[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CNAME, iptables and qmail



On Mon, May 06, 2002 at 01:47:54PM -0700, Vineet Kumar wrote:
> This setup will work fine most of the time, but mysteriously fail when
> replies to your DNS queries are long. Your resolver tries to ask udp/53,
> but will need to connect to tcp/53 if the result is longer than can fit
> in a single udp packet.
Yes, but in my case disallowing tcp/53 is (or rather would be) another layer
of security ; preventing zone transfers. I have never had any problems with
long answers...

> iptables -A INPUT -j ACCEPT \
> 	-m state --state ESTABLISHED \
> 	-p tcp -s $MY_NAMESERVER --sport 53 -d $MY_EXT_IP
> iptables -A OUTPUT -j ACCEPT \
> 	-p tcp -d $MY_EXT_IP --dport 53 -d $MY_NAMESERVER
> 
> ... but that's just me. Also, I'm already using connection tracking for
> NAT anyway.
Yes, i think it's much better way, but i still don't have time to make my
firewall more sophisticated :)
But the simple rule is to give the simpliest answers :)

> good times,
> Vineet

ps. and i'm very unhappy because of lack of -C options in iptables (people
who have any experience with ipchains know what i mean).
Do you know any good ways to test your firewall? I mean do you people have
some scripts to hping , or any other tools, which can be helpful?


-- 
Michael "carstein" Melewski	 |	"One day, he said, in a taped segment	
carstein@poznan.linux.org.pl 	 |	 that suggested chemical interrogation,
mobile:	502 545 913		 |	 everything had gone gray."
gpg: carstein.c.pl/carstein.txt	 |	 -- Corto , 'Neuromancer'

Attachment: pgpFAd5KAkGX7.pgp
Description: PGP signature


Reply to: