[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: shorewall blocks apt-get

Benedict Verheyen said:
> Hi,
> i configured shorewall on my server to share the internet connection. My
> apt.conf file contains a line to configure the use of the proxy of my
> isp:
> Acquire::http:Proxy "http://proxy.isp.be:8080";;

most firewalls with a default deny block outbound DNS requests because
they by default travel over UDP not TCP so the firewall can't keep
the state.


1) run an internal DNS behind the firewall, and direct all queries at
that system, punch a hole through the firewall to allow that system
through. I do this on my network, I have a bridged freebsd box
which has a default ipfw policy of deny, then I told BIND to only
use UDP port 53 for all actions(makes it firewall-friendly), and
opened a hole in the firewall to allow requests to go to UDP/53
on my nameserver. You shouldn't need to allow incoming requests
just outgoing, since my server is authortative for about 45 domains
I need to allow incoming as well.
2) Try running all of your DNS requests over TCP, using the
'host' command you can do this, I am not aware of any way to get
the system to default to this.
3) point to your proxy using it's IP address not the domain name
so it doesn't have to resolve anything. Many proxy servers handle
all DNS resolution as well, so if your using a proxy your system
doesn't need to know what debian.org or whatever resolves to.

#3 is the best interim solution, if you run a network, the best
long term solution is #1, that way you have both DNS and a DNS
cache on your internal network.


Reply to: