I have a firewall which allows ESTABLISHED,RELATED packets on INPUT, and port 53/udp on OUTPUT. Now, if I query for a DNS name, the packet leaves the machine, but the reply is usually dropped:

  [INPUT]: IN=ppp0 OUT= MAC= SRC=126.96.36.199 DST=188.8.131.52 LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48

Here are the relevant rules:

  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT]: "
  -P INPUT DROP

I always have to add specific udp sport rules for all nameservers, which is a pain, and which should not be required. What am I doing wrong?

(Note that I get the same results with '-m state' instead of '-m ctstate').

Thanks,

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <email@example.com>
: :'  :  proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
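To triage a problem like the one above from the firewall log alone, the following added example (not from the post or its author) parses lines in the "[INPUT]: " LOG format shown and lists the nameservers whose UDP replies were dropped instead of matching as ESTABLISHED; the sample log is constructed, with only the first line taken from the post.

```python
import re
from typing import Dict, List

# Constructed sample log: the first line is the one quoted in the post,
# the other two are made-up non-DNS packets to show they are ignored.
SAMPLE_LOG = """\
[INPUT]: IN=ppp0 OUT= MAC= SRC=126.96.36.199 DST=188.8.131.52 LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48
[INPUT]: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=188.8.131.52 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44512 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
[INPUT]: IN=ppp0 OUT= MAC= SRC=126.96.36.199 DST=188.8.131.52 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=9950 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# netfilter LOG lines are a sequence of KEY=VALUE tokens; empty values (OUT=, MAC=) are allowed.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_log_line(line: str) -> Dict[str, str]:
    """Turn one LOG line into a dict of its fields. A repeated key (the second
    LEN=, the ICMP ID=) is stored with a '2' suffix so the first value survives."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if key in fields:
            key = key + "2"
        fields[key] = value
    return fields

def is_dropped_dns_reply(fields: Dict[str, str]) -> bool:
    """UDP from source port 53 to an ephemeral port is a DNS answer that the
    ESTABLISHED rule should have accepted before the LOG/DROP policy saw it."""
    if fields.get("PROTO") != "UDP" or fields.get("SPT") != "53":
        return False
    return int(fields.get("DPT", "0")) >= 1024

def dropped_dns_resolvers(log_text: str) -> List[str]:
    """Distinct nameserver addresses whose replies were logged as dropped, in order seen."""
    seen: List[str] = []
    for line in log_text.splitlines():
        if not line.startswith("[INPUT]: "):
            continue
        f = parse_log_line(line)
        if is_dropped_dns_reply(f) and f["SRC"] not in seen:
            seen.append(f["SRC"])
    return seen

if __name__ == "__main__":
    for ns in dropped_dns_resolvers(SAMPLE_LOG):
        print("dropped DNS reply from", ns)
```

Feed it the real kernel log (for example the output of `journalctl -k` or `/var/log/kern.log`) instead of SAMPLE_LOG to see which resolvers are affected before adding any per-nameserver rule.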