Re: DNS replies not RELATED/ESTABLISHED?
- To: debian firewall list <firstname.lastname@example.org>
- Subject: Re: DNS replies not RELATED/ESTABLISHED?
- From: Tommi Lorry Jensen <email@example.com>
- Date: Tue, 15 Mar 2005 12:51:46 +0100
- Message-id: <4236CC52.firstname.lastname@example.org>
- In-reply-to: <20050315001404.GA10041@localhost.localdomain>
- References: <20050315001404.GA10041@localhost.localdomain>
> I have a firewall which allows ESTABLISHED,RELATED packets on INPUT,
> and port 53/udp on OUTPUT. Now, if I query for a DNS name, the
> packet leaves the machine, but the reply is usually dropped:

Is it running a recursive dns server, or are you using $ISP's designated

> [INPUT]: IN=ppp0 OUT= MAC= SRC=126.96.36.199 DST=188.8.131.52
> LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53
>
> Here are the relevant rules:
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP

I'm not entirely certain, but I believe I've read that ctstate only
applies to NAT - I could be wrong though (and the documentation at the
location listed below doesn't make it completely clear).

> -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT]: "
> -P INPUT DROP

Anyhow - it looks like it 'falls' through the first two rules, and gets
pummeled by your LIMIT/LOG rule, and then a DROP into /dev/null, so -
at least something hints that connection tracking on udp has a few issues
(not entirely unexpected on my behalf).

Do you do SNAT/Masquerade outbound? (perhaps unlikely, but it's
possible), if so, you might need to use -j SNAT|DNAT on --ctstate

> I always have to add specific udp sport rules for all nameservers,
> which is a pain, and which should not be required.
>
> What am I doing wrong?
>
> (Note that I get the same results with '-m state' instead of '-m

That's even stranger - I've made drop policy firewalls with recursive
dnscaches with the box accepting only ssh from $LAN, and a few select
external IPs for maintenance, with -m state --state ESTABLISHED,RELATED
-j ACCEPT - without any problems.

Not much of a solution, but hopefully it raises a few questions that
might make you go "aaaah".
Programmers love Unix and C because they are powerful, and they are powerful because programmers love them.
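As an added example that is not part of this thread (it is not code posted by either participant): a small Python model of how connection tracking classifies an inbound UDP packet, fed with log lines in the format the LOG rule above writes. `-m state --state` and `-m conntrack --ctstate` consult the same tracking table, so the model covers both. The addresses, ports, the 30-second UDP timeout and the log lines are constructed assumptions, not data from the thread. What it shows is that a reply is ESTABLISHED only when its address/port tuple is the exact reverse of the tracked query; a reply from a different server address, or one arriving after the tracking entry has expired, is NEW and falls through to the LOG rule and the DROP policy.

```python
import re

# Assumed field layout of a netfilter LOG line, modelled on the
# "[INPUT]: IN=ppp0 ... PROTO=UDP SPT=53" line quoted in the thread.
# The sample lines below are constructed, not captured from a real box.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)")


def parse_log_line(line):
    """Return the (proto, src, sport, dst, dport) tuple of a netfilter LOG line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a netfilter LOG line with a port pair: " + line)
    src, dst, proto, spt, dpt = m.groups()
    return (proto, src, int(spt), dst, int(dpt))


class ConntrackTable:
    """Model of how connection tracking classifies UDP packets.

    An entry is keyed on the tuple of the packet that created it (here the
    outgoing DNS query).  An inbound packet is ESTABLISHED only if its tuple
    is the exact reverse of a live entry: same protocol, source address/port
    swapped with destination address/port.  Everything else is NEW.  The UDP
    timeout is an assumed value for this model; real kernels expose theirs
    as a sysctl.
    """

    def __init__(self, udp_timeout=30):
        self.udp_timeout = udp_timeout
        self.entries = {}  # original-direction tuple -> expiry time (seconds)

    def output(self, tup, now):
        """A packet leaving the box (OUTPUT chain) creates or refreshes an entry."""
        self.entries[tup] = now + self.udp_timeout

    def ctstate(self, tup, now):
        """State the INPUT chain would see for an inbound packet."""
        proto, src, sport, dst, dport = tup
        reverse = (proto, dst, dport, src, sport)
        expiry = self.entries.get(reverse)
        if expiry is not None and now < expiry:
            # A matching reply refreshes the entry, as conntrack does.
            self.entries[reverse] = now + self.udp_timeout
            return "ESTABLISHED"
        return "NEW"


def input_verdict(ct, log_line, now):
    """Apply the thread's INPUT rules to one packet described by a LOG line:
    ESTABLISHED,RELATED -> ACCEPT; anything else falls through to LOG and the
    DROP policy.  (UDP packets are never INVALID in this model, so that rule
    is omitted.)"""
    tup = parse_log_line(log_line)
    if ct.ctstate(tup, now) == "ESTABLISHED":
        return "ACCEPT"
    return "LOG+DROP"


def demo():
    """Walk one DNS query and three candidate replies through the model."""
    ct = ConntrackTable(udp_timeout=30)
    # Outgoing query: our ppp0 address (198.51.100.7, constructed) sends from
    # an ephemeral port to the resolver 192.0.2.53:53; OUTPUT allows 53/udp.
    ct.output(("UDP", "198.51.100.7", 32768, "192.0.2.53", 53), now=0)

    good_reply = ("[INPUT]: IN=ppp0 OUT= MAC= SRC=192.0.2.53 DST=198.51.100.7 "
                  "LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=32768")
    # Same resolver, but answering from a different address (e.g. a
    # multi-homed server): the reverse tuple does not match the entry.
    other_src = good_reply.replace("SRC=192.0.2.53", "SRC=192.0.2.54")
    # Correct tuple, but arriving after the UDP entry has expired.
    late_reply = good_reply

    return {
        "matching reply": input_verdict(ct, good_reply, now=1),
        "reply from other address": input_verdict(ct, other_src, now=2),
        "reply after timeout": input_verdict(ct, late_reply, now=120),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26s} -> {verdict}")
```

On a real box the equivalent check is to send a query and then look for the entry in /proc/net/ip_conntrack (nf_conntrack on later kernels) or with `conntrack -L` from conntrack-tools, comparing the SRC/SPT of the logged reply against the destination address and port the query was actually sent to.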