On Tue, 13 Mar 2001, Peter Brezny wrote:
> I've got a problem with secondary DNS servers not being able to get
> updates from my primary through its firewall.
>
> The firewall rules on the primary dns server (pertaining to dns) look
> like this. I thought I had my bases covered...
>
>
> # Allow DNS traffic from internet to query your DNS (for reverse
> # lookups etc).
> $fwcmd add allow tcp from any 53 to $ns1 53 setup
> $fwcmd add allow udp from any to $ns1 53
> $fwcmd add allow udp from $ns1 53 to any
You are only allowing the setup of the zone transfer. You need to
allow established traffic as well (tcp port 53).
$fwcmd add allow tcp from any 53 to any 53
This isn't very secure though. You can use more specific ipfw rules
that make this a little more secure.
>
> I've also got:
>
> query-source address 209.16.228.145 port 53;
>
> In my named.conf on the primary dns server...
>
> However when secondaries create zone files, they are blank. I get the
> feeling it's a firewall problem because, when I configure the
> secondaries to use an internal address of the primary dns server
> (which has a keep-state allow all internal rule) in my test
> environment, the updates occur as expected.
Yes, it is a firewall issue.
Nick Rogness <[EMAIL PROTECTED]>
- Keep on routing in a Free World...
"FreeBSD: The Power to Serve!"
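As an added example (not from either poster), the ipfw fragment below shows the tightened form of the rules discussed in this thread: the TCP `setup` rule for zone transfers is limited to the secondaries' addresses, an `established` rule carries the rest of the transfer, and anything else aimed at the server port is dropped and logged. The primary's address is taken from the query-source line above; the secondary addresses are placeholders, and `fwcmd` defaults to a dry run so the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumptions: ns1 is the
# primary's public address (from the named.conf line in the thread), the
# secondaries are placeholder TEST-NET-1 addresses, and fwcmd defaults to
# "echo ipfw" so the rules are printed rather than installed.
fwcmd="${fwcmd:-echo ipfw}"
ns1="209.16.228.145"
secondaries="192.0.2.10 192.0.2.11"   # placeholder secondary name servers

dns_rules() {
    # Ordinary queries: UDP 53 in both directions, as in the original rules
    # (query-source port 53 makes the primary's own lookups match too).
    $fwcmd add allow udp from any to $ns1 53
    $fwcmd add allow udp from $ns1 53 to any

    # Zone transfers (AXFR/IXFR) run over TCP. A 'setup' rule matches only
    # the SYN; without an 'established' rule the data packets are dropped
    # and the secondary ends up with an empty zone. Only the known
    # secondaries may open a transfer, and their source port is ephemeral,
    # so it is not pinned to 53.
    for sec in $secondaries; do
        $fwcmd add allow tcp from $sec to $ns1 53 setup
    done
    # Remaining packets of connections that were accepted by a setup rule.
    $fwcmd add allow tcp from any to $ns1 53 established
    $fwcmd add allow tcp from $ns1 53 to any established

    # Any other TCP connection attempt to the name server is dropped and
    # logged, so unexpected transfer attempts show up in the ipfw log.
    $fwcmd add deny log tcp from any to $ns1 53
}

# Number of rules the function emits; handy for checking a dry run.
rule_count() { dns_rules | wc -l | tr -d ' '; }

dns_rules
```

Pair this with an `allow-transfer` list in named.conf so the transfer restriction does not depend on the firewall alone.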