Kevin Bailey wrote:
> how many users are on this list roughly? - and how many are from Plymouth?

Loads - I let Chas ponder the numbers.

"From Plymouth" - I fear rather more are "from" Plymouth than are currently at Plymouth. But the group started at Plymouth Uni, so a fair proportion are at Plymouth, but some have graduated (well, they claimed they graduated, but we never saw any certificates).

> what I'd like to know is this:
> are we a very few who have 'seen a better way' - or is there a huge Linux
> community beavering away at honing the OS and apps, waiting for our time?

The community is huge. I'm not sure the South West is a hotbed of open source development, but as I discover darker corners more come out of the woodwork. To be honest, location isn't that important any more, until you want to see a human being (or your network link is bust).

> on a more technical note - could anyone give me some advice on the best
> ipchains settings for a server which is running the squid proxy server. what
> is the best way to allow the DNS servers to return their result? my current
> setup is that all IP packets are DENY'd - and I only allow in packets which I
> need - but I seem to be getting a lot of packets trying to get in with
> different destination port numbers.

Okay, DNS is one of those things I do.

First, understand DNS servers listen on port 53. Old DNS servers asked questions on port 53 as well as answered them on 53. New servers ask questions from the anonymous port range (>1023) and answer them on 53 (of course).

So questions go out dnsserver:>1023 to any:53

If incoming queries, they do any:any to dnsserver:53

Thus if running a caching DNS only (i.e. not hosting Internet-visible DNS records) you can block incoming to all ports less than 1024, UDP and TCP (well, maybe mail and stuff is still needed).

SQUID I assume also uses the anonymous port range when passing on requests.

I always recommend BIND9 with chroot (dead easy in BIND9).
If you run this on the proxy, then it can answer questions for other internal servers, or perhaps the other internal servers don't need DNS.

BIND can use listen-on to only listen on appropriate interfaces; unless you run a DNS server there is usually no reason to listen on the Internet interface, so drop in:

listen-on { 127.0.0.1; 192.168.12.12; };

to only listen on port 53 on private (and loopback) interfaces. Just in case you get the ipchains rules wrong !!!!

Similarly, the BIND 9 rndc control channel should listen on 127.0.0.1 only in most cases - but I think that's the default; I always code it just in case.

If you choose to forward queries to your ISP's DNS servers, faster but less reliable, then you can restrict the ipchains rules to....

dnsserver:>1023 to ISPDNSserver(s):53

Remember DNS uses TCP and UDP; some people seem to be under the misapprehension that TCP is not needed. At least one OS had a TCP-only resolver.....

Hope that helps - a certain amount of lost DNS packets, and worms probing your port 53, is to be expected.

BIND versions prior to 8.2.3 have known security issues - don't run them, and a few worms are still crawling around.

Get stuck - drop us an e-mail.

Do get the dshield ipchains log submission script from www.dshield.org and join the war on scanners, worms and other vermin.....

If still unsure, post the "suspect" ipchains log entries and we'll make a guess at what they are doing.....

HTH

Simon

--
Are you using the Internet to best effect ? www.eighth-layer.com
Tel: +44(0)1395 232769 ICQ: 116952768
Moderated discussion of teleworking at news:uk.business.telework

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list"
in the message body to unsubscribe.
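The port pattern Simon describes (queries out from >1023 to the forwarder's port 53, replies back the other way, everything else below 1024 denied), written out as an ipchains ruleset. This is an added example, not code from the post; it assumes ipchains 1.x syntax and an Internet interface named eth0, and the addresses in it are constructed. By default it only prints the commands; set IPCHAINS to the real binary to load them.

```shell
#!/bin/sh
# Added example (not from the original post): ipchains rules for a caching /
# forwarding resolver behind a default-DENY input chain, following the
# port pattern in the message above:
#   outbound query : me:>1023      -> forwarder:53   (UDP and TCP)
#   inbound reply  : forwarder:53  -> me:>1023       (TCP: non-SYN only)
#   anything else arriving on a privileged port (<1024) is denied and logged.
# Assumptions (constructed): Internet interface eth0, ipchains 1.x syntax.
# Dry run by default; set IPCHAINS=/sbin/ipchains to actually load the rules.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IF="${EXT_IF:-eth0}"

dns_rules() {
    # $1 = this host's Internet-facing address, $2.. = ISP DNS servers (forwarders)
    me="$1"; shift
    for srv in "$@"; do
        for proto in udp tcp; do
            if [ "$proto" = tcp ]; then
                syn='! -y'    # replies only: a SYN coming from port 53 is not a reply
            else
                syn=''
            fi
            $IPCHAINS -A output -i "$EXT_IF" -p "$proto" \
                -s "$me" 1024:65535 -d "$srv" 53 -j ACCEPT
            $IPCHAINS -A input -i "$EXT_IF" -p "$proto" $syn \
                -s "$srv" 53 -d "$me" 1024:65535 -j ACCEPT
        done
    done
    # A resolver that only forwards never needs anything below 1024 from outside;
    # -l logs the hits so the "suspect" entries can be examined (or sent to dshield).
    $IPCHAINS -A input -i "$EXT_IF" -p udp -d "$me" 0:1023 -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p tcp -d "$me" 0:1023 -j DENY -l
}

# Constructed sample: our address plus two ISP forwarders (documentation ranges).
dns_rules 203.0.113.5 198.51.100.1 198.51.100.2
```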