The IPFW Firewall Rules for a bind DNS are Confusing me.
Martin McCormick
martin at dc.cis.okstate.edu
Fri Jul 27 10:30:36 UTC 2007
Mark Andrews writes:
> No. You need to allow the reply traffic.
>
> Traffic from outside
>
> > ${fwcmd} add pass all from any to ${ip} 53
> ${fwcmd} add pass all from ${ip} 53 to any # allow reply traffic
>
> Traffic you generate
>
> > ${fwcmd} add pass all from ${ip} to any 53
> ${fwcmd} add pass all from any 53 to ${ip} # allow reply traffic
>
> Note I would lock down the query source port and
> add it to "${ip}" -> "${ip} port" or use keep-state and drop
> the second rule. If you use query-source port 53 you
> can get away with just the first two rules.
That makes sense. I discovered after posting my original
question that I also had failed to put the address of the new
DNS in the notify list of the master which made yet a second
problem which is totally unrelated to connectivity. I thought I
had multiple problems working in series to mess things up.
Thanks very much as always.
Martin McCormick
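The stateful variant Mark describes (keep-state instead of the explicit reply rules), written out as an added example for this thread rather than anything either poster supplied. The function name `dns_rules`, the `FWCMD` and `NS_IP` variables, and the address 192.0.2.53 are assumptions for illustration; `fwcmd` defaults to a dry run that only prints the rules, so the fragment can be reviewed before it is ever loaded with the real `ipfw`.

```shell
# Added example (not from the thread): stateful IPFW rules for a BIND host.
# FWCMD defaults to a dry run that prints the rules instead of loading them;
# set FWCMD=ipfw on the FreeBSD box itself. NS_IP is the name server's address
# (192.0.2.53 is a constructed documentation address, not a real host).
fwcmd="${FWCMD:-echo ipfw}"
ip="${NS_IP:-192.0.2.53}"

dns_rules() {
    # Consult the dynamic rule table first so that replies to sessions
    # already recorded by keep-state are admitted without further rules.
    ${fwcmd} add check-state

    # Queries arriving from outside. keep-state records the flow, so the
    # answer from ${ip} port 53 back to the client needs no separate rule.
    ${fwcmd} add pass udp from any to "${ip}" 53 keep-state
    ${fwcmd} add pass tcp from any to "${ip}" 53 setup keep-state

    # Queries this server generates (recursion, zone transfers, notifies).
    # Again the reply from the remote port 53 is matched by the dynamic rule,
    # whatever unprivileged source port named chose for the query.
    ${fwcmd} add pass udp from "${ip}" to any 53 keep-state
    ${fwcmd} add pass tcp from "${ip}" to any 53 setup keep-state
}

dns_rules
```

Restricting the rules to udp and tcp rather than `all` keeps the opening as narrow as DNS actually needs. If named is instead pinned with `query-source port 53`, the two stateless "from ... 53" rules in the thread are enough, as Mark notes; the stateful form is what lets you leave the query source port unpinned without having to open every high port for replies.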