martin f krafft wrote:
> I have a firewall which allows ESTABLISHED,RELATED packets on INPUT,
> and port 53/udp on OUTPUT. Now, if I query for a DNS name, the
> packet leaves the machine, but the reply is usually dropped:
>
> [INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42
> LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53
> DPT=16468 LEN=48
>
> Here are the relevant rules:
>
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -m conntrack --ctstate INVALID -j DROP
>
> -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[INPUT]: "
>
> -P INPUT DROP
>
> I always have to add specific udp sport rules for all nameservers,
> which is a pain, and which should not be required.
>
As a quickie I applied this subset of the INPUT rules on my workstation and everything seemed to work as expected.
I am guessing the problem is elsewhere. What does /proc/net/ip_conntrack say the kernel is expecting?
Cheers,
Blair
--
How much SPAM would CAN-SPAM can if CAN-SPAM could can SPAM?
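As an added example (not from the thread), a small POSIX sh helper that does the check Blair suggests: it pulls the tuple out of the logged packet and looks for a conntrack entry whose reply direction matches it. The sample LOG line and conntrack entries below are constructed; the conntrack line layout assumed is the one /proc/net/ip_conntrack used on 2.4/2.6 kernels.

```shell
#!/bin/sh
# Constructed sample input: the LOG line quoted in the thread, and the
# entry /proc/net/ip_conntrack would hold for the outgoing DNS query
# (the second src/dst/sport/dport group is the reply the kernel expects).
LOG_LINE='[INPUT]: IN=ppp0 OUT= MAC= SRC=217.232.161.91 DST=62.159.154.42 LEN=68 TOS=0x00 PREC=0x00 TTL=58 ID=9949 PROTO=UDP SPT=53 DPT=16468 LEN=48'
CONNTRACK='udp      17 25 src=62.159.154.42 dst=217.232.161.91 sport=16468 dport=53 [UNREPLIED] src=217.232.161.91 dst=62.159.154.42 sport=53 dport=16468 use=1
tcp      6 431999 ESTABLISHED src=62.159.154.42 dst=10.0.0.1 sport=40000 dport=22 src=10.0.0.1 dst=62.159.154.42 sport=22 dport=40000 use=1'

# log_field LINE KEY: print the value of KEY=... from an iptables LOG line.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# reply_is_tracked LINE TABLE: exit 0 if the logged inbound packet matches
# the reply tuple of a conntrack entry (so --ctstate ESTABLISHED should
# have accepted it), exit 1 if conntrack holds no matching flow.
reply_is_tracked() {
    rt_proto=$(log_field "$1" PROTO | tr 'A-Z' 'a-z')
    rt_src=$(log_field "$1" SRC); rt_dst=$(log_field "$1" DST)
    rt_spt=$(log_field "$1" SPT); rt_dpt=$(log_field "$1" DPT)
    printf '%s\n' "$2" | awk -v p="$rt_proto" -v s="$rt_src" -v d="$rt_dst" \
                             -v sp="$rt_spt" -v dp="$rt_dpt" '
        $1 == p {
            n = 0; rs = rd = rsp = rdp = ""
            # The second src= field starts the reply-direction tuple.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^src=/ && ++n == 2) {
                    rs = $i; rd = $(i+1); rsp = $(i+2); rdp = $(i+3)
                }
            if (rs == "src=" s && rd == "dst=" d &&
                rsp == "sport=" sp && rdp == "dport=" dp) found = 1
        }
        END { exit found ? 0 : 1 }'
}

if reply_is_tracked "$LOG_LINE" "$CONNTRACK"; then
    echo "conntrack expects this reply: check rule order, not sport rules"
else
    echo "no matching flow: the query was never tracked, or already timed out"
fi
```

On a live box run `reply_is_tracked "$line" "$(cat /proc/net/ip_conntrack)"` (newer kernels expose the table as /proc/net/nf_conntrack or via `conntrack -L`, with a different first column, so the `$1 == p` test would need adjusting). A match means the reply was ESTABLISHED when it arrived and the drop must come from rule order; no match means the outgoing query was not tracked, for example because the short UDP timeout expired first.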