Firewall questions I promised you.
Rick Stevens
rstevens at vitalstream.com
Mon Jun 7 17:00:24 UTC 2004
Bruce McDonald wrote:
> Hello Rick
>
> On 01-Jun-04, you wrote:
>
> <snip>
>
>>>My next error is:
>>>iptables v1.2.7a: host/network `yahoo.com' not found
>>>Try `iptables -h' or 'iptables --help' for more information.
>>>
>>>I assume this means the firewall is halting packets to or from my DNS
>>>server.
>
>
>>Yup.
>
>
> Interestingly, it is only halting packets that originate on the Linux box.
> The other boxen are communicating fine now that I have weeded out the stupid
> errors I made.
Depends on the default policy for your INPUT chain. If you're using a
policy of DENY and don't specifically permit "--sport 53", yes, it'll
block outgoing DNS requests.
>>>I still have to check a little further into this, I do have rules that
>>>are supposed to allow the traffic. I will post them for your input once I
>>>figure that I don't see anything at all wrong with them.
>
>
>>It rather depends on how strict you want your firewall to be regarding
>>DNS. Without seeing the entire iptables setup, I can't comment on what
>>you want to do. However, somewhere near the top of your list you should
>>have something along the lines of:
>
>
>> iptables -A INPUT -p udp --sport 53 -j ACCEPT
>
>
>>This would accept all UDP DNS traffic (remember, 99% of DNS traffic is
>>UDP, not TCP).
>
>
>
> I would experiment with this more now, but work is cutting into my playtime.
"The more complex the mind, the greater the need for play."
-- Mr. Spock
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- "I understand Windows 2000 has a Y2K problem." -
----------------------------------------------------------------------
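Added example, not part of the thread above and not Rick's or Bruce's code. The "host/network `yahoo.com' not found" error is produced by the iptables binary itself: a rule that names a host (for example `-d yahoo.com`) is resolved when the rule is loaded, so it fails whenever the ruleset being built has not yet let DNS replies back in. The script below emits an iptables-restore ruleset for a host whose INPUT policy is DROP, accepting DNS answers through connection tracking rather than with a bare `--sport 53` match (a rule that accepts any packet whose source port is 53 also lets any remote host reach any local UDP port just by sending from port 53), and includes a small check that flags rules containing hostnames before they are loaded. The resolver address 192.0.2.53, the interface name eth0 and the DROP policy on OUTPUT are assumptions; adjust them for your box.

```shell
#!/bin/sh
# Added example for the Redhat-install-list thread; not code from the thread.
# Assumed values: a single resolver and a single outward interface.
RESOLVER="192.0.2.53"   # assumed resolver (TEST-NET-1, documentation address)
WAN_IF="eth0"           # assumed interface name

# The rule suggested in the thread. With INPUT policy DROP it does let DNS
# answers in, but it accepts *any* UDP packet sourced from port 53, whatever
# the destination port, so a remote attacker can reach any local UDP service
# by sending from port 53. Shown only for comparison.
weak_dns_rule() {
    echo "-A INPUT -p udp --sport 53 -j ACCEPT"
}

# Hardened ruleset in iptables-restore format. Answers to queries this host
# sent come back as ESTABLISHED via conntrack; nothing else is accepted on
# INPUT. DNS-specific rules live in OUTPUT, pinned to the configured resolver,
# and TCP 53 is included because large or truncated answers fall back to TCP.
hardened_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp -d $RESOLVER --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -d $RESOLVER --dport 53 -j ACCEPT
COMMIT
EOF
}

# Print every rule in a (IPv4) ruleset file whose -s or -d argument contains
# a letter, i.e. a hostname rather than a dotted address. iptables resolves
# such names at load time, which is exactly what fails with
# "host/network ... not found" when DNS is not yet reachable.
hostname_rules() {
    grep -E -- '-[sd][[:space:]]+[^[:space:]]*[A-Za-z]' "$1" || true
}

# Stand-alone usage: write the hardened ruleset to stdout.
hardened_ruleset
```

Load the output with `iptables-restore < ruleset.txt` as root once you have reviewed it; recent versions of `iptables-restore` accept `--test` to parse a ruleset without applying it. Put only numeric addresses in rules, and if a rule really must refer to a name, load it after the rules that admit DNS replies.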
More information about the Redhat-install-list mailing list