Are you accounting for both UDP and TCP port 53? If you aren't getting anything in your logs, try adding a log rule to help you diagnose before the packet defaults to the policy (drop?):
    iptables -A .... \
        -m limit --limit-burst 10 --limit 10/m \
        -j LOG --log-level notice --log-prefix "DROPPED_OFF_END_OF_TABLE"

Then you can see the nature of the packet that was lost.

// George

On Wed, Oct 01, 2003 at 02:33:12PM -0300, Martin Ferrari - Decidir IT wrote:
> Hi, I don't know what's happening, but I discovered that my firewall is
> currently rejecting with port unreachable about 60% of the DNS queries I
> receive, but this is not happening with the other kind of traffic I manage
> (HTTP and SMTP).
>
> I use connection tracking and ip_conntrack_max is set to 32k. Dmesg doesn't
> report anything!
>
> Please, ANY help would be greatly welcomed!
>

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 646-331-2027 <IXOYE><
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.            http://www.galis.org/george
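A worked version of the suggestion in the reply above, added here as an example; it is not code from the thread or from either poster. It assumes iptables with the standard conntrack, limit and LOG extensions, an INPUT chain whose default policy is DROP, and kernel LOG output in the usual KEY=value form. The function names (dns_rules, summarize_drops), the IPT variable and the sample log lines are all mine; the log lines are constructed, not captured from anyone's firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes iptables with the
# conntrack, limit and LOG extensions, an INPUT chain with policy DROP, and
# kernel LOG lines in the usual KEY=value form. IPT defaults to
# "echo iptables" so the script only prints the rules (dry run); run it as
# root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Rules the reply implies: accept DNS on BOTH UDP and TCP 53, then a
# rate-limited LOG rule as the last rule so anything falling through to the
# DROP policy leaves a trace.
dns_rules() {
    # Packets belonging to flows conntrack already knows about
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Ordinary queries use UDP 53; retries after a truncated answer and zone
    # transfers use TCP 53, which a UDP-only rule silently misses.
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
    # Last rule in the chain: log what is about to hit the policy, rate
    # limited so a flood cannot fill the log. The trailing space in the
    # prefix keeps it separate from the IN= field that follows it.
    $IPT -A INPUT -m limit --limit 10/m --limit-burst 10 \
        -j LOG --log-level notice --log-prefix "DROPPED_OFF_END_OF_TABLE "
}

# Tally the logged packets (read from stdin) by protocol and destination
# port, which answers "is it DNS being dropped, and over which protocol?".
summarize_drops() {
    grep 'DROPPED_OFF_END_OF_TABLE' |
    awk '{
        proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto != "") count[proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' |
    LC_ALL=C sort
}

# Constructed sample of what the syslog would carry once the LOG rule is in
# place (hostnames and addresses made up, not from the thread).
SAMPLE_LOG=$(cat <<'EOF'
Oct  1 14:40:01 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=54 ID=0 DF PROTO=UDP SPT=4321 DPT=53 LEN=40
Oct  1 14:40:02 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TTL=53 ID=0 DF PROTO=UDP SPT=4322 DPT=53 LEN=40
Oct  1 14:40:02 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40001 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 14:40:03 fw sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
Oct  1 14:40:03 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 LEN=60 TTL=55 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Oct  1 14:40:04 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 LEN=60 TTL=50 ID=0 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  1 14:40:05 fw kernel: DROPPED_OFF_END_OF_TABLE IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.5 LEN=84 TTL=60 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
)

# Run directly: show the rules (dry run), then the tally for the sample log.
dns_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a real box you would feed summarize_drops from the syslog file that receives kernel notices (for example `grep kernel /var/log/messages | summarize_drops`); a tally dominated by "UDP 53" or "TCP 53" points at a missing ACCEPT rule for that protocol rather than at conntrack, while a mix across many ports points back at the table itself. Note that the LOG rule only shows packets reaching the end of the chain; a REJECT earlier in the chain would need its own LOG rule placed just before it.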

