This is March, right?
I probably should've tried this on one DNS server, instead of all of
them. I removed state tracking on outbound to port 53 traffic and
nothing could be resolved.
And I couldn't fix it without manual intervention, as cfagent (cfengine)
couldn't resolve its policy server.
On Mon, Mar 03, 2014 at 09:48:20AM +0800, Drunkard Zhang wrote:
> 2014-03-02 3:04 GMT+08:00 /dev/rob0 :
snip
> > root@tp:~# iptables-save
snip
> > # Generated by iptables-save v1.4.20 on Sat Mar 1 12:42:55 2014
> > *raw
> > :PREROUTING ACCEPT [96:19019]
> > :OUTPUT ACCEPT [118:13918]
> > -A PREROU
2014-03-02 3:04 GMT+08:00 /dev/rob0 :
> On Sat, Mar 01, 2014 at 03:35:25PM +, Phil Mayers wrote:
>> On 01/03/2014 14:30, Chuck Anderson wrote:
>>
>> >How should these rules be changed to adhere to the Best Practices
>> >while not breaking anything and still allowing the servers to do
>> >their
On Sat, Mar 01, 2014 at 03:35:25PM +, Phil Mayers wrote:
> On 01/03/2014 14:30, Chuck Anderson wrote:
>
> >How should these rules be changed to adhere to the Best Practices
> >while not breaking anything and still allowing the servers to do
> >their own DNS lookups? I know theoretically how
On Sat, Mar 01, 2014 at 03:35:25PM +, Phil Mayers wrote:
> The DNS-QUERY chain allows all traffic inbound to port 53 and
> fragments, and denies all other TCP/UDP. It permits all others,
> which is relatively open but you could lock this down to allowing
> ICMP etc. if you wanted.
>
> The DNS-
On 01/03/2014 14:30, Chuck Anderson wrote:
How should these rules be changed to adhere to the Best Practices
while not breaking anything and still allowing the servers to do their
own DNS lookups? I know theoretically how I would do this, but I'm
looking for others' experiences.
There are pro
In the following two Best Practices documents, it is recommended to
disable stateful firewalls for DNS traffic (outbound on recursive
servers, and inbound on authoritative servers). Can people share
their Linux iptables configurations for how they have accomplished
this?
https://deepthought.isc.o