LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 12-06-2003, 05:30 PM   #1
countcobolt
LQ Newbie
 
Registered: Nov 2002
Location: Belgium
Distribution: Slackware
Posts: 25

Rep: Reputation: 15
DNS reply port for firewall


Hi guys (and girls if any)
I am trying to build a system to be used as firewall/webserver. There is no DMZ needed, nor local network , as this is going to be the only server (and PC) connected to the internet.
I am searching what ports need to be open, so i can have a reply from the dns when pinging.
Example
when I ping on my local network to 192.168.0.72
it returns very well
when I ping to warlord.zeno.kot (which is 192.168.0.72) I get
unknown host warlord.zeno.kot
which ports need to be open
I have opened 53 and 1038, but that don't seem to be the right ones. Hope someone can help me.
thx
Steve aka Countcobolt
 
Old 12-06-2003, 05:37 PM   #2
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232Reputation: 232Reputation: 232
Do you block all exept 53 and 1038, in and out? If so, probably the answer dosn't come back (you send it using a port obove 1024, but you don't know which one will be used). I think it's a good idea to block all below 1024 (without the ones you need), but not those above. In a server configuration nothing listens using it, so it's not a big problem.
 
Old 12-06-2003, 05:45 PM   #3
countcobolt
LQ Newbie
 
Registered: Nov 2002
Location: Belgium
Distribution: Slackware
Posts: 25

Original Poster
Rep: Reputation: 15
so I need to drop all ports from 0 -> 1024 and open everything else above?
And I start off with blocking tcp totally , so I will only need to do this for UDP or also for TCP?
been reading something about ICMP.
The end system should be a system whom replies to as less as possible
thx in advance
 
Old 12-06-2003, 06:13 PM   #4
jcookeman
Member
 
Registered: Jul 2003
Location: London, UK
Distribution: FreeBSD, OpenSuse, Ubuntu, RHEL
Posts: 417

Rep: Reputation: 33
Please describe your configuration. Are you using a cable/dsl router? warlord.zeno.kot is not FQDN.

ICMP does not use TCP or UDP ports. It's a layer 3 protocol.
 
Old 12-06-2003, 06:24 PM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 75
The problem is DNS resolution. Do not thing about it as a ping problem, because DNS is separate from ping. In fact, DNS is an application protocol that runs on top of the UDP and TCP network protocols, ping is only a tool that uses a small subset of the ICMP network layer protocol.

For DNS to work (i.e. outbound queries) you don't need any (inbound) ports open at all, but you must be able to open high (> 1023) ports to make requests (and if you're running named on that machine, you also need to allow port 53 to make outbound connections, since named usually is configured to send requests from this port). Your firewall must also be "stateful" (conntrack for iptables) so that it will remember the outbound requests and allow the corresponding reply.

Now further, it's entirely possible this is not even a DNS problem caused by firewall interferrence. In /etc/resolv.conf, what nameservers do you have listed? If you're using your ISPs nameservers only, they are not going to find "warlord.zeno.kot" because .KOT is not a valid gTLD (and even if it was, there is no authoritative nameserver for that zone).

You need your /etc/resolv.conf to point to a nameserver that has a zone configured for zeno.kot. As an alternative, you could place the line
192.168.0.72 warlord.zeno.kot warlord
In your /etc/hosts file and it would resolve fine (as long as /etc/host.conf lists "file" before "bind").

If you want to allow DNS requests to a server that has a firewall (note: I said TO, not FROM) then you need to open 53/UDP and 53/TCP (yes, BOTH--even if you're not allowing axfr/ixfr) for incoming connections.
 
Old 12-07-2003, 03:50 AM   #6
countcobolt
LQ Newbie
 
Registered: Nov 2002
Location: Belgium
Distribution: Slackware
Posts: 25

Original Poster
Rep: Reputation: 15
I have internal DNS running on another machine in the internal .kot network.
Thx for the advice, first going to do some more thesis work and then I'll be checking this solution
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
DNS not responding plz reply nitin34847 Linux - Networking 3 05-23-2004 02:36 PM
Microsoft ISA Firewall Returns Port Scan Warnings From Linux BIND DNS Servers. ramram29 Linux - Security 4 01-26-2004 10:09 PM
telnet to port 25 connects but without reply? Pcghost Linux - Networking 13 01-19-2004 10:03 PM
post reply & submit reply buttons annehoog LQ Suggestions & Feedback 10 01-05-2004 06:43 PM
DNS in DMZ, no reply Ql34rner Linux - Networking 4 12-15-2003 09:43 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:13 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration