From owner-freebsd-ipfw@FreeBSD.ORG  Wed May 18 16:52:02 2005
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7760516A4CE
	for <freebsd-ipfw@freebsd.org>; Wed, 18 May 2005 16:52:02 +0000 (GMT)
Received: from mx1.enertiatech.com (h204-9-110-143.enertiatech.com
	[204.9.110.143])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CA96E43D99
	for <freebsd-ipfw@freebsd.org>; Wed, 18 May 2005 16:52:01 +0000 (GMT)
	(envelope-from stephane@enertiasoft.com)
Received: from localhost (localhost [127.0.0.1])
	by mx1.enertiatech.com (Postfix) with ESMTP id 663826295
	for <freebsd-ipfw@freebsd.org>; Wed, 18 May 2005 10:51:05 -0600 (MDT)
Received: from mx1.enertiatech.com ([127.0.0.1])
 by localhost (mx1.enertiatech.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 80209-05 for <freebsd-ipfw@freebsd.org>;
 Wed, 18 May 2005 10:50:48 -0600 (MDT)
Received: from [10.0.0.34] (h10-0-0-34.enertiasoft.com [10.0.0.34])
	(using TLSv1 with cipher RC4-SHA (128/128 bits))
	(No client certificate requested)
	by mx1.enertiatech.com (Postfix) with ESMTP id CD7B562AB
	for <freebsd-ipfw@freebsd.org>; Wed, 18 May 2005 10:50:48 -0600 (MDT)
Mime-Version: 1.0 (Apple Message framework v730)
To: freebsd-ipfw@freebsd.org
Message-Id: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com>
From: Stephane Raimbault <stephane@enertiasoft.com>
Date: Wed, 18 May 2005 10:51:37 -0600
X-Mailer: Apple Mail (2.730)
X-Virus-Scanned: amavisd-new at enertiasoft.com
Content-Type: text/plain;
	charset=US-ASCII;
	delsp=yes;
	format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: named error sending response: permision denied
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2005 16:52:02 -0000

Hi,

I've been noticing lots of errors in my /var/log/messages reporting  
named errors:

May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1829:  
error sending response: permission denied
May 18 06:45:14 enertia1 named[8320]: client 204.9.110.133#1993:  
error sending response: permission denied
May 18 06:45:19 enertia1 named[8320]: client 204.9.110.132#3123:  
error sending response: permission denied
May 18 06:45:22 enertia1 named[8320]: client 204.9.110.143#61370:  
error sending response: permission denied
May 18 06:46:21 enertia1 named[8320]: client 204.9.110.133#3529:  
error sending response: permission denied

I also noticed these errors in my ipfw.log file:

May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP  
63.252.160.219:53 204.9.110.134:3371 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP  
63.252.160.219:53 204.9.110.134:1420 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP  
63.252.160.219:53 204.9.110.134:2961 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP  
63.252.160.219:53 204.9.110.134:4701 in via vlan1


For some reason, it seems like ipfw is kaboshing some of the dns  
queries going thru the server.  Queries seem to work as far as I can  
tell, but randomly I get the above error messags.  I believe this is  
a fairly heavily loaded dns server amongst other services.

Here are my ipfw rules for the dns:

/etc/rc.firewall.rules

fwcmd="/sbin/ipfw -q"
ip2=204.9.110.134
${fwcmd} add pass tcp from any to ${ip2} 53 setup
${fwcmd} add pass udp from any to ${ip2} 53 keep-state


I'm suspecting I'm hitting some sort of tunable (hopefully) ipfw  
limit.  Can anyone provide me some insight on this... I'm not having  
much look with google or looking in the list archives.

This is on a FreeBSD 4.11 system.

Thank you,
Stephane