Date: Sun, 18 Jan 2004 13:23:53 -0500
From: Chuck Swiger <cswiger@mac.com>
To: fbsd_user@a1poweruser.com
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: 5.2 + ipfw2 + keep-state rules Bug
Message-ID: <400ACF39.4000609@mac.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGAENKFEAA.fbsd_user@a1poweruser.com>
References: <MIEPLLIBMLEEABPDBIEGAENKFEAA.fbsd_user@a1poweruser.com>
fbsd_user wrote:
> Using a fresh install of FBSD 5.2 RC2 I am trying to
> get stateful rules to function.
> For some reason ipfw2 seems to be issuing an ICMP:3.3
> packet to my ISP's dns.

[ ... ]

> # Internal gateway housekeeping
> $cmd 00100 allow all from any to any via lo0 # allow all localhost
> $cmd 00105 allow all from any to any via xl0 # allow all local Lan
> $cmd 00110 check-state log logamount 500
> $cmd 00150 divert natd all from any to any
> $cmd 00170 count log logamount 500 all from any to any
> $cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
> $cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state
> $cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
> $cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state
> $cmd 00500 deny log logamount 500 all from any to any

Something like the following would be better in terms of DNS and not
blocking essential types of ICMP traffic:

    allow tcp from any to any 53 out via rl0 setup keep-state
    allow udp from any to any 53
    allow icmp from any to any icmptypes 0,3,4,8,11,12

This allows bidirectional UDP-based DNS queries, but only outbound long
(TCP-based) DNS queries like zone-transfers.

YMMV, and it may not solve your problem-- it looked like your queries were
coming from an internal host (10.0.10.5) using NAT? Are you sure that natd
is okay? Maybe put the divert statement before the "check-state" rule?

-- 
-Chuck
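As an added illustration (not part of the thread), a small Python checker that walks an ipfw ruleset in rule-number order and flags the two points Chuck raises: a divert natd rule numbered after check-state, and no rule admitting inbound ICMP error types. Both rulesets are constructed from the one quoted above; the numbers 00108 and 00112 used for the reordered version are an assumption.

```python
import re
# Constructed from the ruleset quoted in the thread ("$cmd" and log options
# dropped); ipfw evaluates rules in ascending number order.
ORIGINAL_RULES = """
00100 allow all from any to any via lo0
00105 allow all from any to any via xl0
00110 check-state
00150 divert natd all from any to any
00170 count all from any to any
00310 allow tcp from any to any 53 out via rl0 setup keep-state
00311 allow udp from any to any 53 out via rl0 keep-state
00315 allow tcp from any to any 80 out via rl0 setup keep-state
00350 allow icmp from any to any out via rl0 keep-state
00500 deny all from any to any
"""
# Same ruleset with Chuck's two suggestions applied (also constructed).
REORDERED_RULES = (ORIGINAL_RULES
    .replace("00110 check-state", "00112 check-state")
    .replace("00150 divert natd", "00108 divert natd")
    .replace("00350 allow icmp from any to any out via rl0 keep-state",
             "00350 allow icmp from any to any icmptypes 0,3,4,8,11,12"))

RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(.*)$")

def parse_rules(text):
    """Return (number, action, body tokens) tuples in ipfw evaluation order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3).split()))
    return sorted(rules, key=lambda r: r[0])

def check_ordering(text):
    """Return findings about check-state/divert ordering and inbound ICMP."""
    rules = parse_rules(text)
    findings = []
    checks = [n for n, a, _ in rules if a == "check-state"]
    diverts = [n for n, a, b in rules if a == "divert" and b[:1] == ["natd"]]
    # A reply accepted by check-state never reaches a later divert rule, so it
    # stays addressed to the gateway instead of being un-NATed to the LAN host.
    if checks and diverts and diverts[0] > checks[0]:
        findings.append(f"rule {diverts[0]}: divert natd runs after check-state "
                        f"rule {checks[0]}; move it before check-state")
    # Only an outbound stateful ICMP rule: error messages from other hosts
    # (type 3 unreachable, type 11 time exceeded) fall through to the deny.
    if not any(a == "allow" and b[:1] == ["icmp"] and "out" not in b
               for _, a, b in rules):
        findings.append("no allow rule admits inbound icmp error types 3 and 11")
    return findings
```

Running check_ordering on ORIGINAL_RULES reports both problems; on REORDERED_RULES it reports none.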