Re: [cobalt-security] Ipchains and dns
- Subject: Re: [cobalt-security] Ipchains and dns
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 16 Apr 2003 20:00:17 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Robbert,
> # DNS server (persistent connections); -y matches only TCP SYN, i.e. new connections
> /sbin/ipchains -A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
>
> # allow dns - standard (ordinary queries over UDP)
> /sbin/ipchains -A input -p udp -s 0/0 -d 0/0 53 -j ACCEPT
>
> Running the above in a firewall script makes it impossible to use that dns
> server.....
You do not really use "-d 0/0 " in your firewall, do you? It ought to be the IP
address range and netmask of your network or IP address and netmask of your
local DNS server. I assume you just obscured the real network address for
your posting of the message in public, but I'd rather ask anyway.
For an iptables based firewall (RaQ550) I use the following settings:
# $IPTABLES, $REMOTENET, $EXTERNALIP and the PUBLIC chain are set earlier in the script
if [ "$ALLOW_ZONE_TRANSFERS" = "YES" ]; then
    # zone transfers run over TCP, so open both protocols
    $IPTABLES -A INPUT -p tcp -s $REMOTENET -d $EXTERNALIP --dport 53 -j PUBLIC
    $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 53 -j PUBLIC
else
    # ordinary queries only: UDP
    $IPTABLES -A INPUT -p udp -s $REMOTENET -d $EXTERNALIP --dport 53 -j PUBLIC
fi
For ipchains I use this chain instead:
# ipchains syntax: the port follows the destination address instead of --dport
$IPCHAINS -A input -p tcp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
$IPCHAINS -A input -p udp -s $REMOTENET -d $LOCALNET 53 -j ACCEPT
So far I've had no issues on boxes with that setup and zone transfers seem to
work (if enabled in the GUI for the DNS).
--
With best regards,
Michael Stauber
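The rule set Michael describes, as an added example that is not his script or Cobalt's firewall code. It generates the port-53 INPUT rules in either the iptables or the ipchains syntax from the message, opens TCP only when ALLOW_ZONE_TRANSFERS is YES, and refuses to run with the wildcard destination he warns against. The variable names REMOTENET, LOCALNET, FW_STYLE and FW_CMD, the PUBLIC chain and the 192.0.2.10 address are assumptions; FW_CMD defaults to echo so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not the firewall script from the message. FW_CMD defaults to
# "echo" (dry run): the rules are printed, not applied, so no root or
# netfilter is needed. Set FW_CMD=/sbin/iptables (or /sbin/ipchains with
# FW_STYLE=ipchains) to apply them for real. The PUBLIC chain and the
# variable names follow the message; the address is a documentation
# (RFC 5737) placeholder, not a real host.

FW_STYLE="${FW_STYLE:-iptables}"        # "iptables" or "ipchains"
FW_CMD="${FW_CMD:-echo}"
REMOTENET="${REMOTENET:-0/0}"           # who may query: anyone
LOCALNET="${LOCALNET:-192.0.2.10/32}"   # the DNS server's own address, never 0/0

# dns_rule PROTO: emit one accept rule for PROTO (tcp|udp) to port 53.
# ipchains puts the port after the destination address and uses the
# lower-case "input" chain with ACCEPT; iptables uses --dport and jumps
# to the PUBLIC chain as in the message.
dns_rule() {
    case "$FW_STYLE" in
        ipchains)
            $FW_CMD -A input -p "$1" -s "$REMOTENET" -d "$LOCALNET" 53 -j ACCEPT ;;
        iptables)
            $FW_CMD -A INPUT -p "$1" -s "$REMOTENET" -d "$LOCALNET" --dport 53 -j PUBLIC ;;
        *)
            echo "unknown FW_STYLE: $FW_STYLE" >&2
            return 1 ;;
    esac
}

# dns_rules ALLOW_ZONE_TRANSFERS: UDP is always opened for ordinary
# queries; TCP only when zone transfers are wanted (YES), as in the message.
dns_rules() {
    dns_rule udp
    if [ "$1" = "YES" ]; then
        dns_rule tcp
    fi
}

# count_rules ALLOW_ZONE_TRANSFERS: number of rules dns_rules emits in
# dry-run mode (one printed line per rule).
count_rules() {
    ( FW_CMD=echo; dns_rules "$1" ) | wc -l | tr -d ' '
}

# uses_wildcard_dst: succeeds (0) when LOCALNET is the catch-all destination
# the message warns against, so the script can refuse to apply such rules.
uses_wildcard_dst() {
    case "$LOCALNET" in
        0/0|0.0.0.0/0) return 0 ;;
        *) return 1 ;;
    esac
}

if uses_wildcard_dst; then
    echo "refusing: LOCALNET is a wildcard, set it to the DNS server's address" >&2
else
    dns_rules "${ALLOW_ZONE_TRANSFERS:-NO}"
fi
```

Run it as is to see the iptables rules printed, or `FW_STYLE=ipchains ALLOW_ZONE_TRANSFERS=YES sh dnsrules.sh` for the ipchains pair. One caveat on the UDP-only default: resolvers retry over TCP when a UDP answer comes back truncated (TC bit set), so a server that publishes large records can need TCP 53 open even with zone transfers disabled.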