Gabriel Lai,

The system works fine with those ports closed on the LAN firewall. I just didn't want to block them if there was a reason for them to be open.

Generally, you want to keep as many ports closed as possible. Please keep in mind - opening ports on a firewall tends to be done to allow the world in. It's not done to allow traffic out. But of course I'm talking basic router/firewall equipment. The more expensive stuff requires specifically allowing traffic in either direction. Too much work as far as I'm concerned.

DNS seems too much of a security threat to me. It hands out information. Info that there's no need for the world to know. Same is true for the Windows file sharing ports.

All this came about because I've had to set up the qmail toaster's internal firewall by hand. At first, I opened all the ports found in the firewall.sh script. In all the times that I installed Q.T. (while I was learning it), every time I ran the firewall.sh script from the website, it killed all traffic in and out of the box. My server only has one NIC, and it's all just standard hardware. Don't know why the iptables rules set by the script prevent all traffic. I think it's the script...

I even close the 110 TCP POP3 port now, since I can use the 995 SSL POP3 port with my wonderful toaster.

-----Original Message-----
From: Gabriel Lai Yong Shern - E Technology [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 29, 2005 9:51 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] open dns ports...

Yes, your DNS query must be open at firewall level. If not, when your client starts to do browsing, or your email server wants to send email, it will get many errors. It is a very important port in any network environment.

Lynn wrote:

> I should have written: "Is there actually a reason to open ports 53 UDP &
> TCP in the (external) firewall for the DNS service? Meaning port
> forwarding of a router...
>
> Routers tend to allow all traffic out, but I can't find any reason to
> port forward DNS queries into a LAN.
>
> I never connect servers directly to the internet - I think that's
> crazy. I always hide them behind routers running NAT.
> So the question really is, is there a reason to allow the outside world
> to query my private DNS service?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
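As an added example (not code from the thread and not the toaster's firewall.sh), here is the posture Lynn describes for a single-NIC box behind NAT, written as a host iptables script: the box may send DNS queries out, but port 53 and plain POP3 are never opened to the world, and the loopback and connection-tracking rules that a default-deny policy needs are included. The LAN range, the resolver address and the SSH-from-LAN rule are assumptions; `IPT=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the qmail toaster's firewall.sh and not code from the
# thread. Host firewall for a single-NIC mail server behind a NAT router:
# the box may query DNS out, but port 53 is never opened to the world.
# Constructed assumptions: LAN 192.168.1.0/24, resolver (the router) at
# 192.168.1.1. IPT=echo prints the rules instead of loading them.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"
RESOLVER="${RESOLVER:-192.168.1.1}"

apply_rules() {
    $IPT -F
    # Default deny in both directions; every allowed flow is listed below.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback plus the reply path for tracked connections. Without these
    # a default-DROP policy also drops the answers to the box's own
    # outbound traffic, and nothing works in either direction.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # "DNS open at the firewall" means this: outbound queries (UDP and
    # TCP) to the LAN resolver. Replies return via the ESTABLISHED rule.
    $IPT -A OUTPUT -p udp -d "$RESOLVER" --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$RESOLVER" --dport 53 -j ACCEPT
    # Outbound mail delivery to other MTAs.
    $IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT

    # Inbound services: SMTP and SSL POP3 from anywhere, SSH from the LAN.
    $IPT -A INPUT -p tcp --dport 25 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 995 -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p tcp --dport 22 -j ACCEPT
    # Explicit drops for the ports the thread discusses, so an ACCEPT
    # appended later by another script cannot reopen them (first match wins).
    $IPT -A INPUT -p tcp --dport 110 -j DROP
    $IPT -A INPUT -p udp --dport 53 -j DROP
    $IPT -A INPUT -p tcp --dport 53 -j DROP
    # Windows file sharing (137-139, 445) and everything else fall
    # through to the INPUT DROP policy.
}

# "sh firewall.sh --apply" loads the rules (needs root); anything else
# only prints them for review.
if [ "${1:-}" = "--apply" ]; then apply_rules; else IPT=echo apply_rules; fi
```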