[Firehol-support] dns?
Goetz Bock
bock at blacknet.de
Wed May 4 07:51:15 BST 2005
On Wed, May 04 '05 at 12:29, Rick Marshall wrote:
> interface eth1 inet src "${access_ip}"
>     protection strong 100/sec 200
>     policy reject
>     server "${services}" accept
>     client all accept
>
Try this:

interface eth1 inet
    protection strong 100/sec 200
    policy reject
    server "${services}" accept src "${access_ip}"
    client all accept
Or better:

interface eth1 inet
    protection strong 100/sec 200
    policy reject
    server "${services}" accept src "${access_ip}"
    client all accept dest "${access_ip}"
    client dns accept dest "${dnsserver}"
> Now it's logging these UDP packets like crazy:
>
> May 4 10:23:40 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=216.239.53.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26267 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
> May 4 10:23:42 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=66.102.11.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26268 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
> May 4 10:23:44 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=203.134.64.66 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26269 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
>
> What's really strange is that there's no IN, OUT is the interface, and SRC is the
> address on the interface.
>
> Does this mean anything,
Your DNS requests are blocked.
> and should I add something to my configuration?
See above.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2004 Creative Commons, Attribution-ShareAlike 2.0 de
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
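Reading those log lines the way the reply does (IN= empty, OUT=eth1, SRC= the interface's own address: a packet generated on the firewall host itself that matched no interface definition and fell through to FireHOL's catch-all logging chain) can be scripted. The following is an added example and is not code from the thread or from FireHOL: it splits netfilter LOG lines into their key=value fields, derives the direction from which of IN=/OUT= is set, names the service from PROTO/DPT, and counts drops per prefix, direction and service. The sample lines are constructed to match the quoted format (the two DNS lines reuse the addresses from the post; the third, IN-unknown SSH line, is an invented counter-example), and the service table is an assumption.

```bash
#!/bin/bash
# Added example, not part of the original thread or of FireHOL: parse
# netfilter LOG lines of the kind quoted above and work out, for each
# dropped packet, which direction it was travelling and which service it
# was for. Sample lines are constructed to match the quoted format.

# Constructed sample log: two locally generated DNS queries dropped by the
# OUT-unknown catch-all, plus one inbound SSH SYN dropped by IN-unknown
# (the third line is invented to show the other direction).
SAMPLE_LOG='May  4 10:23:40 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=216.239.53.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26267 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
May  4 10:23:42 china kernel: OUT-unknown:IN= OUT=eth1 SRC=211.148.145.81 DST=66.102.11.9 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=26268 DF PROTO=UDP SPT=33008 DPT=53 LEN=42
May  4 10:24:01 china kernel: IN-unknown:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=211.148.145.81 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Map PROTO/DPT to a service name (assumed table, extend as needed).
service_name() {
    case "$1/$2" in
        UDP/53|TCP/53) echo dns ;;
        TCP/22)        echo ssh ;;
        TCP/80)        echo http ;;
        TCP/443)       echo https ;;
        *)             echo "$1/$2" ;;
    esac
}

# Direction from the IN=/OUT= fields:
#   IN empty, OUT set   -> generated by a process on this host
#   IN set,  OUT empty  -> addressed to this host
#   both set            -> forwarded through this host
direction() {
    local in_if=$1 out_if=$2
    if [ -z "$in_if" ] && [ -n "$out_if" ]; then echo local-out
    elif [ -n "$in_if" ] && [ -z "$out_if" ]; then echo local-in
    elif [ -n "$in_if" ] && [ -n "$out_if" ]; then echo forward
    else echo unknown
    fi
}

# Parse one kernel log line and print:
#   <log-prefix> <direction> <service> <src>:<spt> -> <dst>:<dpt>
classify_nf_log_line() {
    local line=$1 nf prefix tok in_if='' out_if='' src='' dst='' proto='' spt='' dpt=''
    nf=${line#*kernel: }        # drop the syslog timestamp and hostname
    prefix=${nf%%:IN=*}         # FireHOL's log prefix, e.g. OUT-unknown
    for tok in ${nf#*:}; do     # key=value fields after the prefix
        case $tok in
            IN=*)    in_if=${tok#IN=} ;;
            OUT=*)   out_if=${tok#OUT=} ;;
            SRC=*)   src=${tok#SRC=} ;;
            DST=*)   dst=${tok#DST=} ;;
            PROTO=*) proto=${tok#PROTO=} ;;
            SPT=*)   spt=${tok#SPT=} ;;
            DPT=*)   dpt=${tok#DPT=} ;;
        esac
    done
    printf '%s %s %s %s:%s -> %s:%s\n' \
        "$prefix" "$(direction "$in_if" "$out_if")" "$(service_name "$proto" "$dpt")" \
        "$src" "$spt" "$dst" "$dpt"
}

# Classify every line read from stdin.
classify_nf_log() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then classify_nf_log_line "$line"; fi
    done
}

# Count drops per prefix/direction/service, most frequent first, so the
# rule that is missing from the config stands out.
summarise_drops() {
    classify_nf_log | awk '{ n[$1" "$2" "$3]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Usage: run the constructed sample through both views.
printf '%s\n' "$SAMPLE_LOG" | classify_nf_log
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

On a live box the input would be `journalctl -k` or `/var/log/kern.log` instead of the constructed variable; a top entry of "OUT-unknown local-out dns" is exactly the symptom in the post, a client rule that never matched because the interface definition itself carried the src restriction.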