Mailinglist Archive: opensuse (2629 mails)
[SLE] DNS and ipchains
- From: moseley@xxxxxxxx (Bill Moseley)
- Date: Fri, 26 May 2000 16:11:15 -0700
- Message-id: <3.0.3.32.20000526161115.01d100e8@mardy>
I have set up my firewall with the help of Robert Ziegler at
http://linux-firewall-tools.com/linux/firewall/index.html
I'm unclear on the setup to allow access to my DNS, probably because I
don't understand the ports used by DNS. It will be a primary master DNS
and access will be allowed to the Internet (just to lookup local host names).
I should allow all udp and tcp connections in and out of my port 53. Right?
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $MYIPADDR 53 -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $MYIPADDR 53 -j ACCEPT -l
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 -j ACCEPT -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
--source-port 53 -j ACCEPT -l
Now, my DNS, I think, uses high ports for contacting other DNS servers. I
think it uses udp only. So:
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
--destination-port 53 -j ACCEPT
Do I need a tcp chain too for connections to remote port 53? (When does DNS
use tcp instead of udp?)
Will that allow zone transfers (as long as named is setup to allow them)?
Does that cover it? Is that leaving anything open? I'm unclear when to
use -d with an IP and port vs. using --destination-port.
Thanks,
Bill Moseley
mailto:moseley@xxxxxxxx
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@xxxxxxxx
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
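The following is an added example for the setup described in the post above; it is not code from the post, from Robert Ziegler's scripts or from SuSE. It writes out a complete ipchains rule set for a primary master name server that answers queries from the Internet and also does its own lookups, and it bakes in the three points the questions turn on: DNS uses TCP as well as UDP (zone transfers, and answers too large for a 512-byte UDP reply, which the client retries over TCP), so TCP 53 has to be open inbound and outbound; ipchains is stateless, so the replies to the server's own outbound lookups need their own input rules, covering both an unprivileged source port and a source port of 53 (the BIND 8 default for outgoing queries); and "-d $MYIPADDR 53" is simply the combined form of "-d $MYIPADDR --destination-port 53", so either spelling works. Who may actually pull a zone is left to named (allow-transfer), not to the firewall. The interface name eth0 and the address 192.0.2.10 are assumptions (a documentation address); the script prints the rules and only executes them when APPLY=1 is set, so it can be read and checked on any machine.

```shell
#!/bin/sh
# Added example, not from the original post: ipchains rules for a primary
# master DNS server.  EXTERNAL_INTERFACE, MYIPADDR and the reply-port range
# are assumed values; override them in the environment.
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"     # assumed
MYIPADDR="${MYIPADDR:-192.0.2.10}"                   # assumed (RFC 5737 address)
ANYWHERE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"
APPLY="${APPLY:-0}"   # 1 = really run ipchains (needs root and a 2.2 kernel)

# Print one rule; execute it only when APPLY=1.
rule() {
    echo "ipchains $*"
    [ "$APPLY" = "1" ] && ipchains "$@"
    return 0
}

dns_rules() {
    # 1. Queries from the Internet to our port 53, and our answers back.
    #    No source-port restriction on the way in: resolvers may query from
    #    an unprivileged port or from port 53 itself.  TCP is needed as well
    #    as UDP for zone transfers and for answers over 512 bytes.
    rule -A input  -i "$EXTERNAL_INTERFACE" -p udp -s "$ANYWHERE" -d "$MYIPADDR" 53 -j ACCEPT
    rule -A input  -i "$EXTERNAL_INTERFACE" -p tcp -s "$ANYWHERE" -d "$MYIPADDR" 53 -j ACCEPT
    rule -A output -i "$EXTERNAL_INTERFACE" -p udp -s "$MYIPADDR" 53 -d "$ANYWHERE" -j ACCEPT
    rule -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$MYIPADDR" 53 -d "$ANYWHERE" -j ACCEPT
    # The four rules above also carry our own lookups when named sends them
    # from source port 53 (BIND 8 default), since those replies arrive at
    # our port 53 from a remote port 53.

    # 2. Our own lookups sent from an unprivileged port (BIND 9 default) and
    #    their replies.  ipchains keeps no connection state, so the replies
    #    need explicit input rules; "! -y" on the TCP reply rule refuses new
    #    connections (SYN) that someone might open from a source port of 53.
    rule -A output -i "$EXTERNAL_INTERFACE" -p udp -s "$MYIPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 53 -j ACCEPT
    rule -A input  -i "$EXTERNAL_INTERFACE" -p udp -s "$ANYWHERE" 53 -d "$MYIPADDR" "$UNPRIVPORTS" -j ACCEPT
    rule -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$MYIPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" 53 -j ACCEPT
    rule -A input  -i "$EXTERNAL_INTERFACE" -p tcp ! -y -s "$ANYWHERE" 53 -d "$MYIPADDR" "$UNPRIVPORTS" -j ACCEPT
}

# Number of rules dns_rules emits (handy for a sanity check).
dns_rule_count() {
    dns_rules | grep -c '^ipchains '
}

dns_rules
```

Run it as is to review the rules, then with APPLY=1 (as root, after the default DENY policies from the rest of the firewall script) to load them. Adding -l to the ACCEPT rules, as in the post, logs each matching packet to syslog, which is useful while testing but noisy for a busy name server.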