Date: Sun, 19 Nov 2000 14:48:17 -0800
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Sam Carleton <scarleton@bigfoot.com>
Cc: "security@FreeBSD.ORG" <security@FreeBSD.ORG>
Subject: Re: help setting up a filewall
Message-ID: <20001119144817.A12190@149.211.6.64.reflexcom.com>
In-Reply-To: <3A1833F4.A2A25FBC@bigfoot.com>; from scarleton@bigfoot.com on Sun, Nov 19, 2000 at 03:11:32PM -0500
References: <3A16C44B.4DEC2492@bigfoot.com> <20001118155447.K9740@149.211.6.64.reflexcom.com> <3A1833F4.A2A25FBC@bigfoot.com>
On Sun, Nov 19, 2000 at 03:11:32PM -0500, Sam Carleton wrote:
> "Crist J . Clark" wrote:
[snip]
> > > Attached you will find my modifications to the rc.firewall script and
> > > relavent snips of rc.conf. If you have any thoughts on what I am doing
> > > wrong, please drop me an email. Thanks!
> >
> > A few nitpicks about your ruleset, but nothing absolutely leaped out
> > at me as a problem that would totally break everything. Since you did
> > not tell us exactly what kind of problem you are having, it's hard to
> > know what to look for.
>
> Well, the problem I am currently having is with DNS. The test environment that I have set up is such that
> there is no DNS server behind the FreeBSD firewall. The machine inside the firewall is not able to get a
> DNS request out. To make things more interesting, while booting the FreeBSD firewall, the rc.firewall
> script ALWAYS hangs on the two DNS lines.
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from ${iif} to any 53 keep-state
> ${fwcmd} add pass tcp from ${iif} to any 53 keep-state
You are using interface names where you should be using a hostname or
IP address. It is probably hanging trying to do the DNS lookup on the
hostname 'xl1.' You want,
${fwcmd} add pass udp from ${inet}:${imask} to any 53 keep-state
${fwcmd} add pass tcp from ${inet}:${imask} to any 53 keep-state
But this is not going to work unless you add a check-state rule. How
about checking right where we do the stateless pass of "established"
connections.
[snip]
> [Ss][Ii][Mm][Pp][Ll][Ee])
[snip]
# Allow established, dynamic connections
${fwcmd} add check-state
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag
[snip]
--
Crist J. Clark cjclark@alum.mit.edu
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001119144817.A12190>
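An added example, not code from this thread or from FreeBSD's rc.firewall: a small sh/awk lint that reads an already-expanded ipfw ruleset and flags the two problems raised above, an interface name such as xl1 in a from/to field (which ipfw treats as a hostname to resolve) and a keep-state rule with no check-state rule ahead of it. The inside network 192.168.1.0:255.255.255.0 in the fixed ruleset is an assumed value.

```shell
#!/bin/sh
# Added example (not from the thread or rc.firewall): lint an ipfw ruleset
# whose variables have already been substituted, one "add ..." per line.

# lint_rules: read rules from stdin, print one diagnostic line per problem
# (prints nothing when the ruleset is clean).
lint_rules() {
    awk '
    # Interface names look like a driver name plus a unit number (xl1, fxp0).
    function is_ifname(s) { return s ~ /^[a-z]+[0-9]+$/ }
    /check-state/ { seen_check = 1 }
    {
        # Problem 1: from/to fields must hold hosts or net:mask, not an
        # interface; ipfw tries to resolve "xl1" as a hostname.
        for (i = 1; i < NF; i++)
            if (($i == "from" || $i == "to") && is_ifname($(i + 1)))
                printf "line %d: \"%s %s\" names an interface; use net:mask\n", NR, $i, $(i + 1)
        # Problem 2: the reply above puts check-state in front of the
        # keep-state rules, right before the stateless "established" pass.
        if ($0 ~ /keep-state/ && !seen_check)
            printf "line %d: keep-state without a preceding check-state\n", NR
    }'
}

# problem_count: number of diagnostics lint_rules emits for the rules on stdin.
problem_count() { lint_rules | awk 'END { print NR }'; }

# Constructed ruleset mirroring the broken fragment quoted in the thread.
BROKEN_RULES='add pass tcp from any to any established
add pass all from any to any frag
add pass udp from xl1 to any 53 keep-state
add pass tcp from xl1 to any 53 keep-state'

# Constructed ruleset with the fix applied: check-state first, and the
# (assumed) inside net:mask in place of the interface name.
FIXED_RULES='add check-state
add pass tcp from any to any established
add pass all from any to any frag
add pass udp from 192.168.1.0:255.255.255.0 to any 53 keep-state
add pass tcp from 192.168.1.0:255.255.255.0 to any 53 keep-state'

printf '%s\n' "$BROKEN_RULES" | lint_rules
```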
