From owner-freebsd-questions Fri Jul 30 11:31:52 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from voyager.fisicc-ufm.edu (ip-46-094.guate.net [200.12.46.94]) by hub.freebsd.org (Postfix) with ESMTP id B57F415154 for ; Fri, 30 Jul 1999 11:29:52 -0700 (PDT) (envelope-from obonilla@voyager.fisicc-ufm.edu)
Received: (from obonilla@localhost) by voyager.fisicc-ufm.edu (8.9.3/8.9.3) id MAA08276; Fri, 30 Jul 1999 12:22:57 -0600 (CST) (envelope-from obonilla)
Date: Fri, 30 Jul 1999 12:22:57 -0600
From: Oscar Bonilla
To: "David B. Aas"
Cc: questions@freebsd.org, obonilla@fisicc-ufm.edu
Subject: Re: FW: Need consulting help with v3.2 firewall configuration
Message-ID: <19990730122256.A1784@fisicc-ufm.edu>
References: <000401bed9ff$44528860$0fc8a8c0@dave.ciminot.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.6i
In-Reply-To: <000401bed9ff$44528860$0fc8a8c0@dave.ciminot.com>; from David B. Aas on Thu, Jul 29, 1999 at 03:16:38PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

AFAICS you're not allowing your clients to do DNS queries... see below

On Thu, Jul 29, 1999 at 03:16:38PM -0500, David B. Aas wrote:
> Whoops!
>
> I forgot to include my rules. Sorry for the extra email.
>
> # Setup system for firewall service.
> # $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $
> # Customized by Dave Aas 1999/07/20
>
> # Suck in the configuration variables.
> if [ -f /etc/defaults/rc.conf ]; then
>         . /etc/defaults/rc.conf
> elif [ -f /etc/rc.conf ]; then
>         . /etc/rc.conf
> fi
>
> # Flush out the list before we begin.
> ipfw -f flush
>
> # Divert internal ip addresses
> ipfw add 100 divert natd all from any to any via ${natd_interface}
>
> # Allow all outbound traffic
> ipfw add 150 allow all from any to any out
>
> # Only in rare cases do you want to change these rules
> ipfw add 200 pass all from any to any via lo0
> ipfw add 300 deny all from any to 127.0.0.0/8
>
> # Stop spoofing
> ipfw add 400 deny all from ${inet}:${imask} to any in via ${oif}
> ipfw add 500 deny all from ${onet}:${omask} to any in via ${iif}
>
> # Allow TCP through if setup succeeded
> ipfw add 600 pass tcp from any to any established
>
> # Allow setup of incoming email
> ipfw add 700 pass tcp from any to ${oip} 25 setup
> ipfw add 710 allow tcp from any to any 110 setup
>
> # Allow access to our DNS
> ipfw add 800 pass tcp from any to ${oip} 53 setup

this says let my machine talk to DNS servers on the internet for zone transfers (TCP)

>
> # Allow access to our WWW
> ipfw add 900 pass tcp from any to ${oip} 80 setup
>
> # Other webserver traffic
> ipfw add 910 allow tcp from any to ${oip} 80 in via ${oif}
> ipfw add 920 allow tcp from any to ${oip} 3128 in via ${oif}
>
> # Allow setup of outgoing TCP connections only
> ipfw add 1000 allow tcp from ${oip}:${omask} to any setup
> ipfw add 1100 allow tcp from ${iip}:${imask} to any setup
>
> # Allow maintenance from CI
> ipfw add 1200 allow tcp from ${maintip} to ${oip} 21 setup
> ipfw add 1300 allow tcp from ${maintip} to ${oip} 23 setup
>
> # Allow DNS queries out in the world
> ipfw add 1400 pass udp from any 53 to ${oip}
> ipfw add 1500 pass udp from ${oip} to any 53

this says allow my server to ask DNS queries from the internet.
You should add a rule saying "let my clients do DNS queries"

I would change those previous two rules for

ipfw add 1400 pass udp from any 53 to any
ipfw add 1500 pass udp from any to any 53

regards,

-Oscar

--
For PGP Public Key: finger obonilla@fisicc-ufm.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
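The following is an added worked example, not code from the thread or from FreeBSD's rc.firewall. It is a small first-match tracer for the subset of the quoted rules that touches UDP DNS, and it walks a query and its reply through the rule set twice: once with rules 1400/1500 as David posted them and once with Oscar's replacement. It assumes, as the posted rc.firewall relies on, that a packet diverted to natd at rule 100 is reinjected and matching resumes at the next rule, and it simplifies natd to a port-to-host table that leaves the source port unchanged. All addresses and interface names (OIP, OIF, INET, CLIENT, RESOLVER, and so on) are constructed stand-ins for the ${oip}, ${oif}, ${inet} variables in the script.

```python
# Added example (not from the thread): trace DNS traffic through a subset of the
# quoted ipfw rules to see why a NATed client's DNS reply is dropped as posted.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-ins for the rc.firewall variables.
OIP, OIF, ONET = "203.0.113.2", "fxp0", "203.0.113.0/24"   # ${oip}, ${oif}, ${onet}
IIP, IIF, INET = "192.168.1.1", "fxp1", "192.168.1.0/24"   # ${iip}, ${iif}, ${inet}
CLIENT, RESOLVER = "192.168.1.10", "198.51.100.53"          # an inside host, an outside DNS server


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str       # interface the packet crosses


@dataclass
class Rule:
    num: int
    action: str                        # allow/pass, deny, divert
    proto: str                         # all, udp, tcp
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None    # in / out, None matches both
    iface: Optional[str] = None        # "via" interface, None matches any


def addr_match(pattern, addr):
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and addr_match(rule.src, pkt.src)
            and rule.sport in (None, pkt.sport)
            and addr_match(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface))


class Natd:
    """Simplified natd: remember which inside host used which source port (port kept as-is)."""
    def __init__(self):
        self.table = {}

    def translate(self, pkt):
        if pkt.direction == "out" and addr_match(INET, pkt.src):
            self.table[pkt.sport] = pkt.src          # outbound from inside: rewrite source
            return replace(pkt, src=OIP)
        if pkt.direction == "in" and pkt.dst == OIP and pkt.dport in self.table:
            return replace(pkt, dst=self.table[pkt.dport])   # reply: restore inside destination
        return pkt


def trace(rules, natd, pkt):
    """First match wins. A divert hands the packet to natd and matching resumes at
    the next rule. Returns (action, rule number); 65535 stands for the default deny."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd.translate(pkt)
            continue
        return ("allow" if rule.action in ("allow", "pass") else "deny", rule.num)
    return ("deny", 65535)


# The quoted rules relevant to UDP DNS; the TCP-only rules are left out.
BASE = [
    Rule(100, "divert", "all", iface=OIF),
    Rule(150, "allow", "all", direction="out"),
    Rule(400, "deny", "all", src=INET, direction="in", iface=OIF),
    Rule(500, "deny", "all", src=ONET, direction="in", iface=IIF),
]
AS_POSTED = BASE + [
    Rule(1400, "pass", "udp", sport=53, dst=OIP),     # pass udp from any 53 to ${oip}
    Rule(1500, "pass", "udp", src=OIP, dport=53),     # pass udp from ${oip} to any 53
]
AS_SUGGESTED = BASE + [
    Rule(1400, "pass", "udp", sport=53),              # pass udp from any 53 to any
    Rule(1500, "pass", "udp", dport=53),              # pass udp from any to any 53
]


def dns_round_trip(rules, host):
    """Trace a DNS query from `host` out via ${oif} and the resolver's reply back in."""
    natd = Natd()
    query = Packet("udp", host, 1025, RESOLVER, 53, "out", OIF)
    reply = Packet("udp", RESOLVER, 53, OIP, 1025, "in", OIF)   # outside only ever sees ${oip}
    return trace(rules, natd, query), trace(rules, natd, reply)


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        for host in (OIP, CLIENT):
            print(label, host, dns_round_trip(rules, host))
```

Running it shows that every query leaves via rule 150 in both rule sets; the difference is on the way back. After natd restores the client's private address, `to ${oip}` in rule 1400 no longer matches, so the reply falls through to the default deny, which is exactly the "clients can't do DNS" symptom in the reply above. With `to any` the reply matches 1400. A tracer like this is a cheap way to check a rule change against the post-NAT view of a packet before loading it.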