
Re: DNS replies not RELATED/ESTABLISHED?



martin f krafft wrote:
> I have a firewall which allows ESTABLISHED,RELATED packets on INPUT,
> and port 53/udp on OUTPUT. Now, if I query for a DNS name, the
> packet leaves the machine, but the reply is usually dropped:
>
>   [INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42
>   LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53
>   DPT=16468 LEN=48
>
> Here are the relevant rules:
>
>   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>   -A INPUT -m conntrack --ctstate INVALID -j DROP
>
>   -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT]: "
>
>   -P INPUT DROP
>
> I always have to add specific udp sport rules for all nameservers,
> which is a pain, and which should not be required.
>

As a quickie I applied this subset of the INPUT rules on my workstation and
everything seemed to work as expected.

I am guessing the problem is elsewhere.  What does /proc/net/ip_conntrack say
the kernel is expecting?

Cheers,

    Blair

--
How much SPAM would CAN-SPAM can if CAN-SPAM could can SPAM?
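An added example, not part of this thread: a small Python script that performs the check Blair suggests offline, matching the quoted [INPUT] LOG line against a constructed sample of /proc/net/ip_conntrack to predict which --ctstate the reply would get. The conntrack lines and the second LOG line (a reply whose entry is missing) are constructed samples; only the first LOG line and the addresses in it come from the thread.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack format (proto, protonum,
# timeout, original tuple, [UNREPLIED], expected reply tuple, [ASSURED], use=N).
# The udp line is what the kernel should hold right after the DNS query leaves.
SAMPLE_CONNTRACK = """\
udp      17 29 src=62.159.154.42 dst=217.232.161.91 sport=16468 dport=53 [UNREPLIED] src=217.232.161.91 dst=62.159.154.42 sport=53 dport=16468 use=1
tcp      6 431999 ESTABLISHED src=62.159.154.42 dst=217.232.161.91 sport=33000 dport=22 src=217.232.161.91 dst=62.159.154.42 sport=22 dport=33000 [ASSURED] use=1
"""

# First line: the [INPUT] LOG entry quoted in the thread. Second line: a
# constructed reply for a query whose conntrack entry is absent (e.g. expired).
SAMPLE_LOGS = [
    "[INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42 LEN=68 "
    "TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48",
    "[INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42 LEN=68 "
    "TOS=0x00 PREC=0x00 TTL=58 ID=9950 PROTO=UDP SPT=53 DPT=16469 LEN=48",
]

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_conntrack(text):
    """Return (proto, original_tuple, reply_tuple, unreplied) per table entry."""
    entries = []
    for line in text.splitlines():
        tuples = [(s, d, int(sp), int(dp)) for s, d, sp, dp in TUPLE_RE.findall(line)]
        if len(tuples) == 2:  # original direction first, then the expected reply
            entries.append((line.split()[0], tuples[0], tuples[1], "[UNREPLIED]" in line))
    return entries

def parse_log(line):
    """Extract (proto, src, dst, sport, dport) from an iptables LOG line."""
    f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    return (f["PROTO"].lower(), f["SRC"], f["DST"], int(f["SPT"]), int(f["DPT"]))

def ctstate(log_line, conntrack_text):
    """Predict the --ctstate conntrack assigns to the logged packet."""
    proto, src, dst, sport, dport = parse_log(log_line)
    pkt = (src, dst, sport, dport)
    for cproto, orig, reply, unreplied in parse_conntrack(conntrack_text):
        if cproto != proto:
            continue
        if pkt == reply:  # the reply the kernel is expecting: ESTABLISHED
            return "ESTABLISHED"
        if pkt == orig:   # original direction: NEW until a reply has been seen
            return "NEW" if unreplied else "ESTABLISHED"
    return "NEW"  # nothing is expecting it, so the quoted INPUT policy drops it
```

Run `ctstate(SAMPLE_LOGS[0], SAMPLE_CONNTRACK)` against a real table (`cat /proc/net/ip_conntrack`) taken right after the query: a reply that comes back as NEW means the entry was never created or had already timed out.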
