[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IPF rules
I never had to guess till now. I just entered the info in the /etc files,
make an ipf rulebase and everything worked fine.
Spectrum upgrading hardware does not help. Too many changes...
On Sat, Jul 3, 2021 at 9:31 AM Brett Lymn <blymn%internode.on.net@localhost> wrote:
> On Fri, Jul 02, 2021 at 11:12:31PM -0400, Jason Mitchell wrote:
> > I think you would only need to allow inbound connections to tcp port 53 if
> > you were running a nameserver on your machine. You would want to make sure
> > that you allow outbound connections on tcp port 53 from your nameserver in
> > any case. Are you using your own nameserver or are you using another machine
> > for name resolution?
> No you think incorrectly. It doesn't matter if you are running a name server or not, if you
> block tcp/53 going out then you break DNS, it appears to work but fails on some domains. I
> did say this:
> > > > > 2) are you sure your rules are correct? A particularly favourite
> > > > > hobby-horse of mine is people blocking DNS over tcp/53 due to the
> > > > > totally WRONG belief that only dns zone transfers use tcp/53. This is
> > > > > WRONG (did I say wrong?) - if a DNS response won't fit into a UDP packet
> > > > > then the DNS server will reply to the client telling it to try over tcp.
> > > > > If your firewall doesn't allow that to happen there may be delays in
> > > > > name resolution which could cause the appearance that gmail is slow.
> I suggest that a bit of research into DNS would save you guessing.
> > If the nameserver isn't on your computer than: "nc -w 4 -v <nameserver ip>
> > 53" will let you know if you can connect to that server on port 53. (-v =
> > verbose, -w 4 = 4 second timeout so you don't wait forever). If there's a
> > network problem the connection will timeout or you'll get an error. Here are
> > examples:
> Yes, this would be good to try.
> > And I use mail.google.com somewhat often and it goes to the same place as
> > gmail.com.
> It didn't when I last looked, they must have relented on that sometime.
> Brett Lymn
> Sent from my NetBSD device.
> "We are were wolves",
> "You mean werewolves?",
> "No we were wolves, now we are something else entirely",
Main Index |
Thread Index |