[wplug] Nameserver firewall rules
Dave Neuer
mr_fred_smoothie at yahoo.com
Tue Dec 17 15:06:17 EST 2002
Well, for one thing you need to have all of the various necessary ICMP
packets allowed through (source-quench, destination-unreachable,
administratively-prohibited, yada yada -- there should be a list of them
somewhere online). These are necessary to make routing work correctly.

But most importantly, it looks like you're not forwarding any packets at
all through your firewall: your FORWARD policy is ACCEPT, but you're
DROPPING all packets from anywhere to anywhere; not a very effective
firewall unless you're REALLY paranoid, in which case you are at least
also VERY safe ;-)
Dave
--- Henry Umansky <hmust2+ at pitt.edu> wrote:
> Hello,
>
> I am trying to set up a primary DNS server and I can't seem to get it
> working through my firewall. Here are my rules for iptables:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
> DROP       all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere             udp spt:domain
> DROP       all  --  anywhere             anywhere
>
> What other port do I need to open up? I know I need to open tcp 53, but I
> thought that is only used for zone transfers to slave nameservers.
>
> Henry Umansky
> hmust2 [at] pitt [dot] edu
> http://www.pitt.edu/~hmust2
>
> _______________________________________________
> wplug mailing list
> wplug at wplug.org
> http://www.wplug.org/mailman/listinfo/wplug
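An added example, not code from either message in this thread: a ruleset for the host Henry describes, an authoritative nameserver that forwards nothing, written against current iptables (the `conntrack` match; kernels of the thread's era used `-m state --state` for the same thing). Compared with the posted rules it opens TCP 53 as well as UDP 53, uses connection tracking so that replies to queries the server itself sends are accepted (those queries leave from an ephemeral source port, not port 53, so an OUTPUT chain that only accepts spt:domain drops them), and admits the ICMP error types Dave mentions. The log prefix, the rate limit and the particular ICMP types chosen are assumptions; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example ruleset for a host running an authoritative nameserver.
# Not from the original thread. Assumes IPv4 iptables with the conntrack
# match. IPT=echo prints the commands instead of applying them.
IPT="${IPT:-iptables}"

apply_rules() {
    # Default-deny inbound. The host forwards nothing, so FORWARD drops too
    # (the posted rules already dropped everything in FORWARD; this just
    # makes the policy say so).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD

    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to traffic this host originates (its own outbound queries,
    # NOTIFYs, zone-transfer connections it opens as a secondary) arrive as
    # ESTABLISHED; ICMP errors about tracked flows arrive as RELATED.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DNS over both transports: UDP for ordinary queries, TCP for answers
    # that were truncated over UDP and for zone transfers to secondaries.
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # ICMP needed for correct operation (assumed set): destination-unreachable
    # carries fragmentation-needed, i.e. path-MTU discovery; time-exceeded
    # and parameter-problem report routing and header trouble. Echo request
    # is allowed so the host answers ping.
    for t in destination-unreachable time-exceeded parameter-problem echo-request; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Log (rate-limited, so a flood cannot fill the disk) and drop the rest.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
    $IPT -A INPUT -j DROP
}

# Print the commands apply_rules would run, without touching the kernel.
# The subshell keeps IPT=echo from leaking into the caller's environment.
show_rules() {
    ( IPT=echo; apply_rules )
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    show_rules
fi
```

Run it with no arguments to review the generated commands, and with `apply` as root to install them. Source-quench, which Dave lists, is deliberately left out: RFC 6633 deprecated it and current hosts ignore it. Administratively-prohibited is a code of destination-unreachable and is covered by that rule.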