0.1
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# [named-refused-udp]
+#
+# enabled = false
+# filter = named-refused
+# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+# sendmail-whois[name=Named, dest=you@mail.com]
+# logpath = /var/log/named/security.log
+# ignoreip = 168.192.0.1
# This jail blocks TCP traffic for DNS requests.