"Eugene van Zyl" <[EMAIL PROTECTED]> writes:

> What's wrong with the following ruleset that I can't do any DNS
> lookups from the firewallhost ?
>
> $IPCHAINS -P input ACCEPT
> $IPCHAINS -P forward ACCEPT
> $IPCHAINS -P output ACCEPT

Maybe this is just for testing purposes, but the "best practices" say to
DENY by policy and then allow the stuff you want.

> $IPCHAINS -A input -s $Any -d $localnet -j DENY

Really, with the policy you have set up above, this is the only rule that
means anything. All the others are just confirming policy.

I highly recommend _Linux Firewalls_ by Robert L. Ziegler (New Riders
Press). This book has saved my keister several times. Here's his
recommendation for DNS client to server based on a DENY everything policy:

ipchains -A output -i $ext_interface -p udp -s $your_ip_address $unprivileged_ports -d $nameserver_ip 53 -j ACCEPT
ipchains -A input -i $external_interface -p udp -s $nameserver_ip 53 -d $your_ip_address $unprivileged_ports -j ACCEPT

-- 
 (__)   Doug Alcorn <[EMAIL PROTECTED]> http://www.lathi.net AIM:lathinet
 oo /   PGP 02B3 1E26 BCF2 9AAF 93F1 61D7 450C B264 3E63 D543
 |_/    If you're a capitalist and you have the best goods and they're free,
        you don't have to proselytize, you just have to wait.
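The default-DENY policy plus the two DNS client rules from the reply, assembled into a small script as an added example (not code from the original post or from Ziegler's book). The interface name, host address and nameserver address are placeholders, and IPCHAINS defaults to echo so the rules are printed rather than loaded.

```shell
#!/bin/sh
# Added example: default-DENY ipchains policy, then explicit ACCEPT rules
# so this host can still act as a DNS client. Set IPCHAINS=/sbin/ipchains
# on a real 2.2-era box; the default of "echo" only prints the commands.
IPCHAINS="${IPCHAINS:-echo}"
EXT_IF="${EXT_IF:-eth0}"                 # placeholder external interface
MY_IP="${MY_IP:-192.0.2.10}"             # placeholder host address
NAMESERVER="${NAMESERVER:-192.0.2.53}"   # placeholder resolver address
UNPRIV="1024:65535"                      # unprivileged client source ports

# Flush the chains and set every policy to DENY, so nothing passes unless
# an ACCEPT rule added afterwards matches it.
set_default_deny() {
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY
}

# Under a DENY policy both directions need a rule: the UDP query from our
# unprivileged port to the resolver's port 53, and the reply coming back.
allow_dns_client() {
    $IPCHAINS -A output -i "$EXT_IF" -p udp -s "$MY_IP" "$UNPRIV" \
        -d "$NAMESERVER" 53 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s "$NAMESERVER" 53 \
        -d "$MY_IP" "$UNPRIV" -j ACCEPT
}

# In dry-run mode, count the ACCEPT rules the DNS function emits.
dns_rule_count() {
    allow_dns_client | grep -c -- '-j ACCEPT'
}
```

Run with IPCHAINS unset first to review the printed rules, then point it at the real binary once the output looks right.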

