On Wed, 21 Jul 1999, Glynn Clements wrote:
> You have to allow the DNS server to send and receive TCP and UDP
> packets on its query port. If you're using BIND-8.*, add e.g.
>
> options {
> query-source address * port 54;
> };
>
> to named.conf. For BIND-4.*, named uses port 53 for making queries.
>
> NB: you should be running a DNS server inside the firewall rather than
> allowing all hosts to perform external DNS lookups.
I'm running bind-4.9.6-11
I have the following script to set up the firewall:
--- firewall.sh ---
FW=/sbin/ipfwadm
LOCALHOST="linux.mydomain.com.mx"
IFEXTERN="aa.bb.cc.dd"
IFINTERN="192.168.0.20"
LOCALNET="192.168.0.0/255.255.0.0"
ANYWHERE="0.0.0.0/0"
UNPRIVPORTS="1024:65535"

# flush the input, output and forwarding chains
for i in I O F
do
${FW} -$i -f
done

# default policy for all three chains: deny
${FW} -I -p deny
${FW} -O -p deny
${FW} -F -p deny

# anti-spoofing: drop packets arriving on the external interface that claim
# to come from the internal network or from our own external address
${FW} -I -a deny -V $IFEXTERN -S $LOCALNET -D $ANYWHERE
${FW} -I -a deny -V $IFEXTERN -S $IFEXTERN -D $ANYWHERE

# everything on the internal interface is allowed
${FW} -I -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE
${FW} -O -a accept -V $IFINTERN -S $ANYWHERE -D $ANYWHERE

# ICMP in all directions
${FW} -I -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
${FW} -O -a accept -P icmp -S $ANYWHERE -D $ANYWHERE
${FW} -F -a accept -P icmp -S $ANYWHERE -D $ANYWHERE

# services offered by the firewall host itself (-k: only TCP packets with ACK set)
${FW} -I -a accept -P tcp -S $ANYWHERE -D $LOCALHOST smtp ftp www domain ident
${FW} -I -a accept -P udp -S $ANYWHERE -D $LOCALHOST domain
${FW} -I -a accept -k -P tcp -S $ANYWHERE -D $LOCALHOST ftp-data ident
${FW} -O -a accept -P tcp -S $LOCALHOST smtp ftp ftp-data www domain ident -D $ANYWHERE
${FW} -O -a accept -P udp -S $LOCALHOST domain -D $ANYWHERE

# outgoing client connections from unprivileged ports
${FW} -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS -D $ANYWHERE smtp ftp-data www telnet gopher domain ident
${FW} -O -a accept -P tcp -S $IFEXTERN $UNPRIVPORTS -D $ANYWHERE smtp ftp ftp-data www telnet gopher domain ident
${FW} -O -a accept -P udp -S $LOCALHOST $UNPRIVPORTS -D $ANYWHERE domain
${FW} -O -a accept -P tcp -S $LOCALNET $UNPRIVPORTS -D $ANYWHERE ftp ftp-data www telnet gopher ident

# replies to those client connections
${FW} -I -a accept -k -P tcp -S $ANYWHERE ftp www telnet gopher domain ident -D $LOCALNET $UNPRIVPORTS
${FW} -I -a accept -k -P tcp -S $ANYWHERE ftp www telnet gopher domain ident -D $IFEXTERN $UNPRIVPORTS
${FW} -I -a accept -P tcp -S $ANYWHERE ftp-data ident -D $LOCALNET $UNPRIVPORTS
${FW} -I -a accept -P tcp -S $ANYWHERE ftp-data ident -D $IFEXTERN $UNPRIVPORTS

# forwarding for the internal network
${FW} -F -a accept -k -P tcp -S $ANYWHERE ftp www telnet gopher ident -D $LOCALNET $UNPRIVPORTS
${FW} -F -a accept -P tcp -S $ANYWHERE ftp-data ident -D $LOCALNET $UNPRIVPORTS
--- firewall.sh ---
Is there something wrong here?
Thanks, David
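As an added illustration (not part of the thread), the following Python model replays ipfwadm's first-match evaluation over the UDP rules from the script above, for the two query-source behaviours Glynn describes: BIND-4 querying from port 53 and BIND-8 querying from an unprivileged port. The external address, the upstream resolver address and the resolution of $LOCALHOST to the external address are constructed assumptions; interface (-V) matching is left out, so the model covers only traffic on the external interface.

```python
# Constructed model of ipfwadm first-match evaluation; not the poster's script.
import ipaddress

def net(s):
    return ipaddress.ip_network(s, strict=False)

ANY, LOCALNET = net("0.0.0.0/0"), net("192.168.0.0/255.255.0.0")
EXT = "203.0.113.20"          # assumed stand-in for aa.bb.cc.dd (and for $LOCALHOST)
RESOLVER = "198.51.100.1"     # assumed upstream name server
UNPRIV, DOMAIN = set(range(1024, 65536)), {53}

def rule(chain, action, proto=None, src=ANY, sports=None, dst=ANY, dports=None, ack_only=False):
    return dict(chain=chain, action=action, proto=proto, src=src, sports=sports,
                dst=dst, dports=dports, ack_only=ack_only)

# The script's rules that can match a UDP DNS packet, in the order they are loaded.
RULES = [
    rule("I", "accept", "udp", ANY, None, net(EXT), DOMAIN),    # -I -P udp -S $ANYWHERE -D $LOCALHOST domain
    rule("O", "accept", "udp", net(EXT), DOMAIN, ANY, None),    # -O -P udp -S $LOCALHOST domain -D $ANYWHERE
    rule("O", "accept", "udp", net(EXT), UNPRIV, ANY, DOMAIN),  # -O -P udp -S $LOCALHOST $UNPRIVPORTS -D $ANYWHERE domain
]
POLICY = "deny"               # -I/-O/-F -p deny

def matches(r, p):
    return (r["chain"] == p["chain"]
            and (r["proto"] is None or r["proto"] == p["proto"])
            and ipaddress.ip_address(p["src"]) in r["src"]
            and (r["sports"] is None or p["sport"] in r["sports"])
            and ipaddress.ip_address(p["dst"]) in r["dst"]
            and (r["dports"] is None or p["dport"] in r["dports"])
            and (not r["ack_only"] or p.get("ack", False)))

def verdict(p):
    """First matching rule in the packet's chain decides; otherwise the chain policy."""
    for r in RULES:
        if matches(r, p):
            return r["action"]
    return POLICY

def udp(chain, src, sport, dst, dport):
    return dict(chain=chain, proto="udp", src=src, sport=sport, dst=dst, dport=dport)

# BIND-4 style: the query leaves from port 53 and the reply comes back to port 53.
bind4_query = verdict(udp("O", EXT, 53, RESOLVER, 53))
bind4_reply = verdict(udp("I", RESOLVER, 53, EXT, 53))
# BIND-8 default: the query leaves from a random unprivileged port.
bind8_query = verdict(udp("O", EXT, 54321, RESOLVER, 53))
bind8_reply = verdict(udp("I", RESOLVER, 53, EXT, 54321))   # no -I udp rule reaches unprivileged ports
```

With a fixed query-source port such as the 54 in Glynn's example, one extra input rule for that port is enough to admit the replies; a random source port cannot be matched by a static rule set like this one.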