Raymond Lo wrote:
> Hi,
>
> After I installed the shorewall, my Linux box cannot perform name
> resolution. I can ping Yahoo's IP address but not www.yahoo.com. Well, the
> funny thing is I am able to perform name resolution behind the NAT, ping
> www.yahoo.com from my laptop.
>
> Attached is a log file from my linux box, can anyone shed some light?
>
> My external interface IP : 24.100.82.68
> DNS: 24.153.23.66 & 24.153.22.195
I don't know why those last few entries in your log are different, but it
seems clear that you are allowing DNS traffic from loc to net, but not from
fw to net. You'll need to put in some rules for it. Here are the ones I
use:
# DNS client
ACCEPT fw net tcp domain        # domain transfer
ACCEPT fw loc tcp domain
ACCEPT fw net udp domain        # normal request
ACCEPT fw loc udp domain
ACCEPT fw loc udp - domain      # reply
ACCEPT net fw udp - domain
Note the end-of-line comments require shorewall 1.2.4 or later.
Regards,
Paul
http://paulgear.webhop.net
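As an added illustration of the diagnosis in this reply (not code from the thread or from the Shorewall project), the script below checks a Shorewall 1.x style rules file for the fw-to-net DNS rules that were missing on Raymond's box. The two rules files are constructed samples, and the helper functions are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example: detect a rules file that lets loc reach DNS on net but
# leaves the firewall itself (fw) without DNS rules. Constructed sample data.

# Constructed "broken" rules file: mirrors the situation in the question,
# loc -> net DNS allowed, nothing for fw -> net.
RULES_BROKEN=$(mktemp)
cat > "$RULES_BROKEN" <<'EOF'
# ACTION SOURCE DEST PROTO DEST_PORT
ACCEPT loc net udp domain
ACCEPT loc net tcp domain
EOF

# Constructed "fixed" rules file: same, plus the fw -> net rules from the reply.
RULES_FIXED=$(mktemp)
cat > "$RULES_FIXED" <<'EOF'
ACCEPT loc net udp domain
ACCEPT loc net tcp domain
ACCEPT fw net tcp domain   # domain transfer
ACCEPT fw net udp domain   # normal request
EOF
trap 'rm -f "$RULES_BROKEN" "$RULES_FIXED"' EXIT

# has_dns_rule FILE SOURCE DEST PROTO
# Succeeds when FILE holds an ACCEPT rule SOURCE -> DEST for PROTO whose
# destination port (column 5) is "domain". End-of-line comments are stripped
# first, since they are part of the format from shorewall 1.2.4 on.
has_dns_rule() {
    sed 's/#.*//' "$1" | awk -v s="$2" -v d="$3" -v p="$4" '
        $1 == "ACCEPT" && $2 == s && $3 == d && $4 == p && $5 == "domain" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# dns_from_fw_ok FILE
# Prints "ok" when both udp and tcp fw -> net DNS rules are present;
# otherwise lists the missing protocols and returns 1.
dns_from_fw_ok() {
    missing=""
    for proto in udp tcp; do
        has_dns_rule "$1" fw net "$proto" || missing="$missing $proto"
    done
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing fw->net DNS rules for:$missing"
    return 1
}
```

Run it against the real /etc/shorewall/rules instead of the sample files to confirm the firewall host itself, and not only the LAN behind it, is allowed to reach the resolvers.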