Date: Tue, 13 Jul 2004 12:07:21 -0400
From: Barney Wolff <barney@databus.com>
To: Mikhail Teterin <mi+mx@aldan.algebra.com>
Cc: net@freebsd.org
Subject: Re: allowing LAN the direct access to outside DNS with ipfw
Message-ID: <20040713160721.GA64946@pit.databus.com>
In-Reply-To: <200407131155.36985@misha-mx.virtual-estates.net>
References: <200407131155.36985@misha-mx.virtual-estates.net>
On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:
>
> I'm using the `simple' template in /etc/rc.firewall to allow LAN to access
> the Internet from behind the firewall (FreeBSD-stable).
>
> There is a rule there:
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from any to any 53 keep-state
>
> and, indeed, the firewall machine itself has no problems accessing the outside
> name servers.
>
> However, when the LAN-machine(s) try it, the queries time out, while the
> firewall machine logs the following:
>
> ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0
>
> All HOWTOs out there imply running a local nameserver on the firewall
> machine. Is there a way to go without that, but also without opening the
> firewall up to _all_ UDP packets, which happen to originate from port
> 53?
>
> What's the meaning of the "keep-state" clause in the rule above? I
> thought, it "magically" allows DNS-responses to come back only, but that
> does not work...

Do ipfw show and see if the keep-state rule is ever triggering - perhaps
some rule before it is already allowing the outgoing packets.

-- 
Barney Wolff        http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
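The deny line quoted in the question has a fixed shape (rule number, action, protocol, source address:port, destination address:port, direction, interface), which makes it easy to pull the relevant events out of the firewall's syslog before comparing them with the counters that "ipfw show" prints. The following parser is an added example written for this archive page; it is not code from the thread, from FreeBSD or from rc.firewall. The log lines it runs on are constructed (documentation-range name server addresses, the LAN prefix 192.168.1.0/24 and the interface name de0 are assumed), and it only classifies what it sees: an inbound UDP packet from port 53 to a LAN host that ipfw denied is a DNS answer for which no dynamic (keep-state) rule matched.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches the kernel log format quoted in the thread, e.g.
#   ipfw: 3400 Deny UDP 198.51.100.53:53 192.168.1.3:1332 in via de0
# The syslog timestamp/hostname prefix in front of "ipfw:" is ignored.
LOG_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)


@dataclass
class IpfwEvent:
    rule: int
    action: str       # normalised to lower case: "deny", "accept", ...
    proto: str        # normalised to lower case: "udp", "tcp", ...
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" or "out"
    iface: str


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Return the parsed event, or None when the line is not an ipfw log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return IpfwEvent(int(m["rule"]), m["action"].lower(), m["proto"].lower(),
                     m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                     m["dir"], m["iface"])


def is_blocked_dns_reply(ev: IpfwEvent, lan: ipaddress.IPv4Network) -> bool:
    """True for a denied inbound UDP packet *from* port 53 addressed to a LAN host.

    That is the signature of a DNS answer that the keep-state rule did not let
    back in: the query went out, but no dynamic rule matched the reply.
    """
    return (ev.action == "deny" and ev.proto == "udp" and ev.direction == "in"
            and ev.sport == 53 and ipaddress.ip_address(ev.dst) in lan)


def summarize(lines: Iterable[str], lan: str = "192.168.1.0/24") -> Dict[str, List[str]]:
    """Map each LAN client to the name servers whose answers were dropped."""
    net = ipaddress.ip_network(lan)
    hits: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev and is_blocked_dns_reply(ev, net):
            hits.setdefault(ev.dst, []).append(ev.src)
    return hits


# Constructed sample log: two dropped answers for the LAN client, one packet to
# the firewall's own (assumed) external address, and one unrelated TCP deny.
SAMPLE_LOG = [
    "Jul 13 11:50:02 fw /kernel: ipfw: 3400 Deny UDP 198.51.100.53:53 192.168.1.3:1332 in via de0",
    "Jul 13 11:50:07 fw /kernel: ipfw: 3400 Deny UDP 198.51.100.54:53 192.168.1.3:1333 in via de0",
    "Jul 13 11:50:09 fw /kernel: ipfw: 3400 Deny UDP 198.51.100.53:53 203.0.113.7:1025 in via de0",
    "Jul 13 11:50:11 fw /kernel: ipfw: 3400 Deny TCP 198.51.100.9:80 192.168.1.3:1340 in via de0",
]

if __name__ == "__main__":
    for client, servers in summarize(SAMPLE_LOG).items():
        print(f"{client}: DNS answers dropped from {', '.join(servers)}")
```

Feed it the real /var/log/security (or wherever ipfw logging goes on the box) and compare the clients it lists with the packet counters of the keep-state rule from "ipfw show": if that rule's counter never moves while these drops accumulate, the outgoing queries are being matched by an earlier rule, which is exactly the check the reply above suggests.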