On 8/21/2014 5:20 AM, Ruud Baart wrote:
> I had a problem with our DNS servers. It turned out that the DNS servers
> were very, very busy with rejecting answers. See discussion "Blocking
> DNS cache queries". I assume DNSAmp is the formal incorporation of the
> solution.
> 

Please give the attached version a try -- any packet that it matches
will also be matched by your 'imperfect' version.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
#
# Shorewall 4 - DNS Amplification Action
#
#    /usr/share/shorewall/action.DNSAmp
#
#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
#     (c) 2011,2012 - Tom Eastep ([email protected])
#
#       Complete documentation is available at http://shorewall.net
#
#       This program is free software; you can redistribute it and/or modify
#       it under the terms of Version 2 of the GNU General Public License
#       as published by the Free Software Foundation.
#
#       This program is distributed in the hope that it will be useful,
#       but WITHOUT ANY WARRANTY; without even the implied warranty of
#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#       GNU General Public License for more details.
#
#       You should have received a copy of the GNU General Public License
#       along with this program; if not, write to the Free Software
#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#   DNSAmp[([<action>])]
#
#       Default action is DROP
#
##########################################################################################
?format 2

DEFAULTS DROP

IPTABLES(@1)    -       -       udp     53      ; -m u32 --u32 "0>>22&0x3C\@8&0xffff=0x0100 && 0>>22&0x3C\@12&0xffff0000=0x00010000"
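Added example (not part of Tom's attachment or of Shorewall): a Python re-implementation of the two u32 tests in the action above, run over constructed IPv4/UDP/DNS packets, so you can see what the match selects (a standard query with RD set and exactly one question, whatever the IP header length) and what it leaves alone. It covers only the `-m u32` part; the `udp 53` destination-port test of the IPTABLES rule is assumed to have been applied already.

```python
import struct

def dnsamp_u32_match(ip_packet: bytes) -> bool:
    """Re-implement the two u32 tests from action.DNSAmp on a raw IPv4 packet.
    Test 1: 0>>22&0x3C@8&0xffff=0x0100
      word at offset 0, >>22 &0x3C  -> IHL*4, the IP header length in bytes
      @8                             -> offset IHL*4+8, i.e. past the 8-byte UDP header
      &0xffff of that word           -> DNS flags word == 0x0100 (QR=0, opcode 0, RD=1)
    Test 2: 0>>22&0x3C@12&0xffff0000=0x00010000
      offset IHL*4+12                -> the QDCOUNT/ANCOUNT word
      &0xffff0000                    -> QDCOUNT == 1
    Like the kernel u32 match, a packet too short to read a word does not match.
    """
    def word(offset):
        if offset + 4 > len(ip_packet):
            return None
        return struct.unpack_from("!I", ip_packet, offset)[0]

    w0 = word(0)
    if w0 is None:
        return False
    ihl_bytes = (w0 >> 22) & 0x3C
    flags_word, counts_word = word(ihl_bytes + 8), word(ihl_bytes + 12)
    if flags_word is None or counts_word is None:
        return False
    return (flags_word & 0xFFFF) == 0x0100 and (counts_word & 0xFFFF0000) == 0x00010000

def dns_header(tid, flags, qdcount, ancount=0):
    """Constructed 12-byte DNS header (NSCOUNT and ARCOUNT zero)."""
    return struct.pack("!HHHHHH", tid, flags, qdcount, ancount, 0, 0)

def ipv4_udp_to_53(payload, ihl_words=5):
    """Constructed IPv4 + UDP/53 packet; ihl_words > 5 simulates IP options."""
    hdr = bytearray(ihl_words * 4)
    hdr[0] = 0x40 | ihl_words                       # version 4, IHL
    struct.pack_into("!H", hdr, 2, len(hdr) + 8 + len(payload))  # total length
    hdr[8], hdr[9] = 64, 17                         # TTL, protocol = UDP
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)  # checksum 0: not verified here
    return bytes(hdr) + udp + payload

if __name__ == "__main__":
    samples = {
        "standard query, RD set, one question": ipv4_udp_to_53(dns_header(0x1234, 0x0100, 1)),
        "same query behind IP options (IHL=6)": ipv4_udp_to_53(dns_header(0x1234, 0x0100, 1), 6),
        "response (QR=1, RD, RA)": ipv4_udp_to_53(dns_header(0x1234, 0x8180, 1, 1)),
        "query with QDCOUNT=2": ipv4_udp_to_53(dns_header(0x1234, 0x0100, 2)),
    }
    for label, pkt in samples.items():
        print(f"{label:40s} -> {'matched' if dnsamp_u32_match(pkt) else 'not matched'}")
```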
