From owner-freebsd-questions Wed Jan 6 19:06:44 1999
From: "Yusuf Goolamabbas"
Date: Thu, 7 Jan 1999 11:06:48 +0800 (CST)
To: Mike Meyer
Cc: freebsd-questions@FreeBSD.ORG
Subject: IPFW prob (was Re: How to allow incoming DNS via 'client' prof in rc.firewall)
Message-ID: <13972.9416.159858.358940@yusufg.portal2.com>
References: <19990106205928.A23282@huge.net>
X-Mailer: VM 6.61 under 20.4 "Emerald" XEmacs Lucid

Mike,

I really appreciate your efforts. Though I am convinced your rulesets should work, I still have the problem of external DNS queries. Here is the relevant section of my rc.firewall file.

Thanks, Yusuf

----------------------------------------------------------------------
$fwcmd add 100 pass all from any to any via lo0
$fwcmd add 200 deny all from any to 127.0.0.0/8

# Allow any traffic to or from my own net.
$fwcmd add pass all from ${ip} to ${net}:${mask}
$fwcmd add pass all from ${net}:${mask} to ${ip}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow setup of incoming email
$fwcmd add pass tcp from any to ${ip} 25 setup

# Allow access to our DNS (tcp)
$fwcmd add pass tcp from any to ${ip} 53 setup
$fwcmd add pass tcp from ${ip} to any 53

# Allow setup of outgoing TCP connections only
$fwcmd add pass tcp from ${ip} to any setup

# Disallow setup of all other TCP connections
$fwcmd add deny tcp from any to any setup

# Allow access to our DNS (udp)
$fwcmd add pass udp from any to ${ip} 53

# Allow DNS queries out in the world
$fwcmd add pass udp from ${ip} to any 53

# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${ip}
$fwcmd add pass udp from ${ip} to any 123

# Everything else is denied as default.
----------------------------------------------------------------------

Hmm - I missed one. Seems that DNS runs on both UDP and TCP. Try adding those two as well:

/sbin/ipfw add pass tcp from any to ${ip} 53
/sbin/ipfw add pass tcp from ${ip} to any 53

Note that you need to allow both "setup" and "established" (you were working with those before), so you might as well allow both. If you've already got

/sbin/ipfw add pass tcp from any to any established

you can add "setup" to the above two lines for slightly tighter control.

> Date: Wed, 6 Jan 1999 20:59:28 +0800
> From: Yusuf Goolamabbas
> To: Mike Meyer
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: Re: How to allow incoming DNS via 'client' prof in rc.firewall
>
> > You need to allow both incoming and outgoing packets, and for udp, not
> > tcp. Try:
> >
> > /sbin/ipfw add pass udp from any to ${ip} 53
> > /sbin/ipfw add pass udp from ${ip} to any 53
>
> Hi Mike, I added the first rule (second rule is there as part of
> "client"). However, I get no response when queried from external network.
>
> Anything I could be doing wrong still?
>
> --
> Yusuf Goolamabbas
> yusufg@huge.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
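The ruleset quoted in this message is stateless and first-match, so the cleanest way to reason about "query arrives, answer never comes back" is to walk both directions of the exchange through the rules. The following is an added example written for this page, not code from the thread or from FreeBSD's rc.firewall: a small Python simulator that parses the ipfw lines above (with the shell variables replaced by constructed RFC 5737 addresses), applies first-match semantics with ipfw's implicit final deny, and evaluates an external resolver's UDP query to ${ip} port 53 together with the server's reply from port 53 back to the client's ephemeral port. The interface name "ext0", the client address and port, and the `check_external_dns_query` / `verdict` helpers are all assumptions of the example. Under those assumptions the inbound query matches "pass udp from any to ${ip} 53", but the reply matches no pass rule (the only outbound UDP 53 rule requires destination port 53) and falls through to the default deny; appending a rule that permits UDP from ${ip} source port 53 changes that verdict, which the second check demonstrates.

```python
"""First-match simulator for the stateless ipfw ruleset quoted above (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed stand-ins for the rc.firewall shell variables (assumptions, not from the post).
IP = "192.0.2.10"
NET, MASK = "192.0.2.0", "255.255.255.0"

# The ruleset from the message, minus the "$fwcmd" prefix.
RULESET = """
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add pass all from ${ip} to ${net}:${mask}
add pass all from ${net}:${mask} to ${ip}
add pass tcp from any to any established
add pass tcp from any to ${ip} 25 setup
add pass tcp from any to ${ip} 53 setup
add pass tcp from ${ip} to any 53
add pass tcp from ${ip} to any setup
add deny tcp from any to any setup
add pass udp from any to ${ip} 53
add pass udp from ${ip} to any 53
add pass udp from any 123 to ${ip}
add pass udp from ${ip} to any 123
"""


@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "ext0"        # constructed external interface name
    setup: bool = False        # TCP SYN without ACK
    established: bool = False  # TCP with ACK or RST set


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    opts: Set[str] = field(default_factory=set)
    via: Optional[str] = None
    text: str = ""


def _addr(tok: str) -> ipaddress.IPv4Network:
    """Parse 'any', 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d:mask' into a network."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if ":" in tok:
        net, mask = tok.split(":")
        return ipaddress.IPv4Network((net, mask))
    return ipaddress.IPv4Network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax used in the quoted ruleset."""
    toks = line.split()[1:]                 # drop leading "add"
    if toks[0].isdigit():                   # optional rule number
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    src, i, sport = _addr(toks[3]), 4, None  # toks[2] is "from"
    if toks[i].isdigit():
        sport, i = int(toks[i]), i + 1
    dst, i, dport = _addr(toks[i + 1]), i + 2, None  # toks[i] is "to"
    if i < len(toks) and toks[i].isdigit():
        dport, i = int(toks[i]), i + 1
    opts, via = set(), None
    while i < len(toks):                    # trailing options: setup, established, via IFACE
        if toks[i] == "via":
            via, i = toks[i + 1], i + 2
        else:
            opts.add(toks[i]); i += 1
    return Rule(action, proto, src, sport, dst, dport, opts, via, line)


def load_ruleset(extra: str = "") -> list:
    """Substitute the shell variables and parse every rule, in order."""
    text = (RULESET + extra).replace("${ip}", IP).replace("${net}", NET).replace("${mask}", MASK)
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule match the packet? Unspecified fields match anything."""
    if rule.proto not in ("all", "ip", pkt.proto):
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src or ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if "setup" in rule.opts and not pkt.setup:
        return False
    if "established" in rule.opts and not pkt.established:
        return False
    return True


def verdict(pkt: Packet, rules: list) -> tuple:
    """First matching rule decides; ipfw's implicit rule 65535 denies the rest."""
    for r in rules:
        if matches(r, pkt):
            return r.action, r.text
    return "deny", "65535 deny ip from any to any (implicit default)"


def check_external_dns_query(extra: str = "", client: str = "198.51.100.7", cport: int = 40000) -> tuple:
    """Verdicts for an outside resolver's query and for our server's reply."""
    rules = load_ruleset(extra)
    query = Packet("udp", client, cport, IP, 53)
    reply = Packet("udp", IP, 53, client, cport)
    return verdict(query, rules)[0], verdict(reply, rules)[0]


if __name__ == "__main__":
    print("as posted:      ", check_external_dns_query())
    print("with reply rule:", check_external_dns_query("add pass udp from ${ip} 53 to any\n"))
```

The simulator only models the packet fields the quoted rules test (protocol, addresses, ports, interface, and the TCP setup/established flags), which is enough to trace a UDP exchange; a real ipfw configuration would be checked with `ipfw list` and the rule counters rather than by hand.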