Hi guys (and girls if any)
I am trying to build a system to be used as firewall/webserver. There is no DMZ needed, nor local network , as this is going to be the only server (and PC) connected to the internet.
I am searching what ports need to be open, so I can have a reply from the DNS when pinging.
Example
when I ping on my local network to 192.168.0.72
it returns very well
when I ping to warlord.zeno.kot (which is 192.168.0.72) I get
unknown host warlord.zeno.kot
Which ports need to be open?
I have opened 53 and 1038, but those don't seem to be the right ones. Hope someone can help me.
thx
Steve aka Countcobolt
Do you block all except 53 and 1038, in and out? If so, probably the answer doesn't come back (you send it using a port above 1024, but you don't know which one will be used). I think it's a good idea to block all below 1024 (without the ones you need), but not those above. In a server configuration nothing listens using it, so it's not a big problem.
so I need to drop all ports from 0 -> 1024 and open everything else above?
And I start off with blocking tcp totally , so I will only need to do this for UDP or also for TCP?
been reading something about ICMP.
The end system should be a system which replies to as little as possible.
thx in advance
The problem is DNS resolution. Do not think about it as a ping problem, because DNS is separate from ping. In fact, DNS is an application protocol that runs on top of the UDP and TCP network protocols; ping is only a tool that uses a small subset of the ICMP network layer protocol.
For DNS to work (i.e. outbound queries) you don't need any (inbound) ports open at all, but you must be able to open high (> 1023) ports to make requests (and if you're running named on that machine, you also need to allow port 53 to make outbound connections, since named usually is configured to send requests from this port). Your firewall must also be "stateful" (conntrack for iptables) so that it will remember the outbound requests and allow the corresponding reply.
Now further, it's entirely possible this is not even a DNS problem caused by firewall interference. In /etc/resolv.conf, what nameservers do you have listed? If you're using your ISP's nameservers only, they are not going to find "warlord.zeno.kot" because .KOT is not a valid gTLD (and even if it was, there is no authoritative nameserver for that zone).
You need your /etc/resolv.conf to point to a nameserver that has a zone configured for zeno.kot. As an alternative, you could place the line
192.168.0.72 warlord.zeno.kot warlord
In your /etc/hosts file and it would resolve fine (as long as /etc/host.conf lists "file" before "bind").
If you want to allow DNS requests to a server that has a firewall (note: I said TO, not FROM) then you need to open 53/UDP and 53/TCP (yes, BOTH--even if you're not allowing axfr/ixfr) for incoming connections.
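The stateful ruleset the reply above describes, written out as an added example (this is not a script posted in the thread): default-deny in both directions, conntrack letting replies back in on whatever ephemeral port the kernel chose (so 1038 never needs opening by hand), outbound 53/udp and 53/tcp to the resolver, inbound 53 on both transports only when the host itself serves DNS, and ICMP echo handled separately from DNS. Assumed names: `eth0` as the Internet-facing interface, `192.168.0.72` as the resolver (the address from the thread), ports 80/443 for the web server, and the `SERVE_DNS`, `count_dns_rules` and `--apply` knobs, which are this example's own inventions.

```shell
#!/bin/sh
# Added example, not from the thread. Minimal stateful iptables ruleset for a
# single-homed firewall/webserver with no LAN behind it.
# Assumptions (all of these are choices made for this example):
#   WAN_IF   - Internet-facing interface, eth0 by default
#   RESOLVER - the nameserver we query, 192.168.0.72 as in the thread
#   SERVE_DNS - "yes" only if named runs on this host and must accept queries
# Set IPT="echo iptables" to print the rules instead of loading them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
RESOLVER="${RESOLVER:-192.168.0.72}"
SERVE_DNS="${SERVE_DNS:-no}"

firewall_rules() {
    # Clean slate, default-deny on every chain (FORWARD too: no LAN, nothing routed).
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback must always work (a local resolver or web app talking to itself).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies to anything this host initiated are accepted,
    # whatever high port (1038 or any other) the kernel picked for the query.
    # ICMP errors tied to a tracked flow come back as RELATED.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound DNS to the resolver: 53/udp for normal lookups, 53/tcp for
    # answers too large for UDP (the resolver library retries truncated replies over TCP).
    $IPT -A OUTPUT -o "$WAN_IF" -p udp -d "$RESOLVER" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -d "$RESOLVER" --dport 53 -m state --state NEW -j ACCEPT

    # Inbound service ports for the web server.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 443 -m state --state NEW -j ACCEPT

    # Only when this host answers DNS itself: queries TO it need both transports open.
    if [ "$SERVE_DNS" = "yes" ]; then
        $IPT -A INPUT -i "$WAN_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    fi

    # ICMP is independent of DNS: let our own pings out (echo-reply returns as
    # ESTABLISHED) and rate-limit inbound echo-request; everything else stays dropped.
    $IPT -A OUTPUT -o "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT  -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log drops (rate-limited) so a blocked lookup is visible in the kernel log.
    $IPT -A INPUT  -m limit --limit 3/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "FW-OUT-DROP: "
}

# Dry-run sanity check: how many generated rules open port 53 on a given chain.
# Expect 2 on OUTPUT always, and 2 on INPUT only when SERVE_DNS=yes.
count_dns_rules() {
    chain="$1"
    (IPT="echo iptables"; firewall_rules) | grep -c -- "-A $chain .*--dport 53"
}

# Load the rules only when explicitly asked; sourcing or testing the file is harmless.
if [ "${1:-}" = "--apply" ]; then
    firewall_rules
fi
```

Run `sh firewall.sh` with `IPT="echo iptables"` exported to review the rules, then `sh firewall.sh --apply` as root to load them. After loading, `dig @192.168.0.72 warlord.zeno.kot` tests the DNS path on its own; if it answers but `ping warlord.zeno.kot` still says unknown host, the problem is /etc/resolv.conf or /etc/hosts, not the firewall.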
I have internal DNS running on another machine in the internal .kot network.
Thx for the advice, first going to do some more thesis work and then I'll be checking this solution