Ipchains - Bind - Resolution Inconsistencies
Barry Margolin
barry.margolin at level3.com
Thu Oct 2 18:05:12 UTC 2003
In article <blho20$s4j$1 at sf1.isc.org>, J Laub <laubj at lakesoft.net> wrote:
>Hello,
>
>We are experiencing an odd problem with the use of ipchains and
>bind. When the firewall is active, several name servers are totally
>unable to resolve any names on our dns. When the firewall is stopped
>all dns is resolved with incident. Am I doing something wrong? Does
>bind use any other odd ports?
>
>This should accept from external to fw:??
>
>ipchains -A input -i eth1 -s ! 10.0.0.x 1024:65535 -d 199.86.44.xxx 53
>-p udp -j ACCEPT
>
>ipchains -A output -i eth1 -s 199.86.44.xxx 53 -d ! 10.0.0.x 1024:65535
>-p udp -j ACCEPT
I think 1024:65535 may be the problem. BIND 4 uses source port 53 when it
sends out queries. And many sites with BIND 8 or 9 have it configured to
use this source port as well, because they configured their firewalls to
only allow inbound UDP to this port.
--
Barry Margolin, barry.margolin at level3.com
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
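As an added illustration of Barry's point (not code from the thread), the following Python model evaluates the two quoted ipchains rules against a remote resolver's query and the reply to it, first with the rules as posted and then with an extra pair of rules that also admit source port 53. Interface, addresses and the `! 10.0.0.x` negation are left out; the rule and packet objects are constructed for this model.

```python
# Constructed model of the two ipchains rules from the question, showing why a
# resolver that sends its queries from source port 53 (BIND 4, or BIND 8/9 with
# query-source port 53) never matches a rule that only accepts 1024:65535.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    chain: str      # "input" or "output"
    sport: range    # accepted source ports
    dport: range    # accepted destination ports
    proto: str = "udp"


@dataclass(frozen=True)
class Packet:
    chain: str
    sport: int
    dport: int
    proto: str = "udp"


def matches(rule, pkt):
    return (rule.chain == pkt.chain and rule.proto == pkt.proto
            and pkt.sport in rule.sport and pkt.dport in rule.dport)


def verdict(rules, pkt):
    """First matching rule wins; with no match, fall through to a DENY policy."""
    for r in rules:
        if matches(r, pkt):
            return "ACCEPT"
    return "DENY"


# The two rules as quoted: client ports 1024:65535 <-> our port 53.
ORIGINAL = [
    Rule("input", range(1024, 65536), range(53, 54)),
    Rule("output", range(53, 54), range(1024, 65536)),
]
# Same rules plus a pair admitting queries whose source port is also 53.
CORRECTED = ORIGINAL + [
    Rule("input", range(53, 54), range(53, 54)),
    Rule("output", range(53, 54), range(53, 54)),
]


def query_and_reply(rules, client_port):
    """Return (query verdict, reply verdict) for a remote resolver using client_port."""
    query = Packet("input", sport=client_port, dport=53)
    reply = Packet("output", sport=53, dport=client_port)
    return verdict(rules, query), verdict(rules, reply)
```

With the posted rules a resolver on an ephemeral port gets through, while one querying from port 53 is dropped in both directions; the extra rule pair admits it.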