> > 1) run an internal DNS behind the firewall, and direct all queries at
> > that system, punch a hole through the firewall to allow that system
> > through. I do this on my network, I have a bridged FreeBSD box
> > which has a default ipfw policy of deny, then I told BIND to only
> > use UDP port 53 for all actions (makes it firewall-friendly), and
> > opened a hole in the firewall to allow requests to go to UDP/53
> > on my nameserver. You shouldn't need to allow incoming requests,
> > just outgoing; since my server is authoritative for about 45 domains
> > I need to allow incoming as well.
> > 2) Try running all of your DNS requests over TCP, using the
> > 'host' command you can do this, I am not aware of any way to get
> > the system to default to this.
> > 3) point to your proxy using its IP address, not the domain name,
> > so it doesn't have to resolve anything. Many proxy servers handle
> > all DNS resolution as well, so if you're using a proxy your system
> > doesn't need to know what debian.org or whatever resolves to.
> >
> > #3 is the best interim solution, if you run a network, the best
> > long term solution is #1, that way you have both DNS and a DNS
> > cache on your internal network.
> >
> > nate
>
> I've specified some rules in shorewall to allow me access to port
> 53 with tcp and udp. It still doesn't work.
> As for #3, I don't know what the IP is of this proxy so
> I won't be able to use this. I think solution one is going to be what
> I need. Seems a bit overkill though for what I want to do.
>
> Another solution is to temporarily shut down the firewall but I
> do not want to do this.
After the comments Nate made I rechecked my rules file from shorewall and it dawned on me that I could try to add a rule for the 8080 port, so I added:

ACCEPT fw net tcp 8080

and it worked! (dumb*ss me for not realizing this sooner)

For completeness, the 2 rules I had already added and are also necessary to make it work are:

ACCEPT fw net tcp 53
ACCEPT fw net udp 53

Ha, now my little apt friend works again :)

Also, thanks again Nate for helping me solve this. As you can see, I still need to learn a lot when it comes to firewall configuration, and to think that shorewall hides already a lot of the iptables stuff...
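The fix above boils down to three outbound rules from the firewall zone: DNS over UDP and TCP, plus the proxy port. The following is an added example, not code from the thread, from Shorewall or from the poster; it is a small checker that reads a Shorewall `rules` file and reports which of those (proto, port) pairs no ACCEPT row from `fw` to `net` covers. It assumes the column layout the poster used (ACTION SOURCE DEST PROTO DEST-PORT) and the port-column syntax Shorewall documents (comma lists, `lo:hi` ranges, `-` for any); the sample files, the proxy port 8080 and the zone names `fw`/`net` are taken from the thread or constructed for the example.

```python
"""Check a Shorewall 'rules' file for the outbound ports apt needs when it
reaches the net through an HTTP proxy from the firewall host itself.

Added example for this thread (not Shorewall code, not the poster's file).
Assumes the standard rules layout: ACTION SOURCE DEST PROTO DEST-PORT, with
'#' comments, SECTION markers, and a port column that may hold a single
port, a comma list, a lo:hi range, or '-' for any.
"""

# Constructed sample modelled on the three rules the poster ended up with.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
SECTION NEW
ACCEPT  fw  net  tcp  53
ACCEPT  fw  net  udp  53
ACCEPT  fw  net  tcp  8080
"""

# Constructed sample of the same file before the proxy rule was added:
# name resolution works, apt still cannot reach the proxy.
SAMPLE_RULES_BEFORE = """\
ACCEPT  fw  net  tcp  53
ACCEPT  fw  net  udp  53
"""

# What the firewall host must be allowed to open towards 'net': DNS over
# both transports (resolvers fall back to TCP for answers that do not fit
# in a UDP datagram) and the proxy port. 8080 is the port from the thread;
# change it to match your proxy.
REQUIRED = [("tcp", 53), ("udp", 53), ("tcp", 8080)]


def parse_ports(field):
    """Expand a DEST PORT column into a set of ints, or None for 'any'."""
    if field in ("-", ""):
        return None
    ports = set()
    for part in field.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def accept_rules(rules_text, source="fw", dest="net"):
    """Yield (proto, ports) for every ACCEPT row from source to dest.

    Comments, blank lines and SECTION markers are skipped. proto is
    lower-cased; 'all' or '-' means any protocol and is yielded as None.
    """
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().lstrip("?").startswith("SECTION"):
            continue
        cols = line.split()
        if len(cols) < 4 or cols[0].upper() != "ACCEPT":
            continue
        _, src, dst, proto = cols[:4]
        if (src, dst) != (source, dest):
            continue
        proto = proto.lower()
        ports = parse_ports(cols[4]) if len(cols) > 4 else None
        yield (None if proto in ("all", "-") else proto, ports)


def missing_ports(rules_text, required=REQUIRED, source="fw", dest="net"):
    """Return the (proto, port) pairs in required that no ACCEPT rule covers."""
    rules = list(accept_rules(rules_text, source, dest))
    missing = []
    for proto, port in required:
        covered = any(
            (rp is None or rp == proto) and (ports is None or port in ports)
            for rp, ports in rules
        )
        if not covered:
            missing.append((proto, port))
    return missing


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_RULES_BEFORE), ("after", SAMPLE_RULES)):
        gap = missing_ports(text)
        if gap:
            print(name + ": missing " + ", ".join("%s/%d" % g for g in gap))
        else:
            print(name + ": ok")
```

Run it against your own `/etc/shorewall/rules` by passing the file contents to `missing_ports`; the "before" sample reports `tcp/8080` as the gap, which is exactly the rule the poster was missing. One caveat on Nate's suggestion #1 for anyone reproducing it today: pinning the resolver's outgoing query source port to 53 makes the firewall rule simple, but it also removes the source-port randomization that protects a caching resolver against cache poisoning, so a stateful rule that admits replies to whatever port the resolver picked is the safer way to be firewall-friendly.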