[wplug] Nameserver firewall rules

Dave Neuer mr_fred_smoothie at yahoo.com
Tue Dec 17 15:06:17 EST 2002


Well, for one thing you need to have all of the
various necessary ICMP packets allowed through
(source-quench, destination-unreachable,
administratively-prohibited, yada yada -- there should
be a list of them somewhere online). These are
necessary to make routing work correctly.

But most importantly, it looks like you're not
forwarding any packets at all through your firewall:
your FORWARD policy is ACCEPT, but you're DROPPING all
packets from anywhere to anywhere; not a very
effective firewall unless you're REALLY paranoid, in
which case you are at least also VERY safe ;-)

Dave

--- Henry Umansky <hmust2+ at pitt.edu> wrote:
> Hello,
> 
> I am trying to set up a primary DNS server and I
> can't seem to get it
> working through my firewall. Here are my rules for
> iptables:
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> DROP       all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
> DROP       all  --  anywhere             anywhere
> 
> What other port do I need to open up? I know I need
> to open tcp 53, but I
> thought that is only used for zone transfers to slave
> nameservers.
> 
> Henry Umansky
> hmust2 [at] pitt [dot] edu
> http://www.pitt.edu/~hmust2
> 

