From owner-freebsd-net@FreeBSD.ORG Tue Jul 13 16:07:31 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 11BDB16A4CE;
	Tue, 13 Jul 2004 16:07:31 +0000 (GMT)
Received: from pit.databus.com (p70-227.acedsl.com [66.114.70.227])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7EE5B43D41;
	Tue, 13 Jul 2004 16:07:30 +0000 (GMT)
	(envelope-from barney@pit.databus.com)
Received: from pit.databus.com (localhost [127.0.0.1])
	by pit.databus.com (8.12.11/8.12.11) with ESMTP id i6DG7LwE066224;
	Tue, 13 Jul 2004 12:07:21 -0400 (EDT)
	(envelope-from barney@pit.databus.com)
Received: (from barney@localhost)
	by pit.databus.com (8.12.11/8.12.11/Submit) id i6DG7LtO066223;
	Tue, 13 Jul 2004 12:07:21 -0400 (EDT)
	(envelope-from barney)
Date: Tue, 13 Jul 2004 12:07:21 -0400
From: Barney Wolff
To: Mikhail Teterin
Message-ID: <20040713160721.GA64946@pit.databus.com>
References: <200407131155.36985@misha-mx.virtual-estates.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200407131155.36985@misha-mx.virtual-estates.net>
User-Agent: Mutt/1.5.6i
X-Scanned-By: MIMEDefang 2.43
cc: questions@freebsd.org
cc: net@freebsd.org
Subject: Re: allowing LAN the direct access to outside DNS with ipfw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 13 Jul 2004 16:07:31 -0000

On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:
>
> I'm using the `simple' template in /etc/rc.firewall to allow the LAN to access
> the Internet from behind the firewall (FreeBSD-stable).
>
> There is a rule there:
>
>	# Allow DNS queries out in the world
>	${fwcmd} add pass udp from any to any 53 keep-state
>
> and, indeed, the firewall machine itself has no problems accessing the outside
> name servers.
>
> However, when the LAN machine(s) try it, the queries time out, while the
> firewall machine logs the following:
>
>	ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0
>
> All HOWTOs out there imply running a local nameserver on the firewall
> machine. Is there a way to go without that, but also without opening the
> firewall up to _all_ UDP packets which happen to originate from port
> 53?
>
> What's the meaning of the "keep-state" clause in the rule above? I
> thought it "magically" allows only DNS responses to come back, but that
> does not work...

Do ipfw show and see if the keep-state rule is ever triggering - perhaps
some rule before it is already allowing the outgoing packets.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
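The check Barney suggests, as an added example that is not part of the original thread or of /etc/rc.firewall: a keep-state rule only creates the dynamic entry that admits the reply if the outgoing query actually matches that rule, so a stateless allow placed earlier in the ruleset lets the query out without any state and the reply then falls through to the deny. The script below reads saved `ipfw show` output (rule number, packet counter, byte counter, rule body), reports the counter on the keep-state rule, lists earlier allow rules that have matched packets, and pulls the rule number out of a deny line in the format quoted above. The ruleset, the rule numbers 400 and 600, the name server address and the log line are all constructed for the example.

```shell
#!/bin/sh
# ipfw_keepstate_check.sh: is the DNS keep-state rule ever hit, and which
# earlier allow rules might be taking the queries first?
# Added example for the freebsd-net thread above; not from rc.firewall.

# Constructed sample of `ipfw show` output (not from the poster's firewall).
# Rule 400 is a hypothetical stateless allow that sits before the DNS
# keep-state rule 600: it has traffic, 600 has none.
SAMPLE_IPFW_SHOW='00100      0         0 allow ip from any to any via lo0
00200      0         0 deny ip from any to 127.0.0.0/8
00300      0         0 deny ip from 127.0.0.0/8 to any
00400   1421    117398 allow udp from 192.168.1.0/24 to any out via de0
00500    812     65402 check-state
00600      0         0 allow udp from any to any dst-port 53 keep-state
03400     37      3996 deny log ip from any to any
65535     12      1040 deny ip from any to any'

# Constructed deny line in the format the poster quoted (198.51.100.53 is a
# documentation address standing in for the real name server).
SAMPLE_DENY_LOG='ipfw: 3400 Deny UDP 198.51.100.53:53 192.168.1.3:1332 in via de0'

# Packet counter of rule NUM; `ipfw show` pads rule numbers with zeros, so
# compare numerically rather than as strings.
rule_packets() {
    printf '%s\n' "$SAMPLE_IPFW_SHOW" | awk -v n="$1" '$1+0 == n { print $2+0 }'
}

# Rule numbers of allow/pass rules that precede NUM and have matched packets.
# These are the candidates for letting the query out without creating state.
earlier_allow_rules() {
    printf '%s\n' "$SAMPLE_IPFW_SHOW" |
        awk -v n="$1" '$1+0 < n && $2+0 > 0 &&
            ($4 == "allow" || $4 == "pass" || $4 == "accept" || $4 == "permit") { print $1+0 }'
}

# Rule number from an "ipfw: NNNN Deny ..." log line.
deny_log_rule() {
    printf '%s\n' "$1" | sed -n 's/^ipfw: \([0-9][0-9]*\) Deny .*/\1/p'
}

# Human-readable summary for the given keep-state rule number.
diagnose() {
    ks=$1
    printf 'keep-state rule %s has matched %s packets\n' "$ks" "$(rule_packets "$ks")"
    for r in $(earlier_allow_rules "$ks"); do
        printf 'earlier allow rule %s has %s packets; it may be matching the queries first\n' \
            "$r" "$(rule_packets "$r")"
    done
    printf 'replies are being dropped by rule %s\n' "$(deny_log_rule "$SAMPLE_DENY_LOG")"
}

diagnose 600
```

On the firewall itself, replace the constructed sample with live output (`SAMPLE_IPFW_SHOW=$(ipfw show)`) and pass the number of your keep-state rule to `diagnose`. A zero counter on the keep-state rule together with a growing counter on an earlier allow is the situation Barney describes; a non-zero counter on the keep-state rule means the state is being created and the problem lies elsewhere.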