Paul Elliott wrote:
Ok, I have a dialup connection to the internet. I want to let hosts on my internal net use my ISP's domain name service.
For 9.1 I had:
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"
But in 9.2 the startup process complained about this line so I commented it out in SuSEfirewall2.
Only the special keyword "DNS" is no longer supported. Nevertheless I would recommend avoiding FW_ALLOW_INCOMING_HIGHPORTS_UDP if possible.
Now of course, attempts by hosts on my internal net to use dns fail and lines like this appear in /var/log/messages:
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10
192.168.86.4 is a host on my internal net and 199.170.88.10 and 199.170.88.29 are my ISP's dns servers!
I believe the log entries are complaining about a UDP packet that was trying to go from my ISP's domain name service to a host on my internal net.
No, read the message carefully: IN=eth0 OUT=modem0. It's got nothing to do with FW_ALLOW_INCOMING_HIGHPORTS_UDP as it happens in the forward chain in outgoing direction. You need to configure masquerading to make this work. As others already suggested it's generally a good idea to set up bind as a caching-only nameserver instead. See MODIFY_NAMED_CONF_DYNAMICALLY in /etc/sysconfig/network/config if your nameservers are assigned dynamically by your provider.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
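The point of the reply is that the SFW2 log prefix and the IN=/OUT= fields tell you which chain dropped the packet and which way it was travelling: FWDint with IN=eth0 OUT=modem0 is a packet routed from the internal interface out to the modem, not an inbound reply. The following parser is an added example for this thread, not code from SuSEfirewall2 or from either poster. The first sample line is the one quoted above; the second is constructed (the SFW2-INext prefix form, the addresses and the ports are made up for illustration) to show how an inbound drop on the external interface reads differently.

```python
import re

# Sample log lines. The first is quoted from the thread; the second is
# constructed for this example (SFW2-INext prefix, addresses and ports are made up).
SAMPLE_LOG = [
    "Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 "
    "SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF "
    "PROTO=UDP SPT=1034 DPT=53 LEN=36",
    "Feb 3 23:27:02 hrnowl kernel: SFW2-INext-DROP-DEFLT IN=modem0 OUT= "
    "SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=77 DF "
    "PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# SFW2-<chain><zone>-<action>-<rule>, e.g. SFW2-FWDint-DROP-DEFLT
PREFIX_RE = re.compile(
    r"SFW2-(?P<chain>FWD|IN|OUT)(?P<zone>int|ext|dmz)?-(?P<action>[A-Z]+)-(?P<rule>\w+)"
)
# Netfilter KEY=VALUE pairs; flag-only tokens such as DF or SYN carry no '='
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_sfw2(line):
    """Return chain/zone/action/rule plus the KEY=VALUE fields, or None if not an SFW2 line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = {}
    for key, val in KV_RE.findall(line[m.end():]):
        # LEN appears twice (IP total length, then UDP/TCP length); keep the first
        fields.setdefault(key, val)
    rec["fields"] = fields
    return rec


def explain(rec):
    """Describe the packet's path through the host in plain words."""
    f = rec["fields"]
    chain = rec["chain"]
    if chain == "FWD":
        path = f"forwarded {f.get('IN')} -> {f.get('OUT')} (routed through this host, not addressed to it)"
    elif chain == "IN":
        path = f"inbound on {f.get('IN')} addressed to this host"
    else:
        path = f"locally generated, leaving via {f.get('OUT')}"
    return (
        f"{rec['action']} in {chain} chain ({rec['zone'] or 'no zone'}): {path}; "
        f"{f.get('PROTO')} {f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')}"
    )


def forwarded_dns_drops(lines):
    """The symptom from the thread: internal clients' DNS queries dropped in the forward chain."""
    out = []
    for line in lines:
        rec = parse_sfw2(line)
        if rec and rec["chain"] == "FWD" and rec["fields"].get("PROTO") == "UDP" \
                and rec["fields"].get("DPT") == "53":
            out.append(rec)
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_sfw2(line)
        print(explain(rec))
    print(f"{len(forwarded_dns_drops(SAMPLE_LOG))} forwarded DNS query drop(s)")
```

Run against the first sample line, the output reads "DROP in FWD chain (int): forwarded eth0 -> modem0 ...", which is exactly the clue the reply points at: a drop in the forward chain on the way out, so the fix is on the masquerading/forwarding side, not in the incoming high-port allowances.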