
Re: firewall advice



* Torrin (torrin@torrin.dyndns.org) [021215 19:21]:
> Nicolas Boullis wrote:
> > * Torrin (torrin@torrin.dyndns.org):
> > > iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain #53
> > > iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain #53
> >"Hey! I'm a nice port, let me in!". 
> >
> >Oops.
> 
> You're right, I should probably change that to be the address of the DNS
> server.  I'll also add connection tracking in my iptables script.  Is
> there anything I can do in my ipchains script?

You don't need these rules at all, if you're allowing state
ESTABLISHED,RELATED packets.  The packets coming from your nameservers
(in response to your DNS requests) will be allowed via connection
tracking.  The above rules would be used in the case when you want to
allow incoming connections, which you probably don't need to accept
from your nameserver.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes."  -- E.W. Dijkstra
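A concrete ruleset illustrating the point made in the reply above, added here as an example and not part of the thread. It puts the original source-port-53 ACCEPT rules in one function (so they can be compared) and a stateful INPUT policy in another: with `-m state --state ESTABLISHED,RELATED` in place, replies from the resolver are matched by connection tracking and nothing on INPUT has to mention port 53 at all. The interface, the resolver address (192.0.2.53 is a documentation-range placeholder) and the `IPT` dry-run variable are assumptions of this example, not from the original post.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root with the argument "apply"
# to load the rules, or set IPT=echo (or pass "preview") to print them instead.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
NAMESERVER="${NAMESERVER:-192.0.2.53}"   # placeholder address, not a real resolver

# The rules from the original post, rewritten with --sport for brevity.
# Any host can set its source port to 53, so these accept unsolicited
# packets to every local port, not just DNS replies.
weak_dns_rules() {
    $IPT -A INPUT -i "$IFACE" -p tcp -s 0.0.0.0/0 --sport 53 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p udp -s 0.0.0.0/0 --sport 53 -j ACCEPT
}

# Stateful alternative: a reply is accepted only when conntrack has already
# seen the outbound query it answers, so no source-port rule is needed.
stateful_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Queries to the resolver are NEW connections in the OUTPUT direction;
    # restricting them to $NAMESERVER keeps the conntrack table honest.
    $IPT -A OUTPUT -o "$IFACE" -p udp -d "$NAMESERVER" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp -d "$NAMESERVER" --dport 53 -m state --state NEW -j ACCEPT
}

# Reads a rule listing on stdin and counts INPUT accepts keyed on source
# port alone; a hardened ruleset should yield 0.
count_sport_accepts() {
    grep -c -- '--sport 53 -j ACCEPT' || true
}

case "${1:-}" in
    apply)   stateful_rules ;;
    preview) IPT=echo; stateful_rules ;;
esac
```

This applies to iptables only: ipchains has no connection tracking, so in the ipchains script the best available fix is the one Torrin proposed, restricting the source-port rule to the resolver's own address.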
