List: netfilter
Subject: Re: DNS troubles
From: Simon Edwards <simon () simonzone ! com>
Date: 2001-09-28 15:47:02
Hi,
> Alright everyone, I have officially become insane.
...just wait until you see the solution.
> I am writing a very simple firewall script on a DNS (BIND 8) box. My
> rules thus far are as follows:
> ALL default chains are drop
> Here are my DNS rules:
> iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
On the input chain you want --sport 53 and not --dport. And contrary to what
someone else said on this list, you do need the TCP rules for DNS. When DNS
can't fit the reply in a UDP packet it resorts to TCP. (IIRC, AOL is the only
place that has need for such large replies).
cheers,
--
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands "ZooTV? You made the right choice."
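To show why the TCP rules for port 53 matter, here is an added example (not from the post or anyone on the list) that decodes a DNS reply header and checks the TC (truncated) bit: that bit is how a resolver learns that the answer did not fit in the UDP reply and must be re-asked over TCP port 53. The replies it inspects are constructed in the block, not captured traffic.

```python
import struct

# DNS header (RFC 1035 section 4.1.1): id, flags, qdcount, ancount, nscount, arcount
DNS_HEADER = struct.Struct("!HHHHHH")
UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit without EDNS0

def parse_dns_header(msg: bytes) -> dict:
    """Decode the 12-byte header of a DNS message into its named fields."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "opcode": (flags >> 11) & 0xF,
        "tc": bool(flags & 0x0200),   # 1 = reply was truncated to fit UDP
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def needs_tcp_retry(udp_reply: bytes) -> bool:
    """True when the server set TC: the client must repeat the query over TCP/53,
    so a firewall that only allows UDP/53 silently breaks these lookups."""
    hdr = parse_dns_header(udp_reply)
    return hdr["qr"] and hdr["tc"]

def build_header(ident: int, *, response: bool, truncated: bool,
                 qdcount: int = 1, ancount: int = 0) -> bytes:
    """Pack a DNS header; used here only to construct sample replies."""
    flags = 0x0100  # RD is normally copied from the query
    if response:
        flags |= 0x8000
    if truncated:
        flags |= 0x0200
    return DNS_HEADER.pack(ident, flags, qdcount, ancount, 0, 0)

# Constructed sample replies (hypothetical, not real traffic):
NORMAL_REPLY = build_header(0x1234, response=True, truncated=False, ancount=1)
TRUNCATED_REPLY = build_header(0x1234, response=True, truncated=True, ancount=0)

if __name__ == "__main__":
    for name, reply in (("normal", NORMAL_REPLY), ("truncated", TRUNCATED_REPLY)):
        verdict = "retry over TCP/53" if needs_tcp_retry(reply) else "UDP answer complete"
        print(f"{name}: {verdict}")
```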