Date:      Tue, 13 Jul 2004 20:23:42 +0400
From:      Roman Kurakin <rik@cronyx.ru>
To:        Mikhail Teterin <mi+mx@aldan.algebra.com>, barney@databus.com
Cc:        net@freebsd.org
Subject:   Re: allowing LAN the direct access to outside DNS with ipfw
Message-ID:  <40F40C8E.8000904@cronyx.ru>
In-Reply-To: <20040713160721.GA64946@pit.databus.com>
References:  <200407131155.36985@misha-mx.virtual-estates.net> <20040713160721.GA64946@pit.databus.com>


Barney Wolff wrote:

>On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:
>
>>I'm using the `simple' template in /etc/rc.firewall to allow LAN to access
>>the Internet from behind the firewall (FreeBSD-stable).
>>
>>There is a rule there:
>>	# Allow DNS queries out in the world
>>	${fwcmd} add pass udp from any to any 53 keep-state
>>
Probably this should be a bit safer:

${fwcmd} add pass udp from ${inet} to any 53 keep-state out via de0

>>and, indeed, the firewall machine itself has no problems accessing the outside
>>name servers.
>>
>>However, when the LAN-machine(s) try it, the queries time out, while the
>>firewall machine logs the following:
>>
>>	ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0
>>
All routers/servers on the Internet do not work with 192.168-like
networks, since anybody can use such addresses, so this could be your
problem.

>>All HOWTOs out there imply running a local nameserver on the firewall
>>machine. Is there a way to go without that, but also without opening the
>>firewall up to _all_ UDP packets, which happen to originate from port
>>53?
>>
>>What's the meaning of the "keep-state" clause in the rule above? I
>>thought, it "magically" allows DNS-responses to come back only, but that
>>does not work...
>
>Do ipfw show and see if the keep-state rule is ever triggering - perhaps
>some rule before it is already allowing the outgoing packets.
>
As I understand this, keep-state wouldn't allow any connection to you
from port 53 until you send a UDP packet to that machine for port 53.

rik
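To make the keep-state behaviour described in this reply concrete, here is a small Python model of ipfw's keep-state/check-state logic (added for illustration, not code from the thread or from FreeBSD): a packet that matches a static keep-state rule creates a dynamic entry for its flow, later packets of that flow pass in either direction, and anything else hits the final deny. It assumes 192.168.1.0/24 for ${inet}, a constructed name-server address 198.51.100.53, and models neither natd nor the rest of rc.firewall, so it shows the mechanism rather than reproducing the exact failure in the original report.

```python
import ipaddress
from collections import namedtuple

# One UDP datagram as ipfw sees it: addresses, ports, direction and interface.
Pkt = namedtuple("Pkt", "proto src sport dst dport dir iface")

class Rule:
    """'pass udp from SRC to any DPORT keep-state [DIR via IFACE]'.
    Rule("any", 53) models the rc.firewall line; Rule("192.168.1.0/24", 53,
    "out", "de0") models Roman's tighter variant (192.168.1.0/24 = ${inet}, assumed)."""
    def __init__(self, src, dport, direction=None, iface=None):
        self.src = None if src == "any" else ipaddress.ip_network(src)
        self.dport, self.direction, self.iface = dport, direction, iface

    def matches(self, p):
        return (p.proto == "udp" and p.dport == self.dport
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.direction is None or p.dir == self.direction)
                and (self.iface is None or p.iface == self.iface))

class StatefulFilter:
    """Toy keep-state/check-state: dynamic entries are keyed on the flow's
    5-tuple and match replies too; unmatched packets hit the final deny,
    logged in the same format as rule 3400 in the thread."""
    def __init__(self, rules):
        self.rules, self.dynamic, self.log = rules, set(), []

    def check(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:  # check-state hit
            return "pass"
        for r in self.rules:
            if r.matches(p):
                self.dynamic.add(fwd)                   # keep-state creates the entry
                return "pass"
        self.log.append(f"ipfw: 3400 Deny {p.proto.upper()} {p.src}:{p.sport} "
                        f"{p.dst}:{p.dport} {p.dir} via {p.iface}")
        return "deny"

def dns_scenario(rules, query_first, client="192.168.1.3"):
    """Optionally send a DNS query from CLIENT out via de0, then the server's
    reply back in. 198.51.100.53 is a constructed stand-in for name.ser.ver.ip."""
    fw = StatefulFilter(rules)
    query = Pkt("udp", client, 1332, "198.51.100.53", 53, "out", "de0")
    reply = Pkt("udp", "198.51.100.53", 53, client, 1332, "in", "de0")
    verdicts = [fw.check(query)] if query_first else []
    verdicts.append(fw.check(reply))
    return verdicts, fw.log
```

With the query sent first the reply is passed by the dynamic entry; a reply arriving with no prior query is denied and produces the same log line as in the original report.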

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40F40C8E.8000904>