
Re: secured server policies



SZALAY Attila wrote:
> On Sat, 2008-11-08 at 19:03 +0000, daniel wrote:
>> Ansgar Wiechers wrote:
>>> On 2008-10-31 daniel wrote:
>>>> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>>>> iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> You need TCP for fully functional DNS as well.
>> Why do I need TCP for fully functional DNS?
>> TCP must be used for zone transfers.
>> See --> http://www.freesoft.org/CIE/Topics/77.htm
> 
> No, it's not exactly true.
> 
> You need tcp in the case when the answer is too big to fit in a UDP
> packet. If this happens, the client should reconnect using tcp.
> 
> From rfc 1035:
> 
> 4.2.1. UDP usage
> 
> Messages sent using UDP user server port 53 (decimal).
> 
> Messages carried by UDP are restricted to 512 bytes (not counting the IP
> or UDP headers).  Longer messages are truncated and the TC bit is set in
> the header.
> 
Thanks for your explanation.

I will read the RFCs more. :)

Daniel.
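As an added illustration of the RFC 1035 section 4.2.1 rule quoted above (not code from anyone in this thread): a small Python model of the 12-byte DNS header that shows how a server marks an oversized UDP reply with the TC bit and how a resolver detects that bit to decide on a TCP retry. The sample responses are constructed inline, not captured traffic.

```python
import struct

# DNS header per RFC 1035 section 4.1.1: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!HHHHHH")
UDP_MAX_PAYLOAD = 512  # RFC 1035 section 4.2.1: UDP messages are limited to 512 bytes
TC_BIT = 0x0200        # truncation flag in the FLAGS word
QR_BIT = 0x8000        # 1 = response, 0 = query


def parse_header(message: bytes) -> dict:
    """Decode the DNS header fields, including the TC (truncation) bit."""
    if len(message) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(message)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "tc": (flags >> 9) & 1,   # set when the answer was cut to fit in UDP
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """Resolver side: a truncated UDP reply must be re-asked over TCP port 53."""
    return parse_header(udp_reply)["tc"] == 1


def truncate_for_udp(message: bytes) -> bytes:
    """Server side: cut the message to 512 bytes and set TC, as section 4.2.1 requires.
    Simplified model: a real server drops whole records and fixes the counts;
    here only the length and the TC bit are demonstrated."""
    if len(message) <= UDP_MAX_PAYLOAD:
        return message
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(message)
    header = HEADER.pack(ident, flags | TC_BIT, qd, an, ns, ar)
    return (header + message[HEADER.size:])[:UDP_MAX_PAYLOAD]


def build_response(ident: int, payload: bytes) -> bytes:
    """Construct a sample (not captured) response: QR=1, one question, opaque body."""
    return HEADER.pack(ident, QR_BIT, 1, 0, 0, 0) + payload


if __name__ == "__main__":
    reply = truncate_for_udp(build_response(0x1234, b"\x00" * 600))
    print(len(reply), "bytes, retry over TCP:", needs_tcp_retry(reply))
```

A firewall that only passes UDP/53, as in the rules at the top of the thread, breaks exactly the retry this function signals.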

