kaze on Wed, 6 Aug 2003 21:56:08 -0400



RE: [PLUG] Re: FW: BIND troubleshooting / help


<snip>
--> > Yeah, it's been open, even all the way to the outside - but does it block
--> > outgoing somehow? Or is some reply blocked, I know on the Cisco ACL you have
--> > to allow from anyone to port 53, and from anyone's port 53 to ports over 53
--> > on tcp and udp. I'm probably reaching and just screwed something basic up...
-->
--> I do not understand your question. You say it is open but then you seem to think
--> it is blocked. zone transfers are by default done via port 53 tcp. Most other
--> dns things are 53 udp. You seem to know this but at the same time you do not
--> seem sure, so I mentioned it again for clarity. From your trace in the previous
--> message it looks to me like you have something blocked. It is hard to tell for
--> sure without sniffing the packets with tcpdump or something. You do not have
--> iptables turned on, on the nameservers so you??
-->
--> --
--> ......Tom

I think it was a little early in the morning for me to post.

On the Cisco IOS ACL 'firewall' I have in part:

access-list 100 permit udp any eq domain host 146.145.39.211 gt 1023
access-list 100 permit udp any host 146.145.39.211 eq domain
access-list 100 permit tcp any host 146.145.39.211 eq domain

Where 146.145.39.211 is the external address of ns1 then NAT'ed to
10.10.10.211.
So:
any IP with tcp port 53 allowed to ns1's IP with a port > 1023
any IP with UDP allowed to ns1's IP with port 53
any IP with TCP allowed to ns1's IP with port 53

I'm not 100% sure about it but I think unlike a web browser sending a
request out to the server and the server sending the data back on the same
'established' connection, with DNS the 'question' and 'answer' are separate
sockets and separate connections so you have to set up another rule to allow
for this.
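A plain IOS access-list is stateless: every datagram is matched on its own against the entries in order, with an implicit deny at the end, so the answer to a query that ns1 itself sends out comes back as a separate inbound packet that needs its own permit entry. The script below is an added example, not part of the original post or of anyone's configuration; it parses the three access-list lines exactly as quoted above and evaluates a handful of constructed DNS flows against them, so you can see which inbound legs the list covers and which fall through to the implicit deny. The remote address 198.51.100.7, the port numbers, and the first-match logic are assumptions made for the example.

```python
"""Stateless ACL evaluator for the three Cisco-style lines in the post.

Added example, not from the original post. It parses the entries as
written and checks which constructed DNS flows they permit, so the
one-rule-per-direction point can be verified rather than guessed at.
"""
from dataclasses import dataclass

# The three entries quoted in the post (verbatim).
ACL_TEXT = """
access-list 100 permit udp any eq domain host 146.145.39.211 gt 1023
access-list 100 permit udp any host 146.145.39.211 eq domain
access-list 100 permit tcp any host 146.145.39.211 eq domain
"""

NAMED_PORTS = {"domain": 53}


@dataclass
class Entry:
    proto: str
    src: str            # "any" or a host IP
    src_port: tuple     # (operator, port) or None when unspecified
    dst: str
    dst_port: tuple


def _parse_port(tokens, i):
    """Parse an optional 'eq|gt|lt <port>' at tokens[i]; return ((op, port), next_i)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt"):
        port = NAMED_PORTS.get(tokens[i + 1], tokens[i + 1])
        return (tokens[i], int(port)), i + 2
    return None, i


def _parse_addr(tokens, i):
    """Parse 'any' or 'host <ip>' (the only address forms used in the post)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {' '.join(tokens[i:])}")


def parse_acl(text):
    """Parse 'access-list N permit <proto> <src> [port] <dst> [port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] != "permit":
            raise ValueError(f"only 'access-list N permit ...' lines supported: {line}")
        proto = t[3]
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append(Entry(proto, src, sport, dst, dport))
    return entries


def _port_matches(spec, port):
    if spec is None:
        return True
    op, value = spec
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


def _addr_matches(spec, addr):
    return spec == "any" or spec == addr


def permitted(entries, proto, src, sport, dst, dport):
    """First matching entry wins; no match means the implicit deny, as on IOS."""
    for e in entries:
        if (e.proto == proto
                and _addr_matches(e.src, src) and _port_matches(e.src_port, sport)
                and _addr_matches(e.dst, dst) and _port_matches(e.dst_port, dport)):
            return True
    return False


NS1 = "146.145.39.211"
CLIENT = "198.51.100.7"   # constructed remote address (documentation range), an assumption


def check_flows(entries=None):
    """Evaluate the inbound leg of typical DNS exchanges; returns {name: permitted}."""
    entries = entries if entries is not None else parse_acl(ACL_TEXT)
    return {
        # a resolver on the Internet queries ns1 over UDP
        "udp_query_to_ns1": permitted(entries, "udp", CLIENT, 40000, NS1, 53),
        # a secondary pulls a zone transfer over TCP
        "tcp_axfr_to_ns1": permitted(entries, "tcp", CLIENT, 40001, NS1, 53),
        # answer to ns1's own outbound (recursive) query, arriving from remote port 53
        "udp_reply_to_ns1_high_port": permitted(entries, "udp", CLIENT, 53, NS1, 32768),
        # same answer, but ns1 used a source port <= 1023: falls to the implicit deny
        "udp_reply_to_ns1_low_port": permitted(entries, "udp", CLIENT, 53, NS1, 1023),
        # TCP answer to an outbound query from ns1: no entry covers it, implicit deny
        "tcp_reply_to_ns1_high_port": permitted(entries, "tcp", CLIENT, 53, NS1, 32768),
    }


if __name__ == "__main__":
    for name, ok in check_flows().items():
        print(f"{name:28s} {'permit' if ok else 'deny'}")
```

Running it shows the first line of the list is what lets UDP answers back in to ns1's unprivileged source ports, and that a TCP answer to a query ns1 originates (a large response that retried over TCP, for instance) has no matching entry at all, which is the kind of gap a packet capture on ns1 would confirm.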

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug