On Wed, 2003-08-06 at 22:02, Malcolm Ferguson wrote:
> I have /etc/resolv.conf containing a nameserver entry. I also have some
> name servers listed in the forwarders section of /etc/bind/named.conf.
> Is there a way to configure both bind and the normal name resolver (how
> does it work???) to always use the same port? Or, do I have to add a
> rule to the INPUT chain that ACCEPTs anything UDP from the name server?
> Obviously the name server isn't on the local LAN.
From /etc/bind/named.conf (Debian box):

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.
    query-source address * port 53;

This will force BIND to use 53 as the source port, as well as the destination. You can then use something like the following in your iptables script:

    # "-p udp" has to come before --sport/--dport, otherwise iptables
    # rejects those options as unknown.
    iptables -A INPUT -p udp -s <ip of first forwarder> --sport 53 --dport 53 -i <interface> -j ACCEPT
    iptables -A INPUT -p udp -s <ip of second forwarder> --sport 53 --dport 53 -i <interface> -j ACCEPT

and maybe a matching set with "-p tcp". That should allow responses back through the firewall, though you should be able to do the same with "ESTABLISHED,RELATED".

HTH,
j.

--
Jeremy L. Gaddis <[EMAIL PROTECTED]>
<http://www.gaddis.org>
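As an added illustration (not part of Jeremy's reply, nor of BIND's or Debian's own files): a small POSIX sh script that emits both rule sets the reply describes, the variant that relies on BIND being pinned to source port 53 and the stateful ESTABLISHED,RELATED variant. The interface name, the forwarder addresses (192.0.2.x documentation space) and the run/count_rules helpers are placeholders constructed for this example. With DRY_RUN=1 (the default here) the script prints the rules instead of applying them; run it as root with DRY_RUN=0 to install them. Worth keeping in mind when choosing: pinning the query source to port 53 gives up BIND's source-port randomization, so the stateful rule is the one to prefer where conntrack is available.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original message.
# Prints (DRY_RUN=1) or applies (DRY_RUN=0, as root) iptables rules that
# let DNS replies from remote forwarders back in through the INPUT chain.

IPT=${IPT:-iptables}        # assumed binary name; override if needed
DRY_RUN=${DRY_RUN:-1}       # 1 = print the rules, 0 = really install them

# Print or apply one rule. All arguments are passed through to iptables.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Variant 1: BIND configured with "query-source address * port 53;".
# Only 53 -> 53 traffic from the listed forwarders is accepted, for UDP
# and TCP (TCP is needed for large answers and zone transfers).
# Note the option order: -p must precede --sport/--dport.
# Usage: dns_rules_pinned <iface> <forwarder-ip>...
dns_rules_pinned() {
    iface=$1
    shift
    for fwd in "$@"; do
        for proto in udp tcp; do
            run -A INPUT -i "$iface" -p "$proto" -s "$fwd" \
                --sport 53 --dport 53 -j ACCEPT
        done
    done
}

# Variant 2: stateful. BIND and the libc resolver keep their unprivileged
# source ports; conntrack admits only packets that answer a query this
# host actually sent. One rule covers UDP and TCP and every forwarder.
# Usage: dns_rules_stateful <iface>
dns_rules_stateful() {
    iface=$1
    run -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Helper: number of rules a variant would install, e.g.
#   count_rules dns_rules_pinned eth0 192.0.2.1 192.0.2.2   -> 4
count_rules() {
    "$@" | wc -l | tr -d ' '
}

# Example invocation with constructed placeholder addresses.
dns_rules_pinned eth0 192.0.2.1 192.0.2.2
dns_rules_stateful eth0
```

In dry-run mode the script is safe to run anywhere; compare its output against `iptables -L INPUT -n -v` on the firewall before switching DRY_RUN off. If the kernel has conntrack, the single stateful rule also removes the need to touch named.conf at all.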