DNS ipchains named operation not permitted

James Raftery james-bind-users at now.ie
Wed Oct 24 16:25:02 UTC 2001

On Wed, Oct 24, 2001 at 06:32:21AM -0700, keith wrote:
> I have a firewall which I am working on a RedHat 6.2 box.
>  ipchains -A output -i $EXT_NET -p udp -s $IPADDR $UNPRIV_PORTS -d
> ipchains -A input -i $EXT_NET -p udp -s $EXT_NET 53 -s $IPADDR
> ipchains -A output -i $EXT_NET -p tcp -s $IPADDR $UNPRIV_PORTS -d
> ipchains -A input -i $EXT_NET -p tcp -s $EXT_NET 53 -s $IPADDR

What is ``$EXT_NET''? You have it as an interface name and a
destination address/net. Argh! Don't mangle information -- it's just

Your output chain should allow:
 source_addr: your_IP_address, source_port: >= 1024
 dest_addr: any, dest_port: 53
for both UDP and TCP.

Your input chain should allow:
 source_addr: any, source_port: 53
 dest_addr: your_IP_address, dest_port: >= 1024
for both UDP and TCP.

> Do you guys know what I can do to debug this.

Add, as the very last entries for your input and output chains:

-A input --log
-A output --log

which will log any packets not handled by any other chains -- i.e. the
dropped packets. Then you can see exactly what ipfw dropped and debug
your rules accordingly.

James Raftery (JBR54)
  "It's somewhere in the Red Hat district"  --  A network engineer's
   freudian slip when talking about Amsterdam's nightlife at RIPE 38.
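As an added illustration (not part of the original post or of ipchains itself), here is a small Python model of the two chains described in the reply above: first-match semantics, the four ACCEPT rules for queries out from ports >= 1024 to port 53 and answers back from port 53 to ports >= 1024, and the catch-all `--log` rule last, falling through to a default-deny policy. The address 192.0.2.10 and the peer addresses are constructed test values; the only ipchains behaviour assumed is that a `-l`/`--log` rule with no `-j` target logs and keeps walking the chain, and that an unmatched packet gets the chain's policy.

```python
"""First-match model of the ipchains DNS rule set described in the reply.

Added example, not from the original post. Addresses are constructed test
values. Modelled semantics: rules are tried in order, the first matching rule
with a target decides, a -l/--log rule with no target logs and falls through,
and a packet that matches nothing gets the chain's policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]            # inclusive low, high
ANY_PORTS: PortRange = (0, 65535)
UNPRIV_PORTS: PortRange = (1024, 65535)
DNS: PortRange = (53, 53)

MY_IP = "192.0.2.10"                   # constructed: the firewall/named host


@dataclass(frozen=True)
class Packet:
    proto: str                         # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: Optional[str] = None        # None matches any protocol
    src: Optional[str] = None          # None matches any address
    sport: PortRange = ANY_PORTS
    dst: Optional[str] = None
    dport: PortRange = ANY_PORTS
    target: Optional[str] = None       # "ACCEPT"/"DENY"; None = no -j, keep walking
    log: bool = False                  # ipchains -l / --log

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and self.sport[0] <= p.sport <= self.sport[1]
                and (self.dst is None or self.dst == p.dst)
                and self.dport[0] <= p.dport <= self.dport[1])


def walk(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, bool]:
    """Return (verdict, logged) for packet p against a chain with the given policy."""
    logged = False
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.log:
            logged = True
        if rule.target is not None:
            return rule.target, logged
    return policy, logged               # fell off the end: chain policy applies


# The reply's recommendation: queries out from >=1024 to port 53, answers back
# from port 53 to >=1024, both protocols, then a catch-all log rule last.
OUTPUT_CHAIN = [
    Rule(proto="udp", src=MY_IP, sport=UNPRIV_PORTS, dport=DNS, target="ACCEPT"),
    Rule(proto="tcp", src=MY_IP, sport=UNPRIV_PORTS, dport=DNS, target="ACCEPT"),
    Rule(log=True),                    # ipchains -A output --log
]
INPUT_CHAIN = [
    Rule(proto="udp", sport=DNS, dst=MY_IP, dport=UNPRIV_PORTS, target="ACCEPT"),
    Rule(proto="tcp", sport=DNS, dst=MY_IP, dport=UNPRIV_PORTS, target="ACCEPT"),
    Rule(log=True),                    # ipchains -A input --log
]
POLICY = "DENY"                        # default-deny on both chains


def outbound(p: Packet) -> Tuple[str, bool]:
    return walk(OUTPUT_CHAIN, POLICY, p)


def inbound(p: Packet) -> Tuple[str, bool]:
    return walk(INPUT_CHAIN, POLICY, p)


if __name__ == "__main__":
    resolver = "198.51.100.53"          # constructed upstream server
    query = Packet("udp", MY_IP, 40000, resolver, 53)
    reply = Packet("udp", resolver, 53, MY_IP, 40000)
    print("query  ->", outbound(query))  # ('ACCEPT', False)
    print("reply  <-", inbound(reply))   # ('ACCEPT', False)
    # A server configured with "query-source port 53" sends from port 53:
    # no ACCEPT rule matches, so the packet is logged and then hits the policy.
    from53 = Packet("udp", MY_IP, 53, resolver, 53)
    print("port53 ->", outbound(from53))  # ('DENY', True)
    # Stateless caveat: anything with source port 53 reaches every unprivileged port.
    stray = Packet("udp", "203.0.113.7", 53, MY_IP, 31337)
    print("stray  <-", inbound(stray))   # ('ACCEPT', False)
```

Two things the model makes visible that the rule list alone does not: a named configured with `query-source port 53` sends its queries from a privileged port, matches none of the ACCEPT rules, and shows up only in the trailing `--log` rule before being denied (exactly the "operation not permitted" case the log rule is meant to surface); and because ipchains is stateless, any packet with source port 53 is accepted to every port >= 1024 on the host, not only to the port a query actually left from.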
