Strict Linux/ipchains firewall and BIND
Torsten Behle
tbehle at fcb-wilkens.com
Fri Oct 29 09:50:35 UTC 1999
Just some thoughts (I'm not an expert).
>> forward first
Why don't you use "forward only" ?
You could save ipchains rules to the root nameservers.
>> ipchains -A input -i $EXTRN_IFACE -p tcp ! -y \
>> -s $NS 53 -d $IPADDR 53 -j ACCEPT
If you have zone transfers from the forwarders
(your DNS being slave or hidden primary),
they will fail because of the "! -y".
(I didn't know that rootservers get queried via udp only
and from 1024: to 53 despite the option
query-source address * port 53;
You probably have checked that out.)
Torsten Behle
FCB/Wilkens Germany
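An added model of how the quoted input rule classifies traffic (my illustration, not code from the post or from ipchains itself), with constructed addresses standing in for $NS, $IPADDR and a root server; it shows why a connection-initiating segment never matches a `! -y` rule and why UDP replies to an unprivileged port fall outside it.

```python
from dataclasses import dataclass

# Constructed values standing in for the shell variables in the quoted rule.
EXTRN_IFACE = "eth0"
NS = "192.0.2.53"            # the forwarder / upstream nameserver ($NS)
IPADDR = "198.51.100.10"     # our own DNS server ($IPADDR)
ROOT_SERVER = "203.0.113.1"  # placeholder, not a real root server address

@dataclass
class Packet:
    iface: str
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False

def is_syn_only(pkt):
    # ipchains "-y": SYN set, ACK and FIN clear, i.e. a connection-initiating segment.
    return pkt.proto == "tcp" and pkt.syn and not pkt.ack and not pkt.fin

def dns_rule_matches(pkt):
    """Model of: ipchains -A input -i $EXTRN_IFACE -p tcp ! -y -s $NS 53 -d $IPADDR 53 -j ACCEPT"""
    return (pkt.iface == EXTRN_IFACE and pkt.proto == "tcp" and not is_syn_only(pkt)
            and pkt.src == NS and pkt.sport == 53
            and pkt.dst == IPADDR and pkt.dport == 53)

def input_chain(pkt):
    # Only the quoted rule is modelled; anything else falls through to a DENY policy.
    return "ACCEPT" if dns_rule_matches(pkt) else "DENY"

def outcomes():
    # Constructed traffic exercising the three cases discussed in the post.
    return {
        # Reply segment of a TCP exchange we opened to $NS: not SYN-only, so it passes.
        "tcp_reply_from_forwarder": input_chain(
            Packet(EXTRN_IFACE, "tcp", NS, 53, IPADDR, 53, ack=True)),
        # Forwarder opening a zone transfer to us (we are the hidden primary):
        # a SYN-only segment, so "! -y" excludes it even with matching ports.
        "axfr_syn_from_forwarder": input_chain(
            Packet(EXTRN_IFACE, "tcp", NS, 53, IPADDR, 53, syn=True)),
        # UDP answer from a root server to an unprivileged source port:
        # wrong protocol, source and destination port, so the rule never matches.
        "udp_root_reply": input_chain(
            Packet(EXTRN_IFACE, "udp", ROOT_SERVER, 53, IPADDR, 1025)),
    }
```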