On Tue, 2003-08-05 at 06:01, Franck BAREL wrote:
> Hello,
> I have my primary DNS on my firewall.
> The secondary DNS, which comes in via net, can read the config.
Can or cannot?
> In syslog, I have
> Aug 5 14:59:16 net1 kernel: Shorewall:net2all:REJECT:IN=ppp0 OUT= MAC= SRC=81.56.80.49 DST=81.56.192.113 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=55985 DF PROTO=TCP SPT=3568 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
That message indicates that 81.56.80.49 is trying to connect on TCP port
445; that isn't DNS but rather is Microsoft's Directory Service used on
Win2k and WinXP. If you actually have software running on your firewall
that listens on that port, you can enable it via:
ACCEPT net fw tcp 445
> What rule must I add to make it work?
If you are running a DNS server on your firewall, you want these rules
for the net zone:
ACCEPT net fw udp 53
ACCEPT net fw tcp 53
ACCEPT fw net udp 53
ACCEPT fw net tcp 53
Be sure that your DNS server is configured to only allow zone transfers
to your secondary server.
As a final comment, all of the information that I have given you in this
post is readily available in the Shorewall documentation.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
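The closing advice, to allow zone transfers only to the secondary, is where the "secondary can read the config" concern actually gets addressed: an AXFR handed out to anyone enumerates every name in the zone. The post does not say which DNS server is in use; the fragment below is an added example in BIND named.conf syntax (not from the thread), with the secondary's address 192.0.2.53 and the zone name as assumptions, showing the weak setting beside the corrected one.

```conf
// Weak: any host on the internet may pull the whole zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Corrected: only the secondary (assumed address 192.0.2.53) may transfer;
// ordinary queries from everyone else are unaffected.
acl secondaries { 192.0.2.53; };
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
    also-notify { 192.0.2.53; };
};
```

To confirm the restriction from a host that is not the secondary, request a transfer explicitly with `dig @<primary> example.com AXFR`; a correctly restricted primary answers with a transfer failure rather than the zone contents. Address-based ACLs can be defeated by source-address spoofing on UDP, but AXFR runs over TCP, which is why the TCP/53 rules in the reply matter for the secondary; a TSIG key on the transfer is the stronger option if the server supports it.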
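The reply above turns on two things: reading the Shorewall log line to see which protocol and port were actually rejected, and then writing rules in the /etc/shorewall/rules column order (ACTION SOURCE DEST PROTO DEST PORT(S)) that cover the traffic you mean to allow. The following Python script is an added example, not code from the thread or from the Shorewall project: it parses netfilter-style Shorewall log lines, parses a rules fragment in that column order, and reports which logged packets the rules would accept. The log sample is constructed (the first line is the one quoted in the thread; the two DNS lines use the documentation address 192.0.2.10), and the zone handling is a simplification of Shorewall's real matching (no address qualifiers, no policies, no port ranges).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log in Shorewall/netfilter format. The first line is the one quoted
# in the thread (a REJECT on TCP/445); the other two are made-up DNS attempts from the
# documentation address 192.0.2.10 so that the example runs offline.
SAMPLE_LOG = """\
Aug 5 14:59:16 net1 kernel: Shorewall:net2all:REJECT:IN=ppp0 OUT= MAC= SRC=81.56.80.49 DST=81.56.192.113 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=55985 DF PROTO=TCP SPT=3568 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 5 15:02:41 net1 kernel: Shorewall:net2all:REJECT:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=81.56.192.113 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=40000 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 5 15:02:42 net1 kernel: Shorewall:net2all:REJECT:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=81.56.192.113 LEN=72 TOS=0x00 PREC=0x00 TTL=60 ID=2 DF PROTO=UDP SPT=40001 DPT=53 LEN=52
"""

# The DNS rules recommended in the reply, in /etc/shorewall/rules column order.
DNS_RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT  net    fw   udp   53
ACCEPT  net    fw   tcp   53
ACCEPT  fw     net  udp   53
ACCEPT  fw     net  tcp   53
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"\b(\w+)=(\S*)")   # netfilter KEY=value tokens; bare flags (DF, SYN) are skipped


@dataclass(frozen=True)
class Packet:
    chain: str
    disposition: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str            # lower-case, e.g. "tcp"
    dport: Optional[int]  # None for protocols without ports


def parse_log_line(line: str) -> Optional[Packet]:
    """Parse one Shorewall kernel log line; returns None for lines that are not Shorewall logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    f: Dict[str, str] = dict(KV_RE.findall(m.group("rest")))
    # Shorewall names its policy chains "<src>2<dst>", so "net2all" means the packet came
    # from the net zone. An empty OUT= means the packet was addressed to the firewall
    # itself, i.e. the fw zone (simplification: no address-based zone lookup here).
    parts = m.group("chain").split("2", 1)
    src_zone = parts[0]
    dst_zone = "fw" if not f.get("OUT") else (parts[1] if len(parts) > 1 else "?")
    dport = int(f["DPT"]) if "DPT" in f else None
    return Packet(m.group("chain"), m.group("disposition"), src_zone, dst_zone,
                  f.get("SRC", ""), f.get("DST", ""), f.get("PROTO", "").lower(), dport)


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str                   # "tcp", "udp" or "-" for any protocol
    dports: Optional[frozenset]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.source == p.src_zone
                and self.dest == p.dst_zone
                and self.proto in ("-", p.proto)
                and (self.dports is None or p.dport in self.dports))


def parse_rules(text: str) -> List[Rule]:
    """Parse ACTION SOURCE DEST PROTO DEST-PORT(S) lines; '#' comments and blank lines are ignored."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        while len(cols) < 5:          # missing trailing columns mean "any" in Shorewall
            cols.append("-")
        action, source, dest, proto, ports = cols[:5]
        dports = None if ports == "-" else frozenset(int(x) for x in ports.split(","))
        rules.append(Rule(action.upper(), source, dest, proto.lower(), dports))
    return rules


def first_match(p: Packet, rules: List[Rule]) -> Optional[Rule]:
    """Shorewall evaluates rules in file order; the first match wins."""
    for r in rules:
        if r.matches(p):
            return r
    return None


def audit(log_text: str, rules_text: str) -> List[Tuple[str, str, Optional[int], Optional[str]]]:
    """For each logged packet: (src, proto, dport, action of the first matching rule, or None)."""
    rules = parse_rules(rules_text)
    result = []
    for line in log_text.splitlines():
        p = parse_log_line(line)
        if p is not None:
            r = first_match(p, rules)
            result.append((p.src, p.proto, p.dport, r.action if r else None))
    return result


if __name__ == "__main__":
    for src, proto, dport, action in audit(SAMPLE_LOG, DNS_RULES):
        print(f"{src:>15} {proto}/{dport}: {'not covered by any rule' if action is None else action}")
```

Run against the sample, the TCP/445 packet is reported as not covered by the DNS rules while both port-53 packets would be accepted, which is the point of the reply: the logged packet was never DNS, and the DNS rules alone will not (and should not) make it go away.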