Re: postfix through TOR DNS.

2013-04-05 Thread Szalay Attila
Hi All!

On Fri, 2013-04-05 at 18:23 +0700, Sthu Deus wrote:
 
 I'm trying to make postfix resolving domain addresses through TOR
 service. And it works for other programs, like, say aptitude that
 resolves names then uses FTP connection or a browser - that goes to
 web through privoxy+TOR, but postfix keeps giving me

The question is what is the answer. Unlike the other examples which try
to resolv an A record the postfix is search for an MX record. And I'm
not really sure if this is supported by the TOR. But I do not know TOR
at all.


-- 
To UNSUBSCRIBE, email to debian-firewall-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1365190423.9048.19.camel@mochrul.balabit



Re: secured server policies

2008-11-08 Thread SZALAY Attila
On Sat, 2008-11-08 at 19:03 +, daniel wrote:
 Ansgar Wiechers wrote:
  On 2008-10-31 daniel wrote:
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
  
  You need TCP for fully functional DNS as well.
 Why do I need TCP for fully functional DNS?
 TCP must be used for zone transfers.
 See -- http://www.freesoft.org/CIE/Topics/77.htm

No, it's not exactly true.

You need TCP in the case when the answer is too big to fit in a UDP
packet. If this happens, the client should reconnect using TCP.

From RFC 1035:

4.2.1. UDP usage

Messages sent using UDP user server port 53 (decimal).

Messages carried by UDP are restricted to 512 bytes (not counting the IP
or UDP headers).  Longer messages are truncated and the TC bit is set in
the header.



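To make the RFC 1035 point concrete, here is an added example (not from the thread) that parses the 12-byte DNS header of a response and reports whether the TC bit is set, i.e. whether the client must reconnect over TCP port 53 and therefore needs the TCP rule the original filter lacked. The response headers are constructed inline; no network access is needed.

```python
import struct

# DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")
QR_BIT = 0x8000  # response flag
TC_BIT = 0x0200  # TrunCation flag: answer was cut to fit the 512-byte UDP limit
UDP_MAX = 512    # RFC 1035 section 4.2.1 limit for UDP messages (without EDNS0)


def parse_header(msg: bytes) -> dict:
    """Return the header fields of a DNS message as a dict."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(response: bytes) -> bool:
    """True when a UDP response is truncated and the client has to repeat the query over TCP."""
    hdr = parse_header(response)
    return hdr["qr"] and hdr["tc"]


def build_response(ident: int, answers: int, truncated: bool) -> bytes:
    """Constructed sample: a response header with QR set and optionally TC set (no body)."""
    flags = 0x8180 | (TC_BIT if truncated else 0)  # QR, RD, RA set, rcode 0
    return DNS_HEADER.pack(ident, flags, 1, answers, 0, 0)


# Constructed samples: an answer that fits in UDP, and one the server had to truncate.
SMALL_REPLY = build_response(0x1234, 1, truncated=False)
TRUNCATED_REPLY = build_response(0x1234, 30, truncated=True)

if __name__ == "__main__":
    for name, reply in (("small", SMALL_REPLY), ("truncated", TRUNCATED_REPLY)):
        verdict = "retry over TCP/53" if needs_tcp_retry(reply) else "UDP answer usable"
        print(f"{name}: {verdict}")
```

A resolver that sees the TC bit but is blocked from TCP port 53 by the firewall simply fails to get the full answer, which is the "not fully functional DNS" the thread is about.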


Re: ssh connection survives reboot of stateful iptables router

2006-07-11 Thread SZALAY Attila
Hi All!

On Tue, 2006-07-04 at 09:56 +0200, martin f krafft wrote:
 
 Many people have rules like
 
   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
   -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
 
 I've done research and found that
 
   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
   -A INPUT -m conntrack --ctstate INVALID -j DROP
   -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 
 is the same, meaning that the INVALID state matches all non-SYN
 packets at this point.

For the same, you must replace the second line with this:

-A INPUT -m conntrack --ctstate NEW ! --syn -j DROP

Or, to be sure, use both lines.





Re: where is tcp_syncookies

2002-05-24 Thread SZALAY Attila
Hi!

On Fri, 24 May 2002, sim ton wrote:
 i wnat to use tcp_syncookies with :
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
 ok ...
 but it's failed
 i would like to rebuild my kernel 2.4.18 but i didn't find it
 So where is this *[EMAIL PROTECTED]  tcp_syncookies ???
hey, we're writing 2002!
Debian is smart enough that it doesn't need any echo [01] > /proc/blah!
First, put syncookies support in the kernel (networking options, after
ECN), look at this:
[EMAIL PROTECTED]:~$ grep syn /etc/network/options
syncookies=yes
if you have the same, reboot and have fun with syncookie protection!

bstrgrds
-- 
Szalay Attila mrwas at cdata.hu
Linux System Administrator @ C-Data Bt.
Mobil: (20) 9 441 372

