I have set up my firewall with the help of Robert Ziegler at
http://linux-firewall-tools.com/linux/firewall/index.html

I'm unclear on the setup to allow access to my DNS, probably because I
don't understand the ports used by DNS. It will be a primary master DNS
and access will be allowed to the Internet (just to look up local host
names).

I should allow all udp and tcp connections in and out of my port 53.
Right?

    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -d $MYIPADDR 53 -j ACCEPT -l
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
        -d $MYIPADDR 53 -j ACCEPT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        --source-port 53 -j ACCEPT -l
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
        --source-port 53 -j ACCEPT -l

Now, my DNS, I think, uses high ports for contacting other DNS servers.
I think it uses udp only. So:

    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        --destination-port 53 -j ACCEPT

Do I need a tcp chain too for connections to remote port 53? (When does
DNS use tcp instead of udp?) Will that allow zone transfers (as long as
named is set up to allow them)?

Does that cover it? Is that leaving anything open?

I'm unclear when to use -d with an IP and port vs. using
--destination-port.

Thanks,

Bill Moseley
mailto:moseley@hank.org

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
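As an added example (not code from the post above, and not from Robert Ziegler's firewall generator), here is a complete ipchains rule set for the two roles such a server plays: answering the world on its own port 53, and asking other servers from an unprivileged local port. DNS falls back to TCP in two situations: when a UDP answer is too large (the server sets the TC bit and the client retries the same query over TCP), and for zone transfers (AXFR), which always run over TCP; so both roles need a TCP pair as well as a UDP pair. The interface name, the address 192.0.2.10 (a documentation address), the 1024:65535 unprivileged range and the echo dry-run default are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the post or from Robert Ziegler's tools.
# ipchains rules for a primary master name server that also resolves
# names for its own users. Assumed values: EXTERNAL_INTERFACE, MYIPADDR
# (192.0.2.10 is a documentation address; change it) and UNPRIVPORTS.
# IPCHAINS defaults to "echo" (dry run); set IPCHAINS=ipchains to install.

EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
MYIPADDR="${MYIPADDR:-192.0.2.10}"
UNPRIVPORTS="1024:65535"          # ipchains writes port ranges as low:high
IPCHAINS="${IPCHAINS:-echo}"

dns_rules() {
    # ---- server side: the world talking to OUR port 53 -----------------
    # Ordinary lookups: UDP query in from an unprivileged port, reply out.
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p udp \
        --source-port "$UNPRIVPORTS" -d "$MYIPADDR" 53 -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$MYIPADDR" 53 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # TCP to our 53: clients retrying after a truncated (TC bit) UDP answer,
    # and secondaries pulling zone transfers (AXFR always runs over TCP).
    # The remote end opens the connection, so packets leaving our port 53
    # must never be a SYN ("! -y"): a local process bound to port 53 cannot
    # use this rule to open outbound connections through the firewall.
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
        --source-port "$UNPRIVPORTS" -d "$MYIPADDR" 53 -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s "$MYIPADDR" 53 --destination-port "$UNPRIVPORTS" -j ACCEPT

    # ---- resolver side: OUR named asking other servers ------------------
    # Assumes named sends its queries from an unprivileged port.
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$MYIPADDR" "$UNPRIVPORTS" --destination-port 53 -j ACCEPT
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p udp \
        --source-port 53 -d "$MYIPADDR" "$UNPRIVPORTS" -j ACCEPT

    # Same queries over TCP when a remote server's UDP answer was truncated
    # (and zone transfers we would pull if ever configured as a secondary).
    # We open these connections, so nothing coming back may be a SYN.
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp \
        -s "$MYIPADDR" "$UNPRIVPORTS" --destination-port 53 -j ACCEPT
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        --source-port 53 -d "$MYIPADDR" "$UNPRIVPORTS" -j ACCEPT
}

dns_rules
```

On the `-d` question: `-d ADDRESS PORT` pins both the destination address and port of the packet, while `--destination-port PORT` (or `--source-port`) matches the port alone for any address; the rules above use `-s`/`-d` with the server's own address so that only traffic to and from that one host is accepted, and the bare port options for the remote side, which can be any address. If named is instead configured to send its own queries from port 53 (BIND 4 did this, and BIND 8 does with `query-source address * port 53;`), the resolver-side rules above will not match; add a UDP pair for port 53 on both ends in that case. Appending `-l` to the input rules, as in the post, logs the accepted packets.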