Voytek wrote:
<quote who="[EMAIL PROTECTED]">yes, that's what I mean, this is the address you used when you tried to access
Ah ok, that's probably part of what I missed. I suppose that
203.42.34.54 is the IP address you tried to access, right?
no, 203.42.34.54 is the DNS host
the DNS host?
I wonder - did you keep getting "connection refused" when the server
listened on the TCP port and the only problem was the firewall?
I think so...
For security's sake, I'd recommend blocking TCP access to your BIND from anyone but your designated secondaries. Otherwise you open this sensitive server to DoS attacks and all sorts of hazards, and they are not necessary for anyone else.
so, that I'd need to do in ipchains rules, yes? Specifically, allow TCP port 53 for each designated slave DNS host?
Is this how it works?
-A input -s 220.240.54.97 -d 0/0 53 -p tcp -y -j ACCEPT
My experience with ipchains is ancient; I have used iptables for years now, so I can't verify what I'm saying, but:
-A input -s 220.240.54.97 -d 203.42.34.54 53 -p tcp -y -j ACCEPT
Should probably do the trick. If you leave it "-d 0/0" then I think you allow your secondary to access ANY host on your internal network, which doesn't sound like a Good Thing(tm) to me.
BTW - what kernel are you using? Why don't you move to iptables?
Hope this helps,
--Amos
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
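The rule set the thread converges on, written out as an added example (this is not code from the thread or from either poster): one ACCEPT per designated secondary for new TCP connections to port 53 on the name server, followed by a catch-all that refuses every other new TCP/53 connection, in both the ipchains form Voytek is using and the iptables form Amos suggests moving to. The script only prints the commands so it can be reviewed before being applied; it uses the DNS host 203.42.34.54 and the secondary 220.240.54.97 quoted in the thread, and 198.51.100.7 is a constructed placeholder for a second secondary. One caveat the thread does not mention: resolvers retry over TCP when a UDP answer comes back truncated, so a name server that publishes large records (long TXT or DNSSEC-signed zones) may need TCP/53 open more widely; for a small zone whose answers fit in UDP, limiting TCP to the secondaries is the usual choice.

```shell
#!/bin/sh
# Added example, not from the SLUG thread. Generates (does not apply) firewall
# rules restricting TCP/53 on the name server to the designated secondaries.
# 203.42.34.54 and 220.240.54.97 come from the thread; 198.51.100.7 is a
# constructed placeholder for a second secondary. UDP/53 is deliberately left
# untouched so ordinary resolution keeps working.

DNS_HOST="203.42.34.54"
SECONDARIES="220.240.54.97 198.51.100.7"

# gen_dns_tcp_rules <ipchains|iptables> <dns_host> <secondary>...
# Prints one ACCEPT per secondary, then a catch-all that refuses any other
# new TCP connection to port 53 on the name server. Returns 1 on an unknown
# flavour so a typo does not silently produce an empty (all-open) rule set.
gen_dns_tcp_rules() {
    flavour="$1"; dns="$2"; shift 2
    for sec in "$@"; do
        case "$flavour" in
            ipchains)
                # ipchains takes the port as a separate token after the address
                # (-d host port); -y matches SYN-only packets, i.e. new connections.
                echo "ipchains -A input -p tcp -s $sec -d $dns 53 -y -j ACCEPT" ;;
            iptables)
                # Same policy in iptables syntax: --dport for the port, --syn for
                # new connections, upper-case built-in chain name.
                echo "iptables -A INPUT -p tcp -s $sec -d $dns --dport 53 --syn -j ACCEPT" ;;
            *)
                echo "unknown flavour: $flavour" >&2; return 1 ;;
        esac
    done
    # Catch-all: refuse new TCP/53 connections from anyone not listed above.
    # Pinning -d to the name server (not 0/0) keeps the rule from touching other hosts.
    case "$flavour" in
        ipchains) echo "ipchains -A input -p tcp -d $dns 53 -y -j DENY" ;;
        iptables) echo "iptables -A INPUT -p tcp -d $dns --dport 53 --syn -j DROP" ;;
    esac
}

# Show both rule sets when run directly. SECONDARIES is intentionally unquoted
# so the shell splits it into one argument per address.
echo "# ipchains rules"
gen_dns_tcp_rules ipchains "$DNS_HOST" $SECONDARIES
echo "# iptables rules"
gen_dns_tcp_rules iptables "$DNS_HOST" $SECONDARIES
```

To apply the output on the firewall host, review it and then pipe the chosen rule set into a root shell; the per-secondary ACCEPT lines must stay above the catch-all, since both ipchains and iptables take the first matching rule.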
