On Tue, May 08, 2001 at 09:45:39AM +0200, Lars Hallberg wrote:
> Hello again
>
> I have this in my fw rules to allow access to a nameserver
> inside my net (it will be moved to a DMZ later).
>
> iptables -A FORWARD $v -i $INTER -o $INTRA -p udp
> --destination-port domain -d hygglo2.gdpc.se -j ACCEPT

I assume $INTER is your interface on the "Internet" side of the
firewall, $INTRA is the interface on the internal network and
hygglo2.gdpc.se is your DNS server on the internal network.

> (all the used domain names are specified in /etc/hosts so the fw
> can go up before the net).
>
> It works as far as I can look up names from remote sites. But
> zone transfers don't seem to work and the DNS server crashed
> mysteriously last night so something might annoy it :-/

You need TCP port 53 for zone transfers (and also other large DNS
queries AFAIK.)

> Are there any more ports that need to be open for a fully
> working DNS server? Is there some kind of cookbook for what
> ports different services use?
>
> I have got pretty far by looking into /etc/services and guessing
> ;-) but it doesn't feel all that secure :-/

Just one thing to bear in mind...

If your DNS server has a remote root exploit, your firewall's not going
to help one bit. Make sure your DNS server is up to date, running as an
unprivileged user and possibly chrooted too.

-- 
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
[EMAIL PROTECTED] | Fax: +27 21 761 9930 | Kingsley Technologies
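The rule set the reply is pointing at, as an added example (not from either poster): the original UDP/53 FORWARD rule beside the TCP/53 rule that zone transfers and oversized answers need, plus a stateful rule so only replies leave the internal side. It assumes the same $INTER/$INTRA interface variables and an iptables with the "state" match; DRY_RUN=1 (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: FORWARD rules for an internal DNS server reachable from the
# Internet. INTER/INTRA/DNS default values are assumptions; override them.
INTER="${INTER:-eth0}"
INTRA="${INTRA:-eth1}"
DNS="${DNS:-hygglo2.gdpc.se}"
DRY_RUN="${DRY_RUN:-1}"

# run_rule: print the rule in dry-run mode, otherwise hand it to iptables
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# dns_rules: the original rule only allowed UDP/53, which is enough for
# ordinary lookups. Zone transfers (AXFR) and answers too large for a UDP
# datagram use TCP/53, so that has to be allowed too. Only traffic addressed
# to the DNS host is accepted, and only tracked replies are let back out.
dns_rules() {
    # queries from the Internet to the DNS server: UDP and TCP port 53
    run_rule -A FORWARD -i "$INTER" -o "$INTRA" -p udp --dport 53 -d "$DNS" -j ACCEPT
    run_rule -A FORWARD -i "$INTER" -o "$INTRA" -p tcp --dport 53 -d "$DNS" -j ACCEPT
    # replies only: packets belonging to a connection the rules above accepted
    run_rule -A FORWARD -i "$INTRA" -o "$INTER" -s "$DNS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

dns_rules
```

Run with DRY_RUN=0 as root to apply the rules; the firewall does nothing about a vulnerable name server behind it, which is the reply's closing point.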

