[Shorewall-users] bouncing inbound dns udp packets

Tom Eastep teastep at shorewall.net
Fri, 11 Oct 2002 06:30:26 -0700

Roy Barkas wrote:
> All of a sudden, with no change to my Shorewall config, I've started to
> see a lot of udp packets from dns servers that I use being rejected.
> In the log extract below, all of the 61.9 addresses are a family of dns
> servers and (obviously, I guess) 144.137.xx.xxx is my public interface.
> Is it possible that the state connections time out due to poor dns 
> performance?

That's what I've always assumed was happening. In my /etc/shorewall/common 
file, I have:

run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
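As an added example (not code from the thread or from Shorewall), a small Python triage script that scans iptables/Shorewall kernel log lines for rejected UDP packets with source port 53 and separates replies from resolvers you actually query (the late replies described above, arriving after the conntrack entry has timed out) from port-53 UDP arriving from addresses you never asked. The log lines, resolver addresses, log prefix and public address are all constructed.

```python
import re
from collections import Counter

# Constructed sample of Shorewall/iptables kernel log lines (not the poster's real log).
# The 61.9.x.x addresses stand in for the resolvers mentioned in the thread;
# 144.137.0.10 is a made-up public address.
SAMPLE_LOG = """\
Oct 11 06:12:01 fw kernel: Shorewall:common:REJECT:IN=eth0 OUT= SRC=61.9.1.1 DST=144.137.0.10 LEN=120 PROTO=UDP SPT=53 DPT=32771 LEN=100
Oct 11 06:12:03 fw kernel: Shorewall:common:REJECT:IN=eth0 OUT= SRC=61.9.1.2 DST=144.137.0.10 LEN=96 PROTO=UDP SPT=53 DPT=32772 LEN=76
Oct 11 06:12:05 fw kernel: Shorewall:common:REJECT:IN=eth0 OUT= SRC=198.51.100.7 DST=144.137.0.10 LEN=64 PROTO=UDP SPT=53 DPT=53 LEN=44
Oct 11 06:12:07 fw kernel: Shorewall:common:REJECT:IN=eth0 OUT= SRC=198.51.100.9 DST=144.137.0.10 LEN=48 PROTO=TCP SPT=4444 DPT=22
"""

# Constructed; in practice take these from /etc/resolv.conf on the firewall.
KNOWN_RESOLVERS = {"61.9.1.1", "61.9.1.2"}

# Only the netfilter fields we need; LEN= appears twice per line and is ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return the netfilter key=value fields of one log line as a dict, or None."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def classify(line, resolvers):
    """Label one log line: late DNS reply, unsolicited port-53 UDP, other, or None."""
    f = parse_line(line)
    if f is None:
        return None
    if f["PROTO"] != "UDP" or f.get("SPT") != "53":
        return "other"
    # A reply from a resolver we query whose conntrack entry had already expired.
    if f["SRC"] in resolvers:
        return "late-dns-reply"
    # Port-53 UDP from an address we never queried: worth a look, not just log noise.
    return "unsolicited-port-53"


def triage(log_text, resolvers=KNOWN_RESOLVERS):
    """Count each category over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        label = classify(line, resolvers)
        if label is not None:
            counts[label] += 1
    return counts


if __name__ == "__main__":
    for kind, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kind}: {n}")
```

A high late-reply count against a negligible unsolicited count is the situation the quiet DROP rule above is meant for; the unsolicited bucket is the one to keep logging.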