Regards
Marcel Malin
Usually it's either a problem with the master server or the network. When
the slave tried to query the master server to get the SOA record, it didn't
get a response. It could be because the master is down, it could be due to
a firewall blocking DNS packets from the slave to the master, or blocking
the responses going back to the slave. It could be because a network
connection along the way is down. Anything you can imagine that would
prevent a DNS query/response from succeeding could be the cause.
--
Barry Margolin, bar...@genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
/sbin/ipchains -A input -i eth0 -s ! 192.168.0.254 1024:65535 -d 194.208.60.10 53 -p ! icmp -j ACCEPT
/sbin/ipchains -A output -i eth0 -s 194.208.60.10 53 -d ! 192.168.0.254 1024:65535 -p ! icmp -j ACCEPT
eth0 is the external NIC (IP 194.208.60.10); the internal IP is
192.168.0.254. It should allow TCP and UDP packets....
Cheers
Marcel Malin
"Barry Margolin" <bar...@genuity.net> wrote in message
news:9vdmam$k...@pub3.rc.vix.com...
OK, let's analyze these two.
(1) Add a rule to the "input" chain, matching packets traversing on
eth0 with a source address not equal to 192.168.0.254, but with a
source port in the range 1024 thru 65535, and a destination address of
194.208.60.10 on port 53, on protocols other than ICMP, and accept
packets matching the rule.
(2) Add a rule to the "output" chain, matching packets traversing on
eth0 with a source address of 194.208.60.10 on port 53, and a
destination address not equal to 192.168.0.254, but with a destination
port of 1024 thru 65535, on protocols other than ICMP, and let those
packets through.
What are you trying to accomplish with these two? They seem like a
mess to me - why not just do it the simple way and allow TCP and UDP
traffic to/from port 53 on the remote name server?
Also remember that IP spoofing with UDP is extremely trivial.
Michael Kjörling
On Dec 18 2001 12:21 +0100, Marcel Malin wrote:
> There is an IPchains script running on the DNS server. Is there something
> wrong with the script?
>
> /sbin/ipchains -A input -i eth0 -s ! 192.168.0.254 1024:65535 -d 194.208.60.10 53 -p ! icmp -j ACCEPT
> /sbin/ipchains -A output -i eth0 -s 194.208.60.10 53 -d ! 192.168.0.254 1024:65535 -p ! icmp -j ACCEPT
>
> eth0 is the external NIC (IP 194.208.60.10); the internal IP is
> 192.168.0.254. It should allow TCP and UDP packets....
>
>
> Cheers
>
> Marcel Malin
--
Michael Kjörling -- Programmer/Network administrator ^..^
Internet: mic...@kjorling.com -- FidoNet: 2:204/254.4 \/
PGP: 95f1 074d 336d f8f0 f297 6a5b 2aa3 7bfd 8a70 e33e
"There is something to be said about not trying to be glamorous
and popular and cool. Just be real -- and life will be real."
(Joyce Sequichie Hifler, September 13 2001, www.hifler.com)
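
Added example, not part of the thread: a small Python model of the two posted rules, following the reading given in the analysis above, applied to constructed packets to show which DNS flows on eth0 they match. The remote address 198.51.100.53 and all sample packets are assumptions; a packet that matches neither rule falls through to whatever rules or chain policy follow, which the thread does not show.

```python
# Model of the two posted ipchains rules, following the reading given in the
# reply above. Addresses other than 194.208.60.10 / 192.168.0.254 are
# constructed sample values (198.51.100.53 stands in for a remote name server).
from collections import namedtuple

Packet = namedtuple("Packet", "chain iface proto src sport dst dport")
Rule = namedtuple("Rule", "chain iface src sports dst dports not_proto")

def addr(spec):
    """Parse 'a.b.c.d' or '! a.b.c.d' into (negated, address)."""
    neg = spec.startswith("!")
    return neg, spec.lstrip("! ")

def addr_ok(spec, value):
    neg, a = addr(spec)
    return (value == a) != neg

def port_ok(spec, port):
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

RULES = [
    Rule("input", "eth0", "! 192.168.0.254", "1024:65535", "194.208.60.10", "53", "icmp"),
    Rule("output", "eth0", "194.208.60.10", "53", "! 192.168.0.254", "1024:65535", "icmp"),
]

def accepted(pkt, rules=RULES):
    """True if some rule ACCEPTs pkt; False means it falls through to
    whatever follows in the chain (not shown in the thread)."""
    return any(
        r.chain == pkt.chain and r.iface == pkt.iface
        and pkt.proto != r.not_proto
        and addr_ok(r.src, pkt.src) and port_ok(r.sports, pkt.sport)
        and addr_ok(r.dst, pkt.dst) and port_ok(r.dports, pkt.dport)
        for r in rules)

ME, REMOTE = "194.208.60.10", "198.51.100.53"
SAMPLES = {  # constructed packets as seen on eth0 of the host running the script
    "client query in (high port -> 53)": Packet("input", "eth0", "udp", REMOTE, 40000, ME, 53),
    "our reply out (53 -> high port)": Packet("output", "eth0", "udp", ME, 53, REMOTE, 40000),
    "server-to-server query in (53 -> 53)": Packet("input", "eth0", "udp", REMOTE, 53, ME, 53),
    "our SOA query out (high port -> 53)": Packet("output", "eth0", "udp", ME, 40000, REMOTE, 53),
    "remote reply in (53 -> high port)": Packet("input", "eth0", "udp", REMOTE, 53, ME, 40000),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{'ACCEPT' if accepted(pkt) else 'no match':9} {label}")
```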