On Sun, 31 Dec 2000, Charles Galpin wrote:
> Hi Mikkel
>
> On Sun, 31 Dec 2000, Mikkel L. Ellertson wrote:
> > What does your firewall rules for port 53 look like,
>
> Ok, this is (effectively) what my firewall does (I cut out the chaff)
>
> $IPCHAINS -I input 1 -i $LOCALIF -y -p TCP --destination-port 53 -j ACCEPT
> $IPCHAINS -I input 1 -i $LOCALIF -p UDP --destination-port 53 -j ACCEPT
> $IPMASQADM portfw -a -P tcp -L $LOCALIP 53 -R 192.168.2.2 5553
> $IPMASQADM portfw -a -P udp -L $LOCALIP 53 -R 192.168.2.2 5553
>
>
Ok - I think I know what is happening. When you send out a request, the
return comes back on port 53, but your firewall forwards it to port 5553
on 192.168.2.2. But named is expecting the reply on port 53. What I
would try is to comment out the "query-source address * port 53;" line
again, and add some more rules to your firewall. Here is my section:
# DNS server (53)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
$IPADDR is the IP for the firewall connection to the internet.
$UNPRIVPORTS is "1024:65535"
When you had it running on the firewall, I assume you had the
port 53 forwarding rules turned off, so named could see the response on
port 53.
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
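The following is an added example, not code from the thread or from either poster: a small Python model of the four ipchains rules in Mikkel's "DNS server (53)" section, with a default DENY policy, used to trace what the posted rule set does to a DNS query and its reply. It shows why those rules work with named picking an unprivileged source port and why they do not pass traffic when named is pinned to "query-source address * port 53;", and why the "! -y" rule stops an unsolicited inbound TCP connection from port 53. The addresses 203.0.113.10 (standing in for $IPADDR) and 198.51.100.53 (an external resolver) are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed values for the example; the thread's $IPADDR and $UNPRIVPORTS
# are shell variables, so the concrete address here is an assumption.
IPADDR = "203.0.113.10"        # firewall's Internet-facing address ($IPADDR)
RESOLVER = "198.51.100.53"     # an external name server we send queries to
UNPRIVPORTS = (1024, 65535)    # $UNPRIVPORTS = "1024:65535"
DNS = (53, 53)                 # port 53 only


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True = SYN set without ACK, which is what ipchains "-y" tests


@dataclass
class Rule:
    proto: str
    sport: Tuple[int, int]          # --source-port low:high
    dport: Tuple[int, int]          # --destination-port low:high
    src: Optional[str] = None       # -s
    dst: Optional[str] = None       # -d
    syn: Optional[bool] = None      # None = any, True = "-y", False = "! -y"
    target: str = "ACCEPT"          # -j

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and self.syn != p.syn:
            return False
        return True


def run_chain(rules: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule decides, as in ipchains; the chain policy otherwise."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


# Mikkel's "DNS server (53)" section, one Rule per ipchains command, in order.
OUTPUT_CHAIN = [
    Rule("tcp", UNPRIVPORTS, DNS, src=IPADDR),
    Rule("udp", UNPRIVPORTS, DNS, src=IPADDR),
]
INPUT_CHAIN = [
    Rule("tcp", DNS, UNPRIVPORTS, dst=IPADDR, syn=False),   # the "! -y" rule
    Rule("udp", DNS, UNPRIVPORTS, dst=IPADDR),
]


def reply_to(q: Packet) -> Packet:
    """The server's answer: addresses and ports swapped, never a bare SYN."""
    return Packet(q.proto, q.dst, q.dport, q.src, q.sport, syn=False)


def query_round_trip(proto: str, sport: int) -> Tuple[str, str]:
    """Verdicts (outgoing query, incoming reply) for a query from IPADDR:sport
    to RESOLVER:53. A TCP query starts with a SYN; UDP has no flags."""
    q = Packet(proto, IPADDR, sport, RESOLVER, 53, syn=(proto == "tcp"))
    return run_chain(OUTPUT_CHAIN, q), run_chain(INPUT_CHAIN, reply_to(q))


def inbound_verdict(p: Packet) -> str:
    """Verdict of the input chain for an arbitrary packet from the Internet."""
    return run_chain(INPUT_CHAIN, p)


if __name__ == "__main__":
    # named using a random unprivileged source port: both directions pass
    print("udp query from 33000:", query_round_trip("udp", 33000))
    # named pinned with "query-source address * port 53;": the posted rules
    # only allow queries FROM 1024:65535 and replies TO 1024:65535, so neither
    # the query nor the reply matches and both fall through to DENY
    print("udp query from 53:   ", query_round_trip("udp", 53))
    # an unsolicited TCP connection attempt from port 53 is stopped by "! -y"
    probe = Packet("tcp", RESOLVER, 53, IPADDR, 40000, syn=True)
    print("inbound SYN from 53: ", inbound_verdict(probe))
```

The model is stateless on purpose: ipchains has no connection tracking, so the only thing distinguishing a legitimate reply from an arbitrary inbound packet is the port pair and, for TCP, the SYN test. That is also why the rules depend on named using unprivileged source ports and why a fixed query-source port of 53 falls outside them.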