Re: Problems with IP tables firewall (DNS and what the heck is this WinME box doing)

To: debian-firewall@lists.debian.org
Subject: Re: Problems with IP tables firewall (DNS and what the heck is this WinME box doing)
From: Bulent Murtezaoglu <bm@acm.org>
Date: Thu, 7 Jun 2001 14:47:07 -0400 (EDT)
Message-id: <15135.52267.276141.777695@nkapi.internal>
In-reply-to: <20010607112505.F17152@lion.kingsley.co.za>
References: <004001c0ee9e$fbf11c60$0201a8c0@echostar.ca> <003201c0ef26$4dac3120$960669d5@oak> <20010607112505.F17152@lion.kingsley.co.za>

>>>>> "MW" == Michael Wood <wood@kingsley.co.za> writes:
[...]
    MW> AFAIK, TCP is used to zone transfers and also other large
    MW> queries.  Not sure what "large" is defined as, though.

I think the RFC says the limit is 512 bytes for the UDP payload. 

    MW> i.e. by blocking TCP port 53, most things will work, but
    MW> there's a chance that some large queries will not work.

AFAIK, you will get an answer and it might be what you want, but it
will be truncated.  An interesting question is what happens when a
resolver sitting behind a broken firewall tries a TCP query upon
receiving a truncated UDP answer.  One unpleasant consequence
might be the app blocking on the resolver call for a long time.

cheers,

BM

Reply to:

References:
- Problems with IP tables firewall (DNS and what the heck is this WinME box doing)
  - From: "Ehren Wilson" <ewilson@echostar.ca>
- Re: Problems with IP tables firewall (DNS and what the heck is this WinME box doing)
  - From: "Robert Davies" <Rob_Davies@NTLWorld.Com>
- Re: Problems with IP tables firewall (DNS and what the heck is this WinME box doing)
  - From: Michael Wood <wood@kingsley.co.za>

Prev by Date: Problems filtering UDP with Netfilter
Next by Date: Re: Specifying multiple services to Netfilter
Previous by thread: Re: Problems with IP tables firewall (DNS and what the heck is this WinME box doing)
Next by thread: Re: Problems with IP tables firewall (DNS and what the heck is this WinME box doing)
Index(es):
- Date
- Thread