On Mon, May 06, 2002 at 01:47:54PM -0700, Vineet Kumar wrote:
> This setup will work fine most of the time, but mysteriously fail when
> replies to your DNS queries are long. Your resolver tries to ask udp/53,
> but will need to connect to tcp/53 if the result is longer than can fit
> in a single udp packet.

Yes, but in my case disallowing tcp/53 is (or rather would be) another layer of security; preventing zone transfers. I have never had any problems with long answers...

> iptables -A INPUT -j ACCEPT \
>     -m state --state ESTABLISHED \
>     -p tcp -s $MY_NAMESERVER --sport 53 -d $MY_EXT_IP
> iptables -A OUTPUT -j ACCEPT \
>     -p tcp -s $MY_EXT_IP --dport 53 -d $MY_NAMESERVER
>
> ... but that's just me. Also, I'm already using connection tracking for
> NAT anyway.

Yes, I think it's a much better way, but I still don't have time to make my firewall more sophisticated :) But the simple rule is to give the simplest answers :)

> good times,
> Vineet

ps. and I'm very unhappy because of the lack of the -C option in iptables (people who have any experience with ipchains know what I mean).

Do you know any good ways to test your firewall? I mean, do you people have some scripts for hping, or any other tools, which can be helpful?

--
Michael "carstein" Melewski     | "One day, he said, in a taped segment
email@example.com               | that suggested chemical interrogation,
mobile: 502 545 913             | everything had gone gray."
gpg: carstein.c.pl/carstein.txt | -- Corto, 'Neuromancer'
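The point Vineet raises above (UDP replies that do not fit are returned with the TC bit set, and the stub resolver then retries over tcp/53) can be seen on the wire with a few bytes. The following Python is an added example, not code from either poster: it builds a constructed example.com A response, applies the classic 512-byte UDP limit a server without EDNS0 enforces, parses the header to see whether a client would fall back to TCP, and frames messages with the 2-byte length prefix DNS uses over TCP. The packet contents, names, record counts and function names are all assumptions made for the illustration.

```python
import struct

UDP_MAX = 512  # classic UDP payload limit without EDNS0 (RFC 1035 section 2.3.4)


def parse_header(msg):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "tc": (flags >> 9) & 1,    # 1 = truncated, client should retry over TCP
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def question_end(msg):
    """Offset just past the first question (QNAME + QTYPE + QCLASS)."""
    i = 12
    while True:
        label_len = msg[i]
        if label_len == 0:          # root label terminates the name
            i += 1
            break
        if label_len & 0xC0:        # compression pointer occupies 2 bytes
            i += 2
            break
        i += 1 + label_len
    return i + 4                    # skip QTYPE and QCLASS


def udp_reply_for(full_response):
    """What a classic server sends over UDP: the full answer if it fits,
    otherwise header + question with TC=1 and the answer counts zeroed."""
    if len(full_response) <= UDP_MAX:
        return full_response
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", full_response[:12])
    flags |= 1 << 9                                   # set TC
    head = struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0)
    return head + full_response[12:question_end(full_response)]


def needs_tcp_retry(udp_reply):
    """True when a stub resolver would open tcp/53 for this reply."""
    return parse_header(udp_reply)["tc"] == 1


def resolver_flow(udp_reply):
    """Packets a resolver host emits/receives, mapped to the firewall rules
    in the thread: the TCP leg needs the OUTPUT rule and the INPUT
    ESTABLISHED rule to pass."""
    steps = ["udp/53 query out", "udp/53 reply in"]
    if needs_tcp_retry(udp_reply):
        steps += ["tcp/53 SYN out (OUTPUT rule)",
                  "tcp/53 reply in (INPUT --state ESTABLISHED rule)"]
    return steps


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Split a TCP byte stream into complete DNS messages; returns
    (messages, unconsumed tail) so a partial message is kept for later."""
    msgs = []
    while len(stream) >= 2:
        n = struct.unpack("!H", stream[:2])[0]
        if len(stream) < 2 + n:
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream


def sample_response(n_answers):
    """Constructed sample (not captured traffic): example.com A response with
    n_answers records 10.0.0.1.., each using a pointer to the question name."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # A, IN
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, n_answers, 0, 0)  # QR,RD,RA
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, i % 256])
        for i in range(1, n_answers + 1)
    )
    return header + question + rrs


if __name__ == "__main__":
    for n in (3, 40):
        reply = udp_reply_for(sample_response(n))
        print(n, "answers ->", len(reply), "bytes on UDP, flow:", resolver_flow(reply))
```

Three A records fit in UDP and the flow never touches tcp/53; forty do not, the server answers with an empty, TC-flagged reply, and the resolver must connect to tcp/53, which is exactly the packet a "udp/53 only" ruleset drops. Note that the INPUT rule in the thread matches `--state ESTABLISHED`, so it only admits the reply half of a connection this host opened; an unsolicited inbound tcp/53 SYN (the zone-transfer worry) still has no rule to match and is handled by the chain policy.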