Re: DNS replies not RELATED/ESTABLISHED?
martin f krafft wrote:
> I have a firewall which allows ESTABLISHED,RELATED packets on INPUT,
> and port 53/udp on OUTPUT. Now, if I query for a DNS name, the
> packet leaves the machine, but the reply is usually dropped:
> [INPUT]: IN=ppp0 OUT= MAC= SRC=22.214.171.124 DST=126.96.36.199
> LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53
> DPT=16468 LEN=48
> Here are the relevant rules:
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
> -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT]: "
> -P INPUT DROP
> I always have to add specific udp sport rules for all nameservers,
> which is a pain, and which should not be required.
As a quickie I applied this subset of the INPUT rules on my workstation and
everything seemed to work as expected.
I am guessing the problem is elsewhere. What does /proc/net/ip_conntrack say
the kernel is expecting?
How much SPAM would CAN-SPAM can if CAN-SPAM could can SPAM?