Allow named-xfer's through firewalls
James A Griffin
agriffin at cpcug.org
Sat May 5 15:31:52 UTC 2001
Derek Balling wrote:
>
> So I'm trying to figure out what the deal is. My secondary was unable
> to retrieve axfr's even though I'd enabled unfettered access to port
> 53 via udp or tcp.
>
> So I did some digging and found that the named-xfer requests (he runs
> 8.2.3, I run 9.1.x) were going from high-port to high-port, on
> essentially random ports.
>
> So I had to open up "all traffic" from the secondary's IP address.
> It's interesting to note that my OTHER secondary, is ALSO running
> 8.2.3 (I think), without any problem.
>
> What am I (or the secondary with issues) doing wrong, and how can it be fixed?
>
What is the 16th rule in the "input" chain? Protocol 17 is UDP, but
transfers use TCP. Are you sure that you have your firewall rules set
properly?
Jim
> D
>
> Filtered packets:
>
> May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17
> 207.7.10.2:45283 64.71.143.244:33471 L=40 S=0x00 I=45320 F=0x0000 T=1
> (#16)
> May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17
> 207.7.10.2:45283 64.71.143.244:33472 L=40 S=0x00 I=45321 F=0x0000 T=1
> (#16)
> May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17
> 207.7.10.2:45283 64.71.143.244:33473 L=40 S=0x00 I=45322 F=0x0000 T=1
> (#16)
>
> --
> +---------------------+-----------------------------------------+
> | dredd at megacity.org | "Conan! What is best in life?" |
> | Derek J. Balling | "To crush your enemies, see them |
> | | driven before you, and to hear the |
> | | lamentation of their women!" |
> +---------------------+-----------------------------------------+
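Added illustration of Jim's point (editor's example, not code from either poster): a small Python triage of ipchains "Packet log:" lines like the ones quoted above. It decodes the fields (PROTO is the IP protocol number, L the packet length, T the TTL, (#n) the number of the matching rule) and asks of each rejected packet whether it belongs to a zone-transfer flow at all. A zone transfer is a TCP connection from an ephemeral port on the secondary to port 53 on the master (in BIND 8 the named-xfer process is that TCP client), so a rule that rejects UDP aimed at high ports cannot be what stopped the AXFR. UDP to destination ports 33434 and up is instead the classic Unix traceroute probe pattern, which is what the three logged packets look like. Assumptions: 64.71.143.244 (minbar) is taken as the master and 207.7.10.2 as the secondary; the first three sample lines are the quoted ones rejoined onto single lines, and the fourth is constructed here to show what a reject that really would break AXFR looks like.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# ipchains (Linux 2.2) "Packet log:" format:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
DNS_PORT = 53
# Destination ports used by classic UDP traceroute probes (base 33434).
TRACEROUTE_PORTS = range(33434, 33535)

# Assumed roles for the addresses in the quoted log (not stated in the post).
MASTER = "64.71.143.244"     # minbar, the host doing the logging
SECONDARY = "207.7.10.2"     # the secondary that could not transfer

# The quoted log lines rejoined onto single lines, plus one constructed
# TCP/53 reject (the last one) for contrast.
SAMPLE_LOG = [
    "May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17 207.7.10.2:45283 64.71.143.244:33471 L=40 S=0x00 I=45320 F=0x0000 T=1 (#16)",
    "May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17 207.7.10.2:45283 64.71.143.244:33472 L=40 S=0x00 I=45321 F=0x0000 T=1 (#16)",
    "May 4 20:21:10 minbar kernel: Packet log: input REJECT eth0 PROTO=17 207.7.10.2:45283 64.71.143.244:33473 L=40 S=0x00 I=45322 F=0x0000 T=1 (#16)",
    # constructed: what a reject that actually breaks AXFR would look like
    "May 4 20:22:01 minbar kernel: Packet log: input REJECT eth0 PROTO=6 207.7.10.2:1034 64.71.143.244:53 L=60 S=0x00 I=12345 F=0x4000 T=51 (#16)",
]


@dataclass(frozen=True)
class LogEntry:
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    rule: int


def parse_line(line: str) -> Optional[LogEntry]:
    """Decode one ipchains 'Packet log:' line; None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return LogEntry(
        chain=g["chain"], verdict=g["verdict"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), ttl=int(g["ttl"]),
        rule=int(g["rule"]),
    )


def blocks_zone_transfer(e: LogEntry, master: str, secondary: str) -> bool:
    """True if this rejected packet is part of an AXFR/IXFR flow.

    A zone transfer is TCP from an ephemeral port on the secondary to
    master:53; replies come back from master:53 to that ephemeral port.
    """
    if e.proto != 6:
        return False
    to_master = e.src == secondary and e.dst == master and e.dport == DNS_PORT
    from_master = e.src == master and e.dst == secondary and e.sport == DNS_PORT
    return to_master or from_master


def looks_like_udp_traceroute(e: LogEntry) -> bool:
    """UDP to the 33434+ port range is the classic traceroute probe signature."""
    return e.proto == 17 and e.dport in TRACEROUTE_PORTS


def classify(e: LogEntry, master: str, secondary: str) -> str:
    if blocks_zone_transfer(e, master, secondary):
        return "zone-transfer traffic: this rule breaks AXFR"
    if looks_like_udp_traceroute(e):
        return "udp traceroute probe: unrelated to AXFR"
    return "other"


def triage(lines: list[str], master: str, secondary: str) -> list[tuple[str, str]]:
    """Return (one-line summary, classification) for each parseable log line."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        proto = PROTO_NAMES.get(e.proto, str(e.proto))
        summary = (f"rule #{e.rule} {e.verdict} {proto} "
                   f"{e.src}:{e.sport} -> {e.dst}:{e.dport} ttl={e.ttl}")
        out.append((summary, classify(e, master, secondary)))
    return out


if __name__ == "__main__":
    for summary, verdict in triage(SAMPLE_LOG, MASTER, SECONDARY):
        print(f"{summary:62} {verdict}")
```

Run against the quoted lines it reports the three PROTO=17 rejects as UDP traceroute probes and only the constructed PROTO=6 line to port 53 as something that would stop a transfer; the rule to inspect is therefore whether chain "input" has an ACCEPT for TCP to port 53 from the secondary before rule #16, not whether UDP high ports are open.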