Hi John-Paul,
Is there any specific reason why you're using Ipchains instead of Iptables?
Iptables uses stateful inspection. I think this might be part of the
reason why you are having trouble with the configuration of ipchains.

I would suggest putting an ipchains rule at the bottom of your rulebase to
drop and log everything. Go through the log and see why nothing is coming back
to you.

Regards

LK

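One way to go through such a log, added here as an example and not code from anyone in this thread: it parses the kernel "Packet log:" lines that ipchains' -l logging option writes (the field layout is assumed; the sample lines, hosts and rule numbers are constructed) and says what each dropped packet means for a name server behind a stateless filter, including replies from a remote port 53 back to a local high port, which is the case the quoted tcpdump output points at.

```python
import re
from collections import Counter

# Constructed sample syslog lines; the ipchains "Packet log:" layout is assumed as
# "<chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ... (#<rule>)". Hosts and rule numbers are made up.
SAMPLE_LOG = """\
Sep 29 16:40:01 ns1 kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:1029 203.0.113.5:53 L=60 S=0x00 I=0 F=0x0000 T=64 (#12)
Sep 29 16:40:02 ns1 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:1030 203.0.113.5:53 L=60 S=0x00 I=0 F=0x0000 T=64 (#12)
Sep 29 16:40:05 ns1 kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:53 203.0.113.5:3219 L=60 S=0x00 I=0 F=0x0000 T=64 (#12)
Sep 29 16:40:07 ns1 kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.7:3 203.0.113.5:3 L=60 S=0x00 I=0 F=0x0000 T=64 (#12)
Sep 29 16:40:08 ns1 sshd[412]: Accepted publickey for admin from 203.0.113.9
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_ipchains_log(text):
    """Return one dict per 'Packet log:' line; unrelated syslog lines are skipped."""
    entries = []
    for m in filter(None, map(LOG_RE.search, text.splitlines())):
        e = m.groupdict()
        for k in ("proto", "sport", "dport", "rule"):
            e[k] = int(e[k])
        e["proto_name"] = PROTO_NAMES.get(e["proto"], str(e["proto"]))
        entries.append(e)
    return entries

def classify_dns_drop(e):
    """Say what a dropped packet means for a name server behind a stateless filter."""
    if e["proto_name"] in ("udp", "tcp") and e["dport"] == 53:
        return "query to our port 53 dropped: input needs ACCEPT for %s dport 53" % e["proto_name"]
    if e["proto_name"] == "udp" and e["sport"] == 53:
        return "remote server's reply to our high port dropped: input needs ACCEPT for udp sport 53"
    if e["proto_name"] == "icmp":
        return "icmp dropped: port-unreachable and similar error reports will be lost"
    return "not dns related"

def summarize_drops(text):
    """Count drops per (chain, proto, dport) and keep the diagnosis of the first one seen."""
    counts, diag = Counter(), {}
    for e in parse_ipchains_log(text):
        key = (e["chain"], e["proto_name"], e["dport"])
        counts[key] += 1
        diag.setdefault(key, classify_dns_drop(e))
    return {k: (n, diag[k]) for k, n in counts.items()}
```

Run it over /var/log/messages once the catch-all log rule is in place; any "query to our port 53" entries mean the ACCEPT rules are missing or sit below the deny.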
-----Original Message-----
From: john-paul delaney [mailto:[EMAIL PROTECTED]] 
Sent: 29 September 2002 16:54
To: [EMAIL PROTECTED]
Subject: Re: 7.3 upgrade: Bind fails when ipchains enabled.


I'm still having difficulty with nslookup from another machine and domain
transfer even though I've opened up ports UDP 53 and TCP 53.  If I turn off
ipchains completely, then all works ok.  Anybody know what other ports /
protocols I should be looking at?

I'm new to ipchains.  I've just enabled the medium security option using
lokkit, and added input port 53 as mentioned above.

Any advice would be welcome - I'd like to avoid turning off the firewall
completely!

thanks
/j-p.


On Fri, 27 Sep 2002, Mike Burger wrote:

> The outgoing port is always going to be something higher...the destination
> port is 53.
> 
> On Fri, 27 Sep 2002, john-paul delaney wrote:
> 
> > Thanks Mike... I've turned on 53/tcp (as well as 53/udp) as you 
> > suggest and will force a reload to test.  I still have a problem 
> > with lookups from the internet, as in the following tcpdump extract:
> > 
> > - > justatest.com.domain:  12+ A? linuxdoc.org. (30) 05:53:27.724911 
> > justatest.com > ppp-233-153.24-151.libero.it: icmp: justatest.com 
> > udp port domain unreachable [tos 0xc0]
> > 
> > At times tcpdump gives the port number (usually a 3xxx number).  
> > However it changes each time the named process is restarted.
> > 
> > Again, if I open up the firewall everything is ok.  I added to the 
> > input chain to allow all icmp packets through but it didn't help any.
> > 
> > Any further guidance is greatly appreciated,
> > /j-p.
> > 
> > > For zone transfers, you need to open up port 53/tcp in your 
> > > firewall.
> > > 53/udp is strictly for lookups.
> > 
> > > > After upgrading from rh7.0 to 7.3, I've found that Bind doesn't 
> > > > work for zone updates (I'm using a hidden primary nameserver 
> > > > which refreshes secondary.com nameservers) nor the dig command 
> > > > from the internet even though I had allowed incoming traffic to 
> > > > port 53 (I'm new to ipchains too).  All outbound traffic is 
> > > > accepted.
> > > > 
> > > > Running tcpdump, I kept getting an error "UDP port domain 
> > > > unreachable".  It was only when I completely turned off ipchains 
> > > > (eek!) that everything cleared up and Bind worked again.
-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list