Date: Tue, 13 Mar 2001 15:47:08 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
To: Peter Brezny <peter@black.purplecat.net>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: problem with secondary dns update through ipfw firewall
Message-ID: <Pine.BSF.4.21.0103131539180.11657-100000@cody.jharris.com>
In-Reply-To: <Pine.BSF.4.05.10103131533440.17531-100000@black.purplecat.net>
On Tue, 13 Mar 2001, Peter Brezny wrote:

> I've got a problem with secondary DNS servers not being able to get
> updates from my primary through its firewall.
>
> The firewall rules on the primary dns server (pertaining to dns) look
> like this. I thought I had my bases covered...
>
>
> # Allow DNS traffic from internet to query your DNS (for reverse
> # lookups etc).
> $fwcmd add allow tcp from any 53 to $ns1 53 setup
> $fwcmd add allow udp from any to $ns1 53
> $fwcmd add allow udp from $ns1 53 to any

You are only allowing the setup of the zone transfer. You need to allow
established traffic as well (tcp port 53).

$fwcmd add allow tcp from any 53 to any 53

This isn't very secure though. You can write more specific ipfw rules that
make this a little more secure.

> I've also got:
>
> query-source address 209.16.228.145 port 53;
>
> In my named.conf on the primary dns server...
>
> However when secondaries create zone files, they are blank. I get the
> feeling it's a firewall problem because, when I configure the
> secondaries to use an internal address of the primary dns server
> (which has a keep-state allow all internal rule) in my test
> environment, the updates occur as expected.

Yes, it is a firewall issue.

Nick Rogness <nick@rogness.net>
 - Keep on routing in a Free World...
  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
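As an added example from the editor, not code from either poster: an rc.firewall-style fragment that fixes the setup-only rule by keeping state for the transfer's TCP session and restricting TCP/53 to the listed secondaries, so no broad "from any 53 to any 53" rule is needed. The secondaries' addresses and the dry-run default for $fwcmd are assumptions; $ns1 is the primary's address from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. $fwcmd defaults to a dry run that only
# prints the rules; set fwcmd=/sbin/ipfw on the FreeBSD host to load them.
fwcmd="${fwcmd:-echo ipfw}"
ns1="209.16.228.145"             # primary's address, from the thread
secondaries="10.0.0.2 10.0.0.3"  # assumed: the secondaries' addresses

dns_rules() {
    # Queries over UDP, as in the original ruleset.
    $fwcmd add allow udp from any to "$ns1" 53
    $fwcmd add allow udp from "$ns1" 53 to any

    # Original rule: matched only the SYN (setup); the ACK and AXFR data
    # segments of the same TCP session matched nothing and were dropped.
    #   $fwcmd add allow tcp from any 53 to $ns1 53 setup

    # Admit segments of sessions already tracked; must precede the setup rule.
    $fwcmd add check-state

    # Zone transfers: only listed secondaries may open TCP/53 (any source
    # port); keep-state then admits the rest of that session.
    for s in $secondaries; do
        $fwcmd add allow tcp from "$s" to "$ns1" 53 setup keep-state
    done

    # Any other host's TCP/53 attempt (e.g. an AXFR probe) is logged and denied.
    $fwcmd add deny log tcp from any to "$ns1" 53
}

# Dry-run check: succeeds only when a stateful transfer rule is emitted.
rules_have_state() {
    dns_rules | grep -q 'setup keep-state'
}

dns_rules
```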