[techtalk] Default Deny

Andre Pang andrep-ml at vjolnir.org
Fri Jan 28 14:58:03 EST 2000


On Fri, Jan 28, 2000 at 07:32:07AM +1300, Jamie Walker wrote:

> >         ipchains -A input -i ppp0 -p UDP -s I.S.P.NS -d $LOCALIP 53 -j ACCEPT
> >         ipchains -A input -i ppp0 -p UDP -s I.S.P.NS1 -d $LOCALIP 53 -j ACCEPT
> 
> These two rules are both assuming that DNS requests are going out with a
> source port of 53. Quite often nowadays DNS uses non-privileged source
> ports (ie, not < 1024) so this might be what's breaking DNS. If DNS is
> broken, that probably doesn't help web or mail traffic. :-/

    those ipchains rules look like they match any source port to me - the 53
is there for the destination port only, unless i'm reading something wrong.

    you might want to specify these two extra ipchains rules as well:

ipchains -A input -i ppp0 -p TCP -s I.S.P.NS -d $LOCALIP 53 -j ACCEPT
ipchains -A input -i ppp0 -p TCP -s I.S.P.NS1 -d $LOCALIP 53 -j ACCEPT

    since dns uses both tcp and udp for communication (look at
/etc/services).  if it's not currently working, that might be why.

    is this server going to be a dns for an entire domain, by the way?  if so,
you probably shouldn't restrict the source to come from I.S.P.NS(1), since
you can get a dns request from many servers throughout the world, and not
just your isp.


-- 
: Andre Pang <andrep at vjolnir.org> - Purruna Pty Ltd - ph# 0411.882299 :
:               #ozone - http://www.vjolnir.org/ozone/                :
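The points raised in this thread (a default-deny input chain, DNS needing both UDP and TCP, and the difference between packets arriving *at* local port 53 and replies coming *back from* a nameserver's port 53) put together in one script. This is an added example, not code from the original thread: the interface, addresses and nameserver list are placeholders, and `DRY_RUN=1` (the default) prints the rules instead of executing them so it can be read and checked on a machine without ipchains.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a default-deny ipchains
# "input" chain for a host that sends its own DNS queries and may also serve a
# zone. All addresses below are constructed placeholders (TEST-NET-1 range).

IFACE="${IFACE:-ppp0}"
LOCALIP="${LOCALIP:-192.0.2.10}"                       # placeholder for $LOCALIP
NAMESERVERS="${NAMESERVERS:-192.0.2.53 192.0.2.54}"    # placeholders for I.S.P.NS / I.S.P.NS1
RUN_DNS_SERVER="${RUN_DNS_SERVER:-0}"                  # 1 if this host answers queries for a zone
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print rules, 0 = execute them

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Replies to this host's own queries: they come FROM the nameserver's port 53
# TO the unprivileged source port the resolver picked. A rule matching only
# "-d $LOCALIP 53" never sees them, which is the breakage discussed above.
dns_client_rules() {
    ns="$1"
    for proto in UDP TCP; do   # TCP is needed for answers too large for UDP
        run ipchains -A input -i "$IFACE" -p "$proto" -s "$ns" 53 -d "$LOCALIP" 1024:65535 -j ACCEPT
    done
}

# Queries arriving at a DNS server on this host: destination port 53. The
# source is left open because an authoritative server is queried from
# anywhere, not just the ISP's resolvers.
dns_server_rules() {
    for proto in UDP TCP; do   # TCP also carries zone transfers
        run ipchains -A input -i "$IFACE" -p "$proto" -d "$LOCALIP" 53 -j ACCEPT
    done
}

# Flush, set the default policy to DENY, then add only the explicit accepts.
build_input_chain() {
    run ipchains -F input
    run ipchains -P input DENY
    for ns in $NAMESERVERS; do
        dns_client_rules "$ns"
    done
    if [ "$RUN_DNS_SERVER" = "1" ]; then
        dns_server_rules
    fi
}

build_input_chain
```

Run it as-is to review the generated rule list; set `DRY_RUN=0` only once the printed rules look right. Because the policy is DENY, every service the host needs (not only DNS) must get its own explicit accept, which is the whole idea of default deny.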

************
techtalk at linuxchix.org   http://www.linuxchix.org