refresh_callback: zone fossilbar.ch/IN: failure for 194.208.60.10#53: timed out
Michael Kjorling
michael at kjorling.com
Tue Dec 18 15:47:48 UTC 2001
OK, let's analyze these two.
(1) Add a rule to the "input" chain, matching packets traversing on
eth0 with a source address not equal to 192.168.0.254, but with a
source port in the range 1024 thru 65535, and a destination address of
194.208.60.10 on port 53, on protocols other than ICMP, and accept
packets matching the rule.
(2) Add a rule to the "output" chain, matching packets traversing on
eth0 with a source address of 194.208.60.10 on port 53, and a
destination address not equal to 192.168.0.254, but with a destination
port of 1024 thru 65535, on protocols other than ICMP, and let those
packets through.
What are you trying to accomplish with these two? They seem like a
mess to me - why not just do it the simple way and allow TCP and UDP
traffic to/from port 53 on the remote name server?
Also remember that IP spoofing with UDP is extremely trivial.
Michael Kjörling
On Dec 18 2001 12:21 +0100, Marcel Malin wrote:
> There is an IPchains script running on the DNS server. Is there something
> wrong with the script?
>
> /sbin/ipchains -A input -i eth0 -s ! 192.168.0.254 1024:65535 -d 194.208.60.10 53 -p ! icmp -j ACCEPT
> /sbin/ipchains -A output -i eth0 -s 194.208.60.10 53 -d ! 192.168.0.254 1024:65535 -p ! icmp -j ACCEPT
>
> eth0 is the external NIC (IP 194.208.60.10); the internal IP is
> 192.168.0.254. It should allow TCP and UDP packets....
>
>
> Cheers
>
> Marcel Malin
--
Michael Kjörling -- Programmer/Network administrator ^..^
Internet: michael at kjorling.com -- FidoNet: 2:204/254.4 \/
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e
"There is something to be said about not trying to be glamorous
and popular and cool. Just be real -- and life will be real."
(Joyce Sequichie Hifler, September 13 2001, www.hifler.com)
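The rule-by-rule reading in the reply above can be done mechanically. The following is an added example, not part of the original post: a Python script that parses the subset of `ipchains -A` syntax used in the quoted script and lists where a rule matches by exclusion. The names `parse_rule` and `review` and the third rule in `RULES` are assumptions made for illustration.

```python
import shlex

SIDES = {"-s": "source", "-d": "destination"}
NAMES = {"-A": "chain", "-i": "iface", "-j": "target"}

def parse_rule(line):
    """Parse one 'ipchains -A ...' command (subset: -A -i -s -d -p -j)."""
    tok = shlex.split(line)
    rule, i = {}, 1                      # tok[0] is the ipchains binary
    while i < len(tok):
        opt, i = tok[i], i + 1
        neg = tok[i] == "!"              # '!' inverts the address or protocol
        if neg:
            i += 1
        if opt in NAMES:
            rule[NAMES[opt]] = tok[i]
        elif opt == "-p":
            rule["proto"] = {"name": tok[i], "negated": neg}
        elif opt in SIDES:
            spec = {"addr": tok[i], "negated": neg, "ports": None}
            # An optional port or port range follows the address.
            if i + 1 < len(tok) and not tok[i + 1].startswith("-"):
                i += 1
                spec["ports"] = tok[i]
            rule[SIDES[opt]] = spec
        else:
            raise ValueError(f"unsupported option: {opt}")
        i += 1
    return rule

def review(rule):
    """List the places where the rule matches by exclusion."""
    findings = []
    proto = rule.get("proto")
    if proto is None or proto["negated"] or proto["name"] not in ("tcp", "udp"):
        findings.append("protocol is not pinned to tcp or udp")
    for side in SIDES.values():
        spec = rule.get(side)
        if spec and spec["negated"]:
            findings.append(f"{side} matches every address except {spec['addr']}")
    return findings

RULES = [
    # The two rules from the quoted script, with the e-mail line wraps joined.
    "/sbin/ipchains -A input -i eth0 -s ! 192.168.0.254 1024:65535 -d 194.208.60.10 53 -p ! icmp -j ACCEPT",
    "/sbin/ipchains -A output -i eth0 -s 194.208.60.10 53 -d ! 192.168.0.254 1024:65535 -p ! icmp -j ACCEPT",
    # Constructed for comparison: one explicit protocol, no negation.
    "/sbin/ipchains -A input -i eth0 -p udp -d 194.208.60.10 53 -j ACCEPT",
]
```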
More information about the bind-users
mailing list