Date: Wed, 20 Mar 2002 16:03:50 +0000
From: Daniel Bye <dan@slightlystrange.org>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <20020320160349.GB27566@icarus.slightlystrange.org>
In-Reply-To: <Pine.GSO.4.33.0203201646400.12073-100000@bark>
References: <3C992774.D763B085@froekjaer.org> <Pine.GSO.4.33.0203201646400.12073-100000@bark>
On Wed, Mar 20, 2002 at 04:49:51PM +0100, Paul Everlund wrote:
> On Wed, 20 Mar 2002, Flemming Fr?kjk?r wrote:
>
> > I'm trying to build a firewall based on the simple firewall in the
> > rc.firewall script
> > after enabling the firewall I can't look up any addresses. If I use
> > nslookup it just times out :(
> > I can add a rule like this: ipfw add 9999 pass all from any to any
> > Then everything works, but the firewall does not do me any good :(
> > what rules should I add to make DNS work?
>
> You must let DNS queries UDP out to port 53, and also let them back in
> from port 53. Also DNS TCP out to port 53 should be allowed (I think).
> Something like this:
>

What follows comes from my rather addled memory, so forgive me if it's
not quite right ;-)

You should only need to allow TCP/53 if you need to obtain zone transfers,
if you are running your own name server, for example. Basic DNS host
lookups take place over the UDP sockets, so just the first two of the
rules provided by Paul should be necessary. (There is probably no harm in
allowing TCP/53 out, in any event, so long as you don't allow it IN
unbidden.)

> ipfw add allow udp from any to DNS-IP 53 out via INTERFACE
> ipfw add allow udp from DNS-IP 53 to any in via INTERFACE
> ipfw add allow tcp from any to DNS-IP 53 out via INTERFACE
>
> Good luck!
>
> Best regards,
> Paul
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Dan
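The rules Paul posted, as an added sh script that is not part of the thread: it parameterises the three stateless rules, emits a stateful variant alongside them, and runs a check for the two mistakes the thread warns about (a rule that lets tcp/53 IN, and Flemming's blanket "pass all from any to any"). The stateful form is the tighter one in practice, because the stateless inbound rule admits any datagram that merely claims to come from DNS-IP with source port 53, whereas keep-state only opens the return path for a query this host actually sent. The resolver address 192.0.2.53, the interface name fxp0 and the function names are all constructed for the example; ipfw is only invoked when the script runs as root on a host that has it, otherwise the rules are just printed.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the ipfw rules
# discussed above for a host that resolves through one upstream server,
# and check the set against Dan's caveat that tcp/53 must not be let IN.
# The resolver address and interface used at the bottom are constructed.

# Paul's three stateless rules, parameterised.
# Usage: dns_rules_stateless <resolver-ip> <interface>
dns_rules_stateless() {
    resolver=$1
    iface=$2
    # queries out, replies back in, and tcp out (truncated-answer
    # fallback or zone transfers); nothing lets tcp in
    printf 'add allow udp from any to %s 53 out via %s\n' "$resolver" "$iface"
    printf 'add allow udp from %s 53 to any in via %s\n' "$resolver" "$iface"
    printf 'add allow tcp from any to %s 53 out via %s\n' "$resolver" "$iface"
}

# Stateful variant: keep-state opens the return path per query, so a
# packet that only *claims* source port 53 on the resolver address does
# not get in on its own.  check-state must precede the keep-state rules.
# Usage: dns_rules_stateful <resolver-ip> <interface>
dns_rules_stateful() {
    resolver=$1
    iface=$2
    printf 'add check-state\n'
    printf 'add allow udp from any to %s 53 out via %s keep-state\n' "$resolver" "$iface"
    printf 'add allow tcp from any to %s 53 out via %s setup keep-state\n' "$resolver" "$iface"
}

# Reads a rule set on stdin.  Fails if any rule lets tcp/53 in from the
# outside ("unbidden") or if a blanket allow-all rule is present.
rules_ok() {
    ruleset=$(cat)
    if printf '%s\n' "$ruleset" | grep -q 'tcp from [^ ]* 53 to any in'; then
        echo "rules_ok: tcp/53 is allowed in" >&2
        return 1
    fi
    if printf '%s\n' "$ruleset" | grep -q 'from any to any'; then
        echo "rules_ok: blanket allow-all rule present" >&2
        return 1
    fi
    return 0
}

# Load a rule set from stdin into the live firewall when running as root
# on a host with ipfw (ipfw reads one command per line from a file);
# otherwise just echo it so the script can be inspected anywhere.
load_rules() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        tmp=$(mktemp) || return 1
        cat > "$tmp"
        ipfw -q "$tmp"
        rm -f "$tmp"
    else
        cat
    fi
}

# Example run with a constructed resolver address and interface name.
dns_rules_stateful 192.0.2.53 fxp0 | rules_ok || exit 1
dns_rules_stateful 192.0.2.53 fxp0 | load_rules
```

Swap dns_rules_stateful for dns_rules_stateless in the last two lines to load Paul's original set instead; rules_ok passes both, and rejects a set that adds "allow tcp from DNS-IP 53 to any in" or the "pass all from any to any" rule from the original question.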
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020320160349.GB27566>