Maintained by: NLnet Labs

[Unbound-users] Unbound and firewall

Ricardo Fraile
Thu Nov 29 17:43:24 CET 2012


Finally, I forgot this line in my firewall rules:

      iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks for all,
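Added example, not code from the thread: a small sh check that scans an iptables-save dump for the UDP state rule Ricardo had to add. The sample rulesets are constructed from the rules in the original post; the awk logic and the function name udp_replies_allowed are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Unbound sends its upstream
# queries from randomized ephemeral UDP source ports (the defence against
# Kaminsky-style cache poisoning that Ondrej refers to), so the replies
# come back to arbitrary high ports. Rather than pinning unbound to one
# port, admit those replies with a stateful rule for UDP, as the final
# message does. This script checks an iptables-save dump for that rule.

# Constructed sample (rules from the original post, minus the site subnet):
# the UDP reply rule is missing.
RULES_BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Same ruleset with the missing line inserted before the final DROP.
RULES_FIXED=$(printf '%s\n' "$RULES_BROKEN" | awk '
    /^-A INPUT -j DROP$/ { print "-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT" }
    { print }')

# udp_replies_allowed: read an iptables-save dump on stdin. Returns 0 when
# the INPUT chain ACCEPTs ESTABLISHED/RELATED traffic for UDP (a udp-specific
# rule, or a state rule with no -p at all) before the unconditional DROP,
# 1 otherwise. Use as: iptables-save | udp_replies_allowed
udp_replies_allowed() {
    awk '
        /^-A INPUT / && /--(ct)?state [A-Z,]*ESTABLISHED/ && /-j ACCEPT/ {
            if ($0 !~ /-p (tcp|icmp)/) { found = 1; exit }
        }
        /^-A INPUT -j (DROP|REJECT)/ { exit }
        END { if (found) exit 0; exit 1 }
    '
}

# Report on both samples when run directly.
if printf '%s\n' "$RULES_BROKEN" | udp_replies_allowed; then
    echo "broken ruleset: UDP replies allowed (unexpected)"
else
    echo "broken ruleset: replies to unbound's random ports would be DROPped"
fi
if printf '%s\n' "$RULES_FIXED" | udp_replies_allowed; then
    echo "fixed ruleset: UDP replies allowed"
fi
```

On a live box, `iptables-save | udp_replies_allowed` tells you whether replies to unbound's randomized source ports can get back in; the rule must precede the catch-all DROP, which the check also verifies.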
________________________________
 From: Ondřej Surý <ondrej at sury.org>
To: Ricardo Fraile <rfrail3 at yahoo.es>
CC: "unbound-users at unbound.net" <unbound-users at unbound.net>
Sent: Thursday 29 November 2012 17:35
Subject: Re: [Unbound-users] Unbound and firewall
 

You really don't want to do that. Look up and read about the Kaminsky DNS bug.

Ondřej Surý

On 29. 11. 2012, at 16:59, Ricardo Fraile <rfrail3 at yahoo.es> wrote:


>I think that unbound opens an arbitrary UDP port; how can I fix it so it always uses the same port?
>
>Active Internet connections (servers and established)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>udp        0      0 0.0.0.0:53              0.0.0.0:*                           1152/unbound
>udp        0      0 0.0.0.0:17790           0.0.0.0:*                           1152/unbound
>
>thanks,
>
>________________________________
> From: Ricardo Fraile <rfrail3 at yahoo.es>
>To: "unbound-users at unbound.net" <unbound-users at unbound.net>
>Sent: Thursday 29 November 2012 16:43
>Subject: Unbound and firewall
>
>Hello,
>
>   I tried to put iptables on the same server as unbound, but I can't do a local resolve:
>
>dig terra.es @127.0.0.1
>
>; <<>> DiG 9.7.3 <<>> terra.es @127.0.0.1
>;; global options: +cmd
>;; connection timed out; no servers could be reached
>
>with these iptables rules:
>
>:INPUT ACCEPT [0:0]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [2271:2106405]
>-A INPUT -s 30.0.0.0/8 -p tcp -j ACCEPT 
>-A INPUT -s 30.0.0.0/8 -p udp -j ACCEPT 
>-A INPUT -s 30.0.0.0/8 -p icmp -j ACCEPT 
>-A INPUT -s 127.0.0.1/32 -p udp -j ACCEPT 
>-A INPUT -s 127.0.0.1/32 -p tcp -j ACCEPT 
>-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
>-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
>-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
>-A INPUT -j DROP 
>COMMIT
>
>If I clear the firewall, everything works, but why? Which ports does unbound use for the queries?
>
>Thanks,
>