Bill Moseley wrote:
I have set up my firewall with the help of Robert Ziegler at http://linux-firewall-tools.com/linux/firewall/index.html
I'm unclear on the setup to allow access to my DNS, probably because I don't understand the ports used by DNS. It will be a primary master DNS and access will be allowed to the Internet (just to lookup local host names).
I should allow all udp and tcp connections in and out of my port 53. Right?
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $MYIPADDR 53 -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $MYIPADDR 53 -j ACCEPT -l
ipchains -A output -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --source-port 53 -j ACCEPT -l
Now, my DNS, I think, uses high ports for contacting other DNS servers. I think it uses udp only. So:
ipchains -A output -i $EXTERNAL_INTERFACE -p udp --destination-port 53 -j ACCEPT
Do I need a tcp chain too for connections to remote port 53? (When does DNS use tcp instead of udp?)
Hmmm. Have you tested this out yet? Assuming you block everything else, you have no way to contact other DNS servers. As far as I can tell, the four lines above all simply allow access to your port 53. The single line above will allow you to send requests to external computers, but there is no corresponding rule on the input chains, so all inbound packets from foreign port 53 will be blocked. Of course, I can't see the rest of your firewall rules, so the above may work, but from what I can see, you need to add a line along the lines of:
ipchains -A input -i $EXTERNAL_INTERFACE -p udp --source-port 53 -j ACCEPT
Will that allow zone transfers (as long as named is setup to allow them)?
Does that cover it? Is that leaving anything open? I'm unclear when to use -d with an IP and port vs. using --destination-port.
I'm not 100% on this, but I think that the --destination-port option is just 'shorthand' for saying:
-d 0.0.0.0/0
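To answer both open questions in the thread (the missing inbound half, and when tcp is needed), here is an added example, not from either poster, of the complete rule set for a server that both answers queries and does its own lookups. It keeps the thread's variable names, uses a constructed placeholder for $MYIPADDR, and assumes named's outgoing query port is not pinned (BIND's query-source setting can change that).

```shell
#!/bin/sh
# Added example: full ipchains rule set for a primary master DNS server.
# IPCHAINS defaults to a dry run that prints the commands; set
# IPCHAINS=ipchains to apply them for real.
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
MYIPADDR="${MYIPADDR:-192.0.2.10}"          # constructed placeholder address
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Every direction needs a matching pair; the thread's first four rules
# cover only the "serving" half.
dns_rules() {
    # 1. Serving: remote resolvers and secondaries talk to our port 53.
    #    UDP carries ordinary queries; TCP carries zone transfers (AXFR)
    #    and any answer too large for a 512-byte UDP reply, so TCP is
    #    needed here even if you only "lookup local host names".
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p udp -d "$MYIPADDR" 53 -j ACCEPT -l
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp -s "$MYIPADDR" 53 -j ACCEPT
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p tcp -d "$MYIPADDR" 53 -j ACCEPT -l
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$MYIPADDR" 53 -j ACCEPT
    # 2. Resolving: named asks other servers, and their replies must get
    #    back in. This is the "input ... --source-port 53" half the thread
    #    found missing. "! -y" accepts only non-SYN TCP segments, so a
    #    remote host cannot open a new connection to us through this rule.
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p udp -s "$MYIPADDR" --destination-port 53 -j ACCEPT
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p udp --source-port 53 -d "$MYIPADDR" -j ACCEPT
    $IPCHAINS -A output -i "$EXTERNAL_INTERFACE" -p tcp -s "$MYIPADDR" --destination-port 53 -j ACCEPT
    $IPCHAINS -A input  -i "$EXTERNAL_INTERFACE" -p tcp --source-port 53 -d "$MYIPADDR" ! -y -j ACCEPT
}

# Number of rules emitted (8: two protocols x two directions x two roles).
dns_rule_count() { dns_rules | wc -l | tr -d ' '; }

dns_rules
```

Run it as-is to see the eight commands, then compare them against your own input and output chains for the rule that is missing.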