Benedict Verheyen said:
> Hi,
>
> I configured shorewall on my server to share the internet connection. My
> apt.conf file contains a line to configure the use of the proxy of my
> isp:
> Acquire::http:Proxy "http://proxy.isp.be:8080";

Most firewalls with a default deny block outbound DNS requests because they by default travel over UDP, not TCP, so the firewall can't keep the state.

Workarounds:

1) Run an internal DNS behind the firewall, and direct all queries at that system; punch a hole through the firewall to allow that system through. I do this on my network. I have a bridged FreeBSD box which has a default ipfw policy of deny, then I told BIND to only use UDP port 53 for all actions (makes it firewall-friendly), and opened a hole in the firewall to allow requests to go to UDP/53 on my nameserver. You shouldn't need to allow incoming requests, just outgoing; since my server is authoritative for about 45 domains I need to allow incoming as well.

2) Try running all of your DNS requests over TCP. Using the 'host' command you can do this; I am not aware of any way to get the system to default to this.

3) Point to your proxy using its IP address, not the domain name, so it doesn't have to resolve anything. Many proxy servers handle all DNS resolution as well, so if you're using a proxy your system doesn't need to know what debian.org or whatever resolves to.

#3 is the best interim solution. If you run a network, the best long-term solution is #1; that way you have both DNS and a DNS cache on your internal network.

nate
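
Added example, not part of the original message: workaround 2 in code. It builds a DNS A query for the proxy name from the quoted apt.conf and frames it for TCP (two-byte length prefix, RFC 1035 section 4.2.2), which is what crosses the firewall on TCP/53 instead of UDP/53. The function names are made up for this sketch, and the resolver address is an argument you supply.

```python
import socket
import struct

def build_query(name, qid=0x1234, qtype=1):
    """Build a DNS query message (RFC 1035) for `name`; qtype 1 = A record."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN

def frame_tcp(msg):
    """DNS over TCP prefixes each message with its length as 2 bytes."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf

def parse_header(reply):
    """Return (rcode, answer_count) from a DNS reply header."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    _qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return flags & 0x000F, an

def query_over_tcp(name, resolver, timeout=5.0):
    """Send the query to resolver:53 over TCP and summarise the reply."""
    with socket.create_connection((resolver, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(name)))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return parse_header(recv_exact(s, length))

if __name__ == "__main__":
    import sys
    # usage: python dns_tcp.py <resolver-ip>
    print(query_over_tcp("proxy.isp.be", sys.argv[1]))
```

An rcode of 0 with at least one answer means the lookup succeeded over TCP; a timeout on connect means TCP/53 is blocked as well.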