
List:       netfilter
Subject:    Re: DNS troubles
From:       Simon Edwards <simon () simonzone ! com>
Date:       2001-09-28 15:47:02

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

> Alright everyone I have officially became insane.

...just wait until you see the solution.

> I am writing a very simple firewall script on a DNS (BIND 8) box.   My
> rules thus far are as follows:
> ALL default chains are drop
> Here are my DNS rules:
> iptables -A INPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED  -j
> ACCEPT
> iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j
> ACCEPT

On the input chain you want --sport 53 and not --dport. And contrary to what 
someone else said on this list, you do need the TCP rules for DNS. When DNS 
can't fit the reply in a UDP packet it resorts to TCP. (IIRC, AOL is the only 
place that has need for such large replies).

cheers,

- -- 
Simon Edwards
simon@simonzone.com
http://www.simonzone.com/
Nijmegen, The Netherlands       "ZooTV? You made the right choice."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAju0m3wACgkQuIuDmTrvhSYhLwCgrNaVEpTHmVuhuGzDeOfWsVDK
fNsAmwdCujrmIqRiIAKXK3Oq00ciHIEj
=GMbd
-----END PGP SIGNATURE-----
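As an added illustration (not part of the thread, and not the original poster's script), the rules discussed above collected into one small POSIX shell script for a BIND box with default DROP policies. It assumes the box both answers queries on port 53 (the poster's --dport 53 rules, UDP and TCP) and sends its own lookups to other name servers, which is where the --sport 53 rules on INPUT from the reply come in; the IPTABLES variable and the dry-run mode are conveniences of this example so the commands can be printed and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original message: iptables rules for a DNS server
# with default DROP policies on INPUT and OUTPUT.
# Assumptions: the box answers queries (53/udp and 53/tcp) and also performs its
# own lookups, so replies from other servers with source port 53 must be let in.
# Set IPTABLES=echo (or pass "dry-run") to print the commands instead of
# applying them.

dns_rules() {
    ipt="${IPTABLES:-iptables}"

    # Queries arriving at our server. TCP is needed as well as UDP: a reply
    # that does not fit in one UDP packet, and zone transfers, use TCP.
    "$ipt" -A INPUT  -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$ipt" -A INPUT  -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # Our answers to those queries going back out.
    "$ipt" -A OUTPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    "$ipt" -A OUTPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

    # Our own lookups to other name servers ...
    "$ipt" -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    "$ipt" -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # ... and their replies, which carry source port 53 (the --sport 53 rules
    # on INPUT from the reply above). Only ESTABLISHED here: nothing unsolicited
    # from port 53 should be accepted.
    "$ipt" -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    "$ipt" -A INPUT  -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# Counts how many ACCEPT rules a dry run would emit; handy as a sanity check
# that both protocols are covered in both directions (expected: 8).
count_accept_rules() {
    IPTABLES=echo
    dns_rules | grep -c 'ACCEPT'
}

case "${1:-}" in
    dry-run) IPTABLES=echo; dns_rules ;;
    apply)   dns_rules ;;
esac
```

Run it as `sh dns-rules.sh dry-run` to see the commands it would issue, and `sh dns-rules.sh apply` (as root) to add them; the rules only append to the chains, so flush them first if the script is rerun.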

