[techtalk] Default Deny

Andre Pang andrep-ml at vjolnir.org
Fri Jan 28 14:58:03 EST 2000

On Fri, Jan 28, 2000 at 07:32:07AM +1300, Jamie Walker wrote:

> >         ipchains -A input -i ppp0 -p UDP -s I.S.P.NS -d $LOCALIP 53 -j ACCEPT
> >         ipchains -A input -i ppp0 -p UDP -s I.S.P.NS1 -d $LOCALIP 53 -j ACCEPT
> These two rules are both assuming that DNS requests are going out with a
> source port of 53. Quite often nowadays DNS uses non-privileged source
> ports (ie, not < 1024) so this might be what's breaking DNS. If DNS is
> broken, that probably doesn't help web or mail traffic. :-/

    those ipchains rules look like they match any source port to me - the 53
is there for the destination port only, unless i'm reading something wrong.

    you might want to specify these two extra ipchains rules as well:

ipchains -A input -i ppp0 -p TCP -s I.S.P.NS -d $LOCALIP 53 -j ACCEPT
ipchains -A input -i ppp0 -p TCP -s I.S.P.NS1 -d $LOCALIP 53 -j ACCEPT

    since dns uses both tcp and udp for communication (look at
/etc/services).  if it's not currently working, that might be why.

    is this server going to a dns for an entire domain, by the way?  if so,
you probably shouldn't restrict the source to come from I.S.P.NS(1), since
you can get a dns request from many servers throughout the world, and not
just your isp.

: Andre Pang <andrep at vjolnir.org> - Purruna Pty Ltd - ph# 0411.882299 :
:               #ozone - http://www.vjolnir.org/ozone/                :

techtalk at linuxchix.org   http://www.linuxchix.org

More information about the Techtalk mailing list