From owner-freebsd-ipfw@FreeBSD.ORG Wed May 18 16:52:02 2005
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7760516A4CE for ; Wed, 18 May 2005 16:52:02 +0000 (GMT)
Received: from mx1.enertiatech.com (h204-9-110-143.enertiatech.com [204.9.110.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id CA96E43D99 for ; Wed, 18 May 2005 16:52:01 +0000 (GMT) (envelope-from stephane@enertiasoft.com)
Received: from localhost (localhost [127.0.0.1]) by mx1.enertiatech.com (Postfix) with ESMTP id 663826295 for ; Wed, 18 May 2005 10:51:05 -0600 (MDT)
Received: from mx1.enertiatech.com ([127.0.0.1]) by localhost (mx1.enertiatech.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 80209-05 for ; Wed, 18 May 2005 10:50:48 -0600 (MDT)
Received: from [10.0.0.34] (h10-0-0-34.enertiasoft.com [10.0.0.34]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.enertiatech.com (Postfix) with ESMTP id CD7B562AB for ; Wed, 18 May 2005 10:50:48 -0600 (MDT)
Mime-Version: 1.0 (Apple Message framework v730)
To: freebsd-ipfw@freebsd.org
Message-Id: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com>
From: Stephane Raimbault
Date: Wed, 18 May 2005 10:51:37 -0600
X-Mailer: Apple Mail (2.730)
X-Virus-Scanned: amavisd-new at enertiasoft.com
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: named error sending response: permission denied
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Wed, 18 May 2005 16:52:02 -0000

Hi,

I've been noticing lots of errors in my /var/log/messages reporting named errors:

May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1829: error sending response: permission denied
May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1993: error sending response: permission denied
May 18 06:45:19 enertia1 named[8320]: client 204.9.110.132#3123: error sending response: permission denied
May 18 06:45:22 enertia1 named[8320]: client 204.9.110.143#61370: error sending response: permission denied
May 18 06:46:21 enertia1 named[8320]: client 204.9.110.133#3529: error sending response: permission denied

I also noticed these errors in my ipfw.log file:

May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:3371 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:1420 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:2961 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:4701 in via vlan1

For some reason, it seems like ipfw is kiboshing some of the DNS queries going through the server. Queries seem to work as far as I can tell, but randomly I get the above error messages. I believe this is a fairly heavily loaded DNS server amongst other services.

Here are my ipfw rules for the DNS:

/etc/rc.firewall.rules

fwcmd="/sbin/ipfw -q"
ip2=204.9.110.134

${fwcmd} add pass tcp from any to ${ip2} 53 setup
${fwcmd} add pass udp from any to ${ip2} 53 keep-state

I'm suspecting I'm hitting some sort of tunable (hopefully) ipfw limit. Can anyone provide me some insight on this... I'm not having much luck with Google or looking in the list archives.

This is on a FreeBSD 4.11 system.

Thank you,
Stephane
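The two rules above are the only ones the post shows for DNS, and the thread does not establish what is dropping the packets. What ties the two logs together is that when ipfw drops a packet the local host is sending, the kernel fails the send with EACCES, which named reports as "permission denied"; the ipfw.log lines, by contrast, are inbound replies from a remote port 53 to high ports on 204.9.110.134 that reached the default deny (rule 65000). Every UDP query that hits the keep-state rule also installs one dynamic rule, so on a busy resolver the size of the dynamic table is the first thing to check. The sh script below is an added example, not code from Stephane's post or from FreeBSD: it puts the posted keep-state rules beside a stateless rule set that consumes no dynamic state, adds a headroom check for the dynamic-rule table, and counts the two symptom lines over a constructed sample log. Assumptions: the sysctl names net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max (present on 4.x ipfw; confirm with `sysctl net.inet.ip.fw`), the 10% warning threshold, and that named's own recursive lookups leave from unprivileged ports on vlan1. It prints rules instead of loading them unless fwcmd is set.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD.
# Dry run by default; run with  fwcmd="/sbin/ipfw -q" sh dns-rules.sh  to load.
ip2=204.9.110.134                 # the DNS server address from the post
fwcmd=${fwcmd:-echo}              # "echo" prints each rule instead of adding it

# The rules as posted.  Each UDP query installs a dynamic rule; if no
# dynamic rule matches the reply (table full, or the state already expired),
# the reply hits the default deny.  For a reply named sends that means the
# send fails with EACCES ("permission denied" in named's log).
dns_rules_stateful() {
    $fwcmd add pass tcp from any to $ip2 53 setup
    $fwcmd add pass udp from any to $ip2 53 keep-state
}

# Stateless replacement: both directions are static rules, so the number of
# clients talking to the server no longer matters to the dynamic table.
dns_rules_stateless() {
    # queries to our server and our answers
    $fwcmd add pass tcp from any to $ip2 53 setup
    $fwcmd add pass udp from any to $ip2 53
    $fwcmd add pass udp from $ip2 53 to any
    # named's own recursive lookups and the replies to them (assumed to use
    # unprivileged source ports on vlan1).  Replies are accepted only on
    # vlan1 and only to 1024-65535, so a packet forged with source port 53
    # cannot reach other UDP services on $ip2.
    $fwcmd add pass udp from $ip2 1024-65535 to any 53 out via vlan1
    $fwcmd add pass udp from any 53 to $ip2 1024-65535 in via vlan1
}

# dyn_headroom COUNT MAX: prints "exhausted" when the dynamic-rule count is
# within 10% of the limit (threshold is an arbitrary choice), else "ok".
# On the server itself, feed it the live values:
#   dyn_headroom "$(sysctl -n net.inet.ip.fw.dyn_count)" \
#                "$(sysctl -n net.inet.ip.fw.dyn_max)"
dyn_headroom() {
    count=$1
    max=$2
    if [ "$count" -ge $(( max - max / 10 )) ]; then
        echo exhausted
    else
        echo ok
    fi
}

# count_symptoms reads a log on stdin and prints
# "<named permission-denied lines> <ipfw denies of replies from port 53>".
count_symptoms() {
    log=$(cat)
    named=$(printf '%s\n' "$log" | grep -c 'error sending response: permission denied' || true)
    blocked=$(printf '%s\n' "$log" | grep -c 'ipfw: [0-9]* Deny UDP [0-9.]*:53 ' || true)
    echo "$named $blocked"
}

# Constructed sample (three lines taken from the post) so the counter can be
# exercised offline:  sample_log | count_symptoms
sample_log() {
    cat <<'EOF'
May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1829: error sending response: permission denied
May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1993: error sending response: permission denied
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:3371 in via vlan1
EOF
}
```

If dyn_headroom reports "exhausted" on the live box, the quick test is to raise net.inet.ip.fw.dyn_max with sysctl and watch whether the named errors stop; the stateless rules remove the dependency on the dynamic table altogether, at the cost of the wider inbound rule for port-53 replies, which is why that rule is pinned to vlan1 and to unprivileged destination ports.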