Strict Linux/ipchains firewall and BIND

Torsten Behle tbehle at fcb-wilkens.com
Fri Oct 29 09:50:35 UTC 1999


Just some thoughts (I'm not an expert)...

>> forward first

Why don't you use "forward only" ?
You could save ipchains rules to the root nameservers.

>> ipchains -A input  -i $EXTRN_IFACE -p tcp ! -y \
>>             -s $NS 53 -d $IPADDR 53 -j ACCEPT

If you have zone transfers from the forwarders
(your DNS being slave or hidden primary),
they will fail because of the "! -y".

(I didn't know that root servers get queried via UDP only
and from 1024: to 53 despite the option
query-source address * port 53;

You probably have checked that out.)

Torsten Behle
FCB/Wilkens Germany
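As an added illustration (not part of Torsten's reply or of the original poster's rule set), a small Python model of how the quoted ipchains rule classifies traffic: a mid-connection TCP segment from the forwarder is accepted, a SYN opening a zone transfer is not, and a UDP reply from a root server to a port above 1024 matches nothing here. The interface name and all addresses are constructed stand-ins for $EXTRN_IFACE, $NS and $IPADDR.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values standing in for the shell variables in the quoted rule.
EXTRN_IFACE = "eth0"
NS = "192.0.2.53"         # forwarder / upstream nameserver (constructed)
IPADDR = "198.51.100.10"  # our BIND host's external address (constructed)
ROOT_SERVER = "203.0.113.1"  # stand-in for a root nameserver (constructed)

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag, what ipchains -y / ! -y tests

@dataclass(frozen=True)
class Rule:
    """Subset of an ipchains input rule: -i, -p, [!] -y, -s host port, -d host port."""
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: Optional[bool] = None  # None: no -y test; False: "! -y"; True: "-y"

    def matches(self, p: Packet) -> bool:
        if (p.iface, p.proto, p.src, p.sport, p.dst, p.dport) != (
                self.iface, self.proto, self.src, self.sport, self.dst, self.dport):
            return False
        return self.syn is None or p.syn == self.syn

# ipchains -A input -i $EXTRN_IFACE -p tcp ! -y -s $NS 53 -d $IPADDR 53 -j ACCEPT
QUOTED_RULE = Rule(EXTRN_IFACE, "tcp", NS, 53, IPADDR, 53, syn=False)

def accepted(p: Packet, rules=(QUOTED_RULE,)) -> bool:
    """First matching rule accepts; a strict firewall denies everything else."""
    return any(r.matches(p) for r in rules)

# Constructed sample traffic arriving on the external interface
TCP_REPLY = Packet(EXTRN_IFACE, "tcp", NS, 53, IPADDR, 53)            # segment of an established connection
AXFR_SYN = Packet(EXTRN_IFACE, "tcp", NS, 53, IPADDR, 53, syn=True)   # forwarder opening a zone transfer
ROOT_UDP = Packet(EXTRN_IFACE, "udp", ROOT_SERVER, 53, IPADDR, 1025)  # root server reply to a port above 1024
```

Even with source port 53 on both ends, the SYN segment is rejected solely because of the "! -y"; the UDP reply would need its own rule allowing destination ports 1024 and above.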


