[lug] logger entry for punching hole for nameserver

John Hernandez John.Hernandez at noaa.gov
Thu Apr 26 09:42:29 MDT 2001


I *think* I can explain this.  If it's Redhat 7.1 and you specified a firewall at install time, it enables the rules found in /etc/sysconfig/ipchains.  A comment in that file says:

# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.

I interpret this to mean that it parses your /etc/resolv.conf and adds rules to allow UDP replies from port 53 on those servers.

You can run 'ipchains -L -n' as root to see those rules.

-John

Nate Duehr wrote:
> 
> On Mon, Apr 23, 2001 at 10:35:00PM -0500, charles at lunarmedia.net wrote:
> > logger: punching nameserver 207.229.143.2 through the firewall
> >
> > I just recently built a box that acts as firewall of sorts/nat. It
> > receives its public address via dhcp from my cable modem provider.
> > Is this log entry normal? Why exactly is a "hole" being punched through
> > the firewall?
> > I have a default outbound policy set to ALLOW and my inbound are strict,
> > but still allow for packets with a source of tcp/udp 53.
> >
> > thanks -charles
> 
> Modern nameservers use high ports for their recursive queries to other
> nameservers, not sure if that's what this is referring to...?
> 
> BIND no longer specifically uses port 53 for queries to the roots and
> other nameservers unless you force it to with the "query-source-address"
> statement in the options.
> 
> It actually hasn't used 53 for queries for a number of versions now...
> 
> Perhaps something in your config recognizes that you have BIND installed
> and adjusts the firewall accordingly?
> 
> --
> Nate Duehr <nate at natetech.com>
> 
> GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
> Public Key available upon request, or at wwwkeys.pgp.net and others.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
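As an added example (not Red Hat's ifup-post script and not code posted in this thread), a small POSIX shell script that reads a resolv.conf the way John describes and prints, as a dry run, the ipchains rule that would admit UDP replies from port 53 on each listed nameserver; the exact rule form, the `-I input` placement and the `ifup` logger tag are assumptions, and the sample resolv.conf is constructed.

```shell
#!/bin/sh
# Added example, not the Red Hat ifup-post script: show which nameservers
# a resolv.conf would get "punched" through an ipchains firewall.
# Assumption: one rule per server admitting UDP from source port 53,
# inserted at the head of the input chain so it precedes stricter rules.

# Print the unique IPv4 nameserver addresses from a resolv.conf file.
resolv_nameservers() {
    # $1 = path to resolv.conf; comments, duplicates and IPv6 are skipped
    awk '/^[[:space:]]*#/ { next }
         $1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
             !seen[$2]++ { print $2 }' "$1"
}

# The rule that would be applied for one nameserver (assumed form).
nameserver_rule() {
    printf 'ipchains -I input -p udp -s %s 53 -j ACCEPT\n' "$1"
}

# Dry run by default: print the rules. With APPLY_RULES=1 (as root, on a
# host that still has ipchains) log and apply them like the thread's entry.
punch_nameservers() {
    # $1 = path to resolv.conf
    resolv_nameservers "$1" | while read -r ns; do
        if [ "${APPLY_RULES:-0}" = 1 ]; then
            logger -t ifup "punching nameserver $ns through the firewall"
            ipchains -I input -p udp -s "$ns" 53 -j ACCEPT
        else
            nameserver_rule "$ns"
        fi
    done
}

# Constructed sample resolv.conf (not from any real host) for a stand-alone run.
sample_resolv_conf() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# generated by dhcp client (constructed sample)
search example.net
nameserver 192.0.2.53
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver 198.51.100.2
EOF
    printf '%s\n' "$tmp"
}

f=$(sample_resolv_conf)
punch_nameservers "$f"   # dry run: prints two rules
rm -f "$f"
```

Comparing this dry-run output with `ipchains -L input -n` on the box is a quick way to confirm that only the configured nameservers have been given a hole.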


