Date: 2010-06-29 01:38:05 +0000 (Tue, 29 Jun 2010)
disabling the named-refused-udp jail entirely, with a big fat warning
--- trunk/config/jail.conf 2010-06-29 01:34:08 UTC (rev 761)
+++ trunk/config/jail.conf 2010-06-29 01:38:05 UTC (rev 762)
@@ -212,15 +212,23 @@
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
+# !!! WARNING !!!
+# Since UDP is connectionless protocol, spoofing of IP and immitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# Please DO NOT USE this jail unless you know what you are doing.
+# enabled = false
+# filter = named-refused
+# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+# sendmail-whois[name=Named, dest=you@...]
+# logpath = /var/log/named/security.log
+# ignoreip = 220.127.116.11
-enabled = false
-filter = named-refused
-action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
- sendmail-whois[name=Named, dest=you@...]
-logpath = /var/log/named/security.log
-ignoreip = 18.104.22.168
# This jail blocks TCP traffic for DNS requests.
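Review bot: The new warning block ends its sentence with `# victim. See` on the fifth added line and then supplies no reference, so the reader is pointed nowhere; either add the link that was meant to follow or drop the word. The warning would also be more useful if it named the mechanism rather than just the outcome, e.g. `# Since UDP is a connectionless protocol, the source IP in a refused-query log line is trivially forged, so an attacker can get any chosen address banned by this jail (a denial of service against that victim).`, which also fixes `immitation` and the missing article. Since the jail's settings now survive only as commented-out lines, a short line such as `# Jail intentionally disabled; uncomment the settings below only if the risk above is acceptable.` would make clear the section is deliberately inert rather than half-edited. The `[named-refused-udp]` section header itself appears to lie above this hunk, and the hunk's trailing context looks truncated on this page, so the remainder of the section could not be checked.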