<reply below> --On July 26, 2008 9:24:23 AM -0500 Theo Wiegmann <[EMAIL PROTECTED]> wrote:

> Tom Eastep wrote:
>>> DNS/ACCEPT $FW net
>>> DNS/ACCEPT loc $FW
>>
>> Those rules are not affected by the recent bind upgrade.
>
> Thanks, Tom. That let me approach the problem from a different
> perspective. I figured out what I was doing wrong: I needed to remove
> an entry from the named.conf file:
>
> query-source port 53;
>
> Now, all queries are using randomized ports!

The Linux firewall is not rule-based but flow/state-based. When you accept an outgoing flow, the return packets are implicitly accepted. Thus an ACCEPT on port 53 outbound will implicitly match the reply packets coming back to the source port that was randomly selected. The same thing happens with HTTP, SSH, etc. (even though those are TCP and DNS is UDP, typically).

> Walter Wiegmann
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge Build the coolest Linux based applications with Moblin SDK &
> win great prizes Grand prize is a trip for two to an Open Source event
> anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
"Genius might be described as a supreme capacity for getting its possessors into trouble of all kinds." -- Samuel Butler
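As an added illustration of the flow/state point made in the reply above (example code written for this page, not from the thread, from Shorewall or from netfilter), a small model of conntrack-style matching: it shows why an outbound DNS ACCEPT still covers replies once named picks random source ports, while a port-only inbound rule would not. The addresses, port numbers and class names are constructed.

```python
# Constructed model of stateful vs. stateless filtering for the DNS case above.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

class StatefulFirewall:
    """Conntrack-style: an accepted outbound flow implicitly accepts its
    replies (the equivalent of netfilter's ESTABLISHED state)."""
    def __init__(self, accept_outbound_dports):
        self.accept_outbound_dports = set(accept_outbound_dports)
        self.flows = set()  # (proto, src, sport, dst, dport) of accepted flows

    def outbound(self, p):
        if p.dport in self.accept_outbound_dports:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        return "DROP"

    def inbound(self, p):
        # A reply is the recorded flow with addresses and ports swapped;
        # whatever source port the resolver chose is matched by the state.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        return "DROP"  # unsolicited packet: no matching flow

class StatelessFirewall:
    """Rule-only: inbound packets must hit an explicitly allowed port."""
    def __init__(self, accept_inbound_dports):
        self.accept_inbound_dports = set(accept_inbound_dports)

    def outbound(self, p):
        return "ACCEPT"

    def inbound(self, p):
        return "ACCEPT" if p.dport in self.accept_inbound_dports else "DROP"

def dns_exchange(fw, query_sport):
    """Send one DNS query from query_sport; return the verdict on its reply."""
    query = Packet("192.0.2.10", query_sport, "198.51.100.53", 53)
    reply = Packet("198.51.100.53", 53, "192.0.2.10", query_sport)
    if fw.outbound(query) != "ACCEPT":
        return "DROP"
    return fw.inbound(reply)
```

With `query-source port 53;` both models pass the reply; with a randomized source port only the stateful model does, which is why the Shorewall rules in the thread needed no change.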
