Date: Tue, 13 Jul 2004 20:23:42 +0400
From: Roman Kurakin <rik@cronyx.ru>
To: Mikhail Teterin <mi+mx@aldan.algebra.com>, barney@databus.com
Cc: net@freebsd.org
Subject: Re: allowing LAN the direct access to outside DNS with ipfw
Message-ID: <40F40C8E.8000904@cronyx.ru>
In-Reply-To: <20040713160721.GA64946@pit.databus.com>
References: <200407131155.36985@misha-mx.virtual-estates.net> <20040713160721.GA64946@pit.databus.com>
Barney Wolff wrote:
>On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:
>
>>I'm using the `simple' template in /etc/rc.firewall to allow LAN to access
>>the Internet from behind the firewall (FreeBSD-stable).
>>
>>There is a rule there:
>>  # Allow DNS queries out in the world
>>  ${fwcmd} add pass udp from any to any 53 keep-state
>>
Probably this should be a bit safer:
  ${fwcmd} add pass udp from ${inet} to any 53 keep-state out via de0

>>and, indeed, the firewall machine itself has no problems accessing the outside
>>name servers.
>>
>>However, when the LAN-machine(s) try it, the queries time out, while the
>>firewall machine logs the following:
>>
>>  ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0
>>
All routers/servers on the Internet do not work with 192.168-like networks, since anybody can use such addresses, so this could be your problem.

>>All HOWTOs out there imply running a local nameserver on the firewall
>>machine. Is there a way to go without that, but also without opening the
>>firewall up to _all_ UDP packets, which happen to originate from port
>>53?
>>
>>What's the meaning of the "keep-state" clause in the rule above? I
>>thought, it "magically" allows DNS-responses to come back only, but that
>>does not work...
>>
>
>Do ipfw show and see if the keep-state rule is ever triggering - perhaps
>some rule before it is already allowing the outgoing packets.
>
As I understand this, keep-state wouldn't allow any connection to you from port 53 until you send a UDP packet to that machine for port 53.

rik
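Added example (editor's code, not from the thread, rc.firewall or ipfw itself): a toy Python model of how a keep-state rule creates a dynamic entry and how a later packet is matched against it, run with the addresses from the quoted log line. It assumes, as an assumption the thread does not establish, that the LAN sits behind natd through a divert rule placed ahead of the filter rules (the common rc.firewall setup), and that keep-state records the packet as it looks after translation. Under that assumption the name server's reply is rewritten back to 192.168.1.3 before the dynamic entries are consulted, misses the entry (which was keyed on the external address), and falls through to the deny rule, which is one way to end up with exactly the logged line. It also shows rik's point: an unsolicited packet from port 53 never matches an entry. The addresses 203.0.113.7 and 198.51.100.9, the ports, and the class and function names are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
EXTERNAL_IP = "203.0.113.7"        # assumed address of de0 on the firewall
NAME_SERVER = "name.ser.ver.ip"    # placeholder exactly as it appears in the thread's log line
LAN_HOST = "192.168.1.3"


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" or "in"
    iface: str = "de0"


class ToyIpfw:
    """Toy model of the thread's rule set; it is not ipfw and ignores timeouts, TCP, etc."""

    def __init__(self, external_ip, nat_enabled):
        self.external_ip = external_ip
        self.nat_enabled = nat_enabled
        self.dynamic = set()    # entries created by keep-state: (proto, src, sport, dst, dport)
        self.nat_table = {}     # external port -> (LAN ip, LAN port), filled by outbound traffic
        self.log = []

    def _divert_natd(self, p):
        """Assumed 'divert natd ... via de0' rule that runs before the filter rules.

        Outbound LAN packets get the external source address; inbound packets to a
        port natd knows get their destination rewritten back to the LAN host.
        """
        if not self.nat_enabled:
            return p
        if p.direction == "out" and p.src.startswith("192.168."):
            self.nat_table[p.sport] = (p.src, p.sport)   # port kept unchanged for simplicity
            return replace(p, src=self.external_ip)
        if p.direction == "in" and p.dst == self.external_ip and p.dport in self.nat_table:
            lan_ip, lan_port = self.nat_table[p.dport]
            return replace(p, dst=lan_ip, dport=lan_port)
        return p

    def _check_state(self, p):
        """A packet matches a dynamic entry only if it is the exact reverse of that entry.

        With no explicit check-state rule, ipfw consults the dynamic entries at the
        first keep-state rule, which is what this models.
        """
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.dynamic

    def process(self, p):
        p = self._divert_natd(p)
        if self._check_state(p):
            return "pass (dynamic)"
        # "add pass udp from any to any 53 keep-state": the dynamic entry records the
        # packet as it looks *here*, i.e. after natd has rewritten the source address.
        if p.proto == "udp" and p.dport == 53:
            self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "pass (keep-state)"
        # Final deny-with-log rule; numbered 3400 only to mirror the thread's log line.
        self.log.append(
            f"ipfw: 3400 Deny {p.proto.upper()} {p.src}:{p.sport} {p.dst}:{p.dport} "
            f"{p.direction} via {p.iface}"
        )
        return "deny"


def dns_exchange(fw, client_ip, client_port):
    """One query from client_ip plus the name server's reply; returns both verdicts."""
    query = Pkt("udp", client_ip, client_port, NAME_SERVER, 53, "out")
    q_verdict = fw.process(query)
    # The server answers whatever source address the query carried on the wire.
    behind_nat = fw.nat_enabled and client_ip.startswith("192.168.")
    wire_src = fw.external_ip if behind_nat else client_ip
    reply = Pkt("udp", NAME_SERVER, 53, wire_src, client_port, "in")
    return q_verdict, fw.process(reply)


if __name__ == "__main__":
    fw = ToyIpfw(EXTERNAL_IP, nat_enabled=True)
    print("firewall host:", dns_exchange(fw, EXTERNAL_IP, 1025))
    print("LAN host:     ", dns_exchange(fw, LAN_HOST, 1332))
    print("unsolicited:  ", fw.process(Pkt("udp", "198.51.100.9", 53, EXTERNAL_IP, 4000, "in")))
    for line in fw.log:
        print(line)
```

The model reproduces the thread's observations only under its NAT assumption: the firewall host's own query and reply both pass, the LAN host's query passes but its reply is denied with the logged line, and the same LAN exchange passes when the NAT step is switched off. On a real box, Barney's suggestion to look at ipfw show is the way to check; ipfw -d show additionally lists the dynamic entries, so you can see which source address the keep-state entry was actually created with.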