you also might want to consider...
www.simonzone.com
he has a neat GPL firewall called Guarddog that is very easy to configure (GUI based). Just point and click to configure and you can output the rules it creates.
I've learnt a lot from studying its output.
Ben
Voytek wrote:
I'm trying to setup/config BIND on RH73 ( 'rh73 dns server' )
in below mssg, I'm talking about 3 dns hosts: 'rh73 dns server' - the one I'm trying to setup; 'test dns server' - what I'm using to test; 'old dns server' - my current dns server
BIND is running on 'rh73 dns server', but, I can not get any zones transferred to my 'test dns server'
when I try to get zones from the 'rh73 dns server', my 'test dns server' says: 'connection refused' (but, does transfer from 'old dns' OK)
I suspect I might be blocking BIND with my IPCHAINS firewall rules.
do I need an explicit rule in ipchains for bind, or does bind have some 'automatic' right..?
am I looking in the right place..?
I have:
/etc/sysconfig/ipchains (this is the file to look at, yes ?)
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 ntp -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
#-A input -s 0/0 -d 0/0 23 -p tcp -y -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
----
# service ipchains status returns this:
Chain input (policy ACCEPT):
target prot opt     source         destination   ports
ACCEPT udp  ------  203.28.234.5   0.0.0.0/0     53 -> 1025:65535
ACCEPT udp  ------  203.28.234.4   0.0.0.0/0     53 -> 1025:65535
ACCEPT udp  ------  127.0.0.1      0.0.0.0/0     53 -> 1025:65535
ACCEPT udp  ------  0.0.0.0/0      0.0.0.0/0     * -> 123
ACCEPT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 443
ACCEPT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 110
ACCEPT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 25
ACCEPT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 80
ACCEPT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 21
ACCEPT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 22
ACCEPT udp  ------  0.0.0.0/0      0.0.0.0/0     67:68 -> 67:68
ACCEPT udp  ------  0.0.0.0/0      0.0.0.0/0     67:68 -> 67:68
ACCEPT all  ------  0.0.0.0/0      0.0.0.0/0     n/a
REJECT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 0:1023
REJECT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 2049
REJECT udp  ------  0.0.0.0/0      0.0.0.0/0     * -> 0:1023
REJECT udp  ------  0.0.0.0/0      0.0.0.0/0     * -> 2049
REJECT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 6000:6009
REJECT tcp  -y----  0.0.0.0/0      0.0.0.0/0     * -> 7100
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
----
what creates the 'port 53' entries at the top ? (resolver ?) do I need anything in ipchains to allow port 53 connection ?
looking at syslog on 'rh73 dns server', it's timing out trying to reach the master dns server:
net.au/IN: refresh: failure trying master 203.42.34.53#53: timed out
l.com.au/IN: refresh: failure trying master 203.42.34.53#53: timed out
nfo/IN: refresh: failure trying master 203.42.34.53#53: timed out
nfo/IN: refresh: retry limit for master 203.42.34.53#53 exceeded
ch.com.au/IN: refresh: failure trying master 203.42.34.53#53: timed out
ch.com.au/IN: refresh: retry limit for master 203.42.34.53#53 exceeded
so, do I need to add something like:
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
in /etc/sysconfig/ipchains ??
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
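The following is an added example, not part of the SLUG thread and not code from either poster. It is a small simulator of ipchains first-match semantics for the `input` chain quoted above: it parses the posted `-A input ...` lines, runs a constructed TCP SYN to port 53 (the kind of connection a zone transfer opens) and a constructed UDP query through them, and shows which rule fires. It also shows why the position of an added port-53 ACCEPT rule matters (a rule appended after the `0:1023 REJECT` lines never gets a chance to match), and uses a source-restricted rule for the secondary rather than `-s 0/0`. The addresses 192.0.2.10, 192.0.2.53 and 198.51.100.7 are documentation addresses chosen for the example; the only ipchains options understood are those that appear in the posted rules.

```python
"""Added example (not from the original mailing-list post): ipchains 'input'
chain simulator for the rule set quoted in the thread.  Understands only
the options those rules use:
  -A <chain>, -s/-d <addr>[/<bits>] [<port>|<lo:hi>], -p <proto>,
  -i <iface>, -y (match SYN packets only), -j <target>.
All hosts, addresses and packets here are constructed, not from the page.
"""
import ipaddress
import shlex

# The '-A input' rules exactly as posted (comment lines omitted).
ORIGINAL_RULES = """\
-A input -s 0/0 -d 0/0 ntp -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
-A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
"""

# Hypothetical secondary ('test dns server') allowed to pull zones: only that
# host gets TCP and UDP 53, instead of opening port 53 to 0/0.
SECONDARY = "192.0.2.10"
DNS_RULES = [
    f"-A input -s {SECONDARY} -d 0/0 53 -p tcp -y -j ACCEPT",
    f"-A input -s {SECONDARY} -d 0/0 53 -p udp -j ACCEPT",
]

SERVICE_PORTS = {"ntp": 123, "domain": 53}  # service names accepted in port position

def parse_addr(spec):
    """ipchains address: '0/0', '192.0.2.10', '192.0.2.0/24' -> ip_network."""
    addr, _, bits = spec.partition("/")
    parts = addr.split(".")
    addr = ".".join(parts + ["0"] * (4 - len(parts)))  # ipchains allows '0/0'
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)

def parse_ports(spec):
    """'53' -> (53, 53); '0:1023' -> (0, 1023); '1025:' -> (1025, 65535)."""
    if spec in SERVICE_PORTS:
        return (SERVICE_PORTS[spec],) * 2
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo or 0), int(hi or 65535))
    return (int(spec), int(spec))

def parse_rule(line):
    toks = shlex.split(line)
    rule = {"chain": None, "proto": "all", "src": parse_addr("0/0"), "dst": parse_addr("0/0"),
            "sport": (0, 65535), "dport": (0, 65535), "iface": None, "syn_only": False,
            "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-s", "-d"):
            key = "src" if t == "-s" else "dst"
            rule[key] = parse_addr(toks[i + 1]); i += 2
            if i < len(toks) and not toks[i].startswith("-"):  # optional port after addr
                rule["sport" if key == "src" else "dport"] = parse_ports(toks[i]); i += 1
        elif t in ("-A", "-p", "-i", "-j"):
            rule[{"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}[t]] = toks[i + 1]; i += 2
        elif t == "-y":
            rule["syn_only"] = True; i += 1
        else:
            raise ValueError(f"unsupported ipchains option {t!r} in: {line}")
    return rule

def parse_chain(text, chain="input"):
    return [r for r in (parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#"))
            if r["chain"] == chain]

def matches(rule, pkt):
    return ((rule["proto"] == "all" or rule["proto"] == pkt["proto"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and rule["sport"][0] <= pkt["sport"] <= rule["sport"][1]
            and rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]
            and (not rule["syn_only"] or pkt.get("syn", False)))

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins, as in ipchains; returns (target, 1-based rule number)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policy, None

def with_dns_rules(rules_text, dns_rules, before_rejects):
    """Insert the DNS rules ahead of the first REJECT line, or append them at the end."""
    lines = rules_text.splitlines()
    if before_rejects:
        idx = next(i for i, l in enumerate(lines) if "-j REJECT" in l)
        lines[idx:idx] = dns_rules
    else:
        lines.extend(dns_rules)
    return "\n".join(lines) + "\n"

# Constructed packets arriving on eth0 of the RH73 box (192.0.2.53).
def packet(src, proto, dport, syn=False):
    return {"proto": proto, "iface": "eth0", "src": src, "sport": 40123,
            "dst": "192.0.2.53", "dport": dport, "syn": syn}

def demo():
    """Verdicts for the posted rules, an appended fix, and a correctly placed fix."""
    axfr_syn = packet(SECONDARY, "tcp", 53, syn=True)
    udp_query = packet(SECONDARY, "udp", 53)
    stranger = packet("198.51.100.7", "tcp", 53, syn=True)
    original = parse_chain(ORIGINAL_RULES)
    appended = parse_chain(with_dns_rules(ORIGINAL_RULES, DNS_RULES, before_rejects=False))
    fixed = parse_chain(with_dns_rules(ORIGINAL_RULES, DNS_RULES, before_rejects=True))
    return {
        "original_axfr": verdict(original, axfr_syn),   # hits the 'tcp 0:1023 -y REJECT' rule
        "original_udp": verdict(original, udp_query),   # hits the 'udp 0:1023 REJECT' rule
        "appended_axfr": verdict(appended, axfr_syn),   # still REJECT: never reached
        "fixed_axfr": verdict(fixed, axfr_syn),
        "fixed_udp": verdict(fixed, udp_query),
        "fixed_stranger": verdict(fixed, stranger),     # other hosts still rejected
    }

if __name__ == "__main__":
    for name, (target, n) in demo().items():
        print(f"{name:15s} -> {target} (rule {n})")
```

Run as a script it prints the verdict and the rule number for each constructed packet; the SYN to TCP 53 is caught by the eleventh rule (`-p tcp ... 0:1023 -y -j REJECT`) in the posted set, which is consistent with the "connection refused" seen on the test server, and the same packet is accepted only when the port-53 rule sits ahead of that REJECT line.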
