Am trying to debug my RULES file. At this point I can DIG from an SSH connection to the internal address of the FW. I can't DIG from anywhere else on the internal LAN.

Can someone tell me what port(s) and protocol(s) DIG uses? Somehow I've got it enabled from FW to the NET but not from LOC to NET.

If I can understand what the diff is here I'm hoping I can unroll the other connection problems I have created.

TY.
> Am trying to debug my RULES file. At this point I can DIG from an SSH
> connection to the internal address of the FW. I can't DIG from anywhere
> else on the internal LAN.
>
> Can someone tell me what port(s) and protocol(s) DIG uses? Somehow I've
> got it enabled from FW to the NET but not from LOC to NET.
>
> If I can understand what the diff is here I'm hoping I can unroll the
> other connection problems I have created.

dig as a DNS client uses port 53 (domain). At least udp is required --
not too sure about tcp.

karsten

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
On 09 May 2003 22:12:16 +0200, kb <kb@bluehash.de> wrote:

> dig as a DNS client uses port 53 (domain). At least udp is required --
> not too sure about tcp.

For most DNS queries, UDP is all that is required. If the response is too large to fit in a single UDP packet, then fall back to TCP occurs.

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,      \ http://www.shorewall.net
Washington USA   \ teastep@shorewall.net
> > dig as a DNS client uses port 53 (domain). At least udp is required --
> > not too sure about tcp.
>
> For most DNS queries, UDP is all that is required. If the response is too
> large to fit in a single UDP packet, then fall back to TCP occurs.

Tom, that's exactly what you state at http://shorewall.net/ports.htm -- but you also say "If you are configuring a DNS client, you will probably want to open TCP Port 53 as well."

So I wonder if tcp is needed always, as dig is a DNS client.

TIA for sharing your great knowledge with me...

karsten

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!