[Firehol-support] dns?

Goetz Bock bock at blacknet.de
Wed May 4 08:51:15 CEST 2005


On Wed, May 04 '05 at 12:29, Rick Marshall wrote:
> interface eth1 inet src "${access_ip}"
>        protection strong 100/sec 200
>        policy reject
>        server "${services}" accept
>        client all accept
> 

try this:

interface eth1 inet
       protection strong 100/sec 200
       policy reject
       server "${services}" accept src "${access_ip}"
       client all accept

or better:

interface eth1 inet
       protection strong 100/sec 200
       policy reject
       server "${services}" accept src "${access_ip}"
       client all accept dest "${access_ip}"
       client dns accept dest "${dnsserver}"



> now it's logging these udp packets like crazy:
> 
> May  4 10:23:40 china kernel: OUT-unknown:IN= OUT=eth1 
> SRC=211.148.145.81 DST=216.239.53.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 
> ID=26267 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
> May  4 10:23:42 china kernel: OUT-unknown:IN= OUT=eth1 
> SRC=211.148.145.81 DST=66.102.11.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 
> ID=26268 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
> May  4 10:23:44 china kernel: OUT-unknown:IN= OUT=eth1 
> SRC=211.148.145.81 DST=203.134.64.66 LEN=62 TOS=0x00 PREC=0x00 TTL=64 
> ID=26269 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
> 
> what's really strange is no IN, out is the interface, and SRC is the 
> address on the interface.
> 
> does this mean anything 
your dns requests are blocked

> and should i add something to my configuration. 
see above.
-- 
/"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
\ /       (c) 2004 Creative Commons, Attribution-ShareAlike 2.0 de
 X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
/ \  [ 3. Reply to the list - 4. Read the archive *before* you post ]
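As an added example that is not part of this thread, a small Python triage script for the netfilter LOG format quoted above: it parses each line, picks out UDP/53 packets that the host itself sent (no IN interface, an OUT interface, SRC equal to the interface address) and that fell into FireHOL's OUT-unknown catch-all, and renders the `client dns accept dest ...` line Goetz suggests from the servers seen. The sample lines and the host address 211.148.145.81 are constructed from the quoted log, and the space-separated quoted list for `dest` is assumed to follow FireHOL's list syntax.

```python
import re
from collections import Counter

# Constructed sample in netfilter LOG format, modelled on the lines quoted above
# (the host's own eth1 address is assumed to be 211.148.145.81, as in the quote).
SAMPLE_LOG = """\
May  4 10:23:40 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=216.239.53.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26267 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
May  4 10:23:42 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=66.102.11.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26268 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
May  4 10:23:44 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=203.134.64.66 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26269 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
May  4 10:23:50 china kernel: IN-unknown:IN=eth1 OUT= SRC=10.9.8.7 DST=211.148.145.81 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
"""

# "kernel: <firehol-prefix>:<key=value fields ...>"
LOG_RE = re.compile(r"kernel: (?P<prefix>[\w-]+):(?P<fields>.*)$")

def parse_line(line):
    """Split one LOG line into a dict of its fields; None if it is not a LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key == "LEN" and "LEN" in rec:   # second LEN is the UDP payload length
                key = "UDPLEN"
            rec[key] = val
        else:
            rec[tok] = True                      # bare flags such as DF or SYN
    return rec

def blocked_outbound_dns(log_text, host_ip):
    """Count, per DNS server, the host's own UDP/53 queries that hit OUT-unknown.
    Empty IN plus a non-empty OUT means the packet originated on this box."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["prefix"] == "OUT-unknown" and not rec.get("IN") \
                and rec.get("OUT") and rec.get("PROTO") == "UDP" \
                and rec.get("DPT") == "53" and rec.get("SRC") == host_ip:
            hits[rec["DST"]] += 1
    return hits

def suggest_client_dns(hits):
    """Render the FireHOL 'client dns accept dest ...' line for the servers seen
    (assumes FireHOL's space-separated quoted list syntax for dest)."""
    return 'client dns accept dest "%s"' % " ".join(sorted(hits))

if __name__ == "__main__":
    seen = blocked_outbound_dns(SAMPLE_LOG, "211.148.145.81")
    print(seen)
    print(suggest_client_dns(seen))
```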