Fwd: Conntrack and DNS

No one has any idea about this?

Thanks,

Carlos Pastorino

---------- Forwarded message ----------

Hi everyone,

I have the following rules in my firewall:

$IPTABLES -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -s $MYMAILSERVER -d $DNS01 --dport domain -j ACCEPT
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -s $MYMAILSERVER -d $DNS02 --dport domain -j ACCEPT

But some response DNS packets are being dropped. Here's an example:

TCPDUMP on my mail server:

16:26:27.433734 IP (tos 0x0, ttl  64, id 47192, offset 0, flags [DF],
proto 17, length: 55) MYMAILSERVER.49372 > DNS01.domain: [udp sum ok]
9962+ AAAA? ibest.com. (27)
16:26:27.549682 IP (tos 0x0, ttl 250, id 35994, offset 0, flags [DF],
proto 17, length: 55) DNS01.domain > MYMAILSERVER.49372: [udp sum ok]
9962 ServFail q: AAAA? ibest.com. 0/0/0 (27)
16:26:27.549801 IP (tos 0x0, ttl  64, id 47308, offset 0, flags [DF],
proto 17, length: 55) MYMAILSERVER.49372 > DNS02.domain: [udp sum ok]
34474+ A? ibest.com. (27)

/var/log/messages on my firewall:

Jan  9 16:26:57 SRVA kernel: FORWARD blocked: IN=eth0 OUT=eth1
SRC=DNS02 DST=MYMAILSERVER LEN=55 TOS=0x00 PREC=0x00 TTL=250 ID=13214
DF PROTO=UDP SPT=53 DPT=49372 LEN=35

As you can see, MYMAILSERVER asks DNS01, and DNS01 responds with
ServFail. So MYMAILSERVER in turn asks DNS02, and the response is
blocked by the firewall.

Why?

Thanks,

Carlos Pastorino
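The following is an added triage script, not part of Carlos's post or of netfilter itself. It parses the tcpdump and /var/log/messages excerpts above (copied verbatim as sample input), matches the dropped reply to the outbound query with the reverse 4-tuple, and reports how long the UDP conntrack entry would have had to survive for the reply to still match ESTABLISHED. Assumptions: both captures come from the same day and roughly the same clock; the 30 s figure is the Linux default for net.netfilter.nf_conntrack_udp_timeout (the lifetime of an unreplied UDP entry); and the hostnames MYMAILSERVER, DNS01 and DNS02 are the post's own placeholders. Note that the blocked reply from DNS02 is logged 30 s after the query to DNS02 was sent, which is what the script flags.

```python
"""Correlate an iptables FORWARD drop with the tcpdump query that preceded it.

Added example, not code from the original post. Sample lines are copied from
the post; the 30 s default for nf_conntrack_udp_timeout and the shared-clock
assumption are the author's own (see lead-in).
"""
import re
from datetime import datetime

UDP_TIMEOUT_DEFAULT = 30.0    # seconds; Linux default nf_conntrack_udp_timeout
NAMED_PORTS = {"domain": 53}  # tcpdump prints service names for well-known ports

# Constructed sample input: the tcpdump lines from the post, mail-wrapped as shown.
TCPDUMP = """\
16:26:27.433734 IP (tos 0x0, ttl  64, id 47192, offset 0, flags [DF],
proto 17, length: 55) MYMAILSERVER.49372 > DNS01.domain: [udp sum ok]
9962+ AAAA? ibest.com. (27)
16:26:27.549682 IP (tos 0x0, ttl 250, id 35994, offset 0, flags [DF],
proto 17, length: 55) DNS01.domain > MYMAILSERVER.49372: [udp sum ok]
9962 ServFail q: AAAA? ibest.com. 0/0/0 (27)
16:26:27.549801 IP (tos 0x0, ttl  64, id 47308, offset 0, flags [DF],
proto 17, length: 55) MYMAILSERVER.49372 > DNS02.domain: [udp sum ok]
34474+ A? ibest.com. (27)
"""

# Constructed sample input: the kernel log line from the post, mail-wrapped.
KERNLOG = """\
Jan  9 16:26:57 SRVA kernel: FORWARD blocked: IN=eth0 OUT=eth1
SRC=DNS02 DST=MYMAILSERVER LEN=55 TOS=0x00 PREC=0x00 TTL=250 ID=13214
DF PROTO=UDP SPT=53 DPT=49372 LEN=35
"""

PKT_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP .*?\) "
    r"(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s]+): ")
LOG_START = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d ")
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<ts>\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=UDP SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)")


def _port(token):
    return NAMED_PORTS.get(token) or int(token)


def _unwrap(text, start_re):
    """Re-join records that a mail client wrapped onto continuation lines."""
    records, cur = [], None
    for line in text.splitlines():
        if start_re.match(line):
            if cur is not None:
                records.append(cur)
            cur = line.strip()
        elif cur is not None:
            cur += " " + line.strip()
    if cur is not None:
        records.append(cur)
    return records


def parse_tcpdump(text):
    """Return one dict per UDP packet: time-of-day plus the 4-tuple."""
    pkts = []
    for rec in _unwrap(text, PKT_START):
        m = PKT_RE.match(rec)
        if m:
            pkts.append({"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                         "src": m["src"], "sport": _port(m["sport"]),
                         "dst": m["dst"], "dport": _port(m["dport"])})
    return pkts


def parse_kernlog(text):
    """Return one dict per iptables LOG line for a UDP packet."""
    drops = []
    for rec in _unwrap(text, LOG_START):
        m = LOG_RE.match(rec)
        if m:
            drops.append({"ts": datetime.strptime(m["ts"], "%H:%M:%S"),
                          "src": m["src"], "sport": int(m["sport"]),
                          "dst": m["dst"], "dport": int(m["dport"])})
    return drops


def correlate(pkts, drops, udp_timeout=UDP_TIMEOUT_DEFAULT):
    """For each dropped packet, find the latest earlier packet of the reverse
    4-tuple (the query that should have created the conntrack entry) and judge
    whether the reply simply outlived the unreplied-UDP timeout."""
    results = []
    for d in drops:
        cands = [p for p in pkts
                 if p["src"] == d["dst"] and p["sport"] == d["dport"]
                 and p["dst"] == d["src"] and p["dport"] == d["sport"]
                 and p["ts"] <= d["ts"]]
        if not cands:
            results.append({"drop": d, "query": None, "elapsed": None,
                            "verdict": "no_matching_query"})
            continue
        q = max(cands, key=lambda p: p["ts"])
        elapsed = (d["ts"] - q["ts"]).total_seconds()
        # syslog timestamps have 1 s resolution, so allow 1 s of slack.
        verdict = "conntrack_timeout" if elapsed >= udp_timeout - 1.0 else "within_timeout"
        results.append({"drop": d, "query": q, "elapsed": elapsed, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in correlate(parse_tcpdump(TCPDUMP), parse_kernlog(KERNLOG)):
        d = r["drop"]
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
              f"elapsed={r['elapsed']} verdict={r['verdict']}")
```

If the verdict is conntrack_timeout, the reply reached the firewall after the unreplied UDP entry had already expired, so it arrived as NEW and fell through to the logging rule. Possible fixes, should that be the cause, are raising net.netfilter.nf_conntrack_udp_timeout (ip_conntrack_udp_timeout on older ip_conntrack kernels) or adding an explicit stateless ACCEPT for UDP source port 53 from the two resolvers; treat both as suggestions to verify on the box, not as the list's answer.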


