Date: Wed, 6 Jan 1999 19:36:37 -0800 (PST)
From: Mike Meyer <mwm@phone.net>
To: Yusuf Goolamabbas <yusufg@huge.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW prob (was Re: How to allow incoming DNS via 'client' prof in rc.firewall)
Message-ID: <Pine.BSF.4.05.9901061935290.25797-100000@guru.phone.net>
In-Reply-To: <13972.9416.159858.358940@yusufg.portal2.com>
1) Do local DNS queries work (I expect the answer to be yes, but let's check)?
2) Instead of listing the ruleset you feed it, send the output of
/sbin/ipfw l.
<mike
On Thu, 7 Jan 1999, Yusuf Goolamabbas wrote:
> Date: Thu, 7 Jan 1999 11:06:48 +0800 (CST)
> From: Yusuf Goolamabbas <yusufg@huge.net>
> To: Mike Meyer <mwm@phone.net>
> Cc: freebsd-questions@FreeBSD.ORG
> Subject: IPFW prob (was Re: How to allow incoming DNS via 'client' prof in rc.firewall)
>
> Mike, I really appreciate your efforts. Though I am convinced your
> rulesets should work, I still have the problem of external DNS queries
>
>
> Here is the relevant section of my rc.firewall file
>
> Thanks, Yusuf
> ----------------------------------------------------------------------
>
>
> $fwcmd add 100 pass all from any to any via lo0
> $fwcmd add 200 deny all from any to 127.0.0.0/8
>
> # Allow any traffic to or from my own net.
>
> $fwcmd add pass all from ${ip} to ${net}:${mask}
> $fwcmd add pass all from ${net}:${mask} to ${ip}
>
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
>
> # Allow setup of incoming email
> $fwcmd add pass tcp from any to ${ip} 25 setup
>
> # Allow access to our DNS (tcp)
>
> $fwcmd add pass tcp from any to ${ip} 53 setup
> $fwcmd add pass tcp from ${ip} to any 53
>
> # Allow setup of outgoing TCP connections only
> $fwcmd add pass tcp from ${ip} to any setup
>
> # Disallow setup of all other TCP connections
> $fwcmd add deny tcp from any to any setup
>
> # Allow access to our DNS (udp)
> $fwcmd add pass udp from any to ${ip} 53
>
> # Allow DNS queries out in the world
> $fwcmd add pass udp from ${ip} to any 53
>
>
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${ip}
> $fwcmd add pass udp from ${ip} to any 123
>
> # Everything else is denied as default.
>
> ----------------------------------------------------------------------
>
>
> Hmm - I missed one. Seems that DNS runs on both UDP and TCP. Try
> adding those two as well:
>
> /sbin/ipfw add pass tcp from any to ${ip} 53
> /sbin/ipfw add pass tcp from ${ip} to any 53
>
> Note that you need to allow both "setup" and "established" (you were
> working with those before), so you might as well allow both. If you've
> already got
>
> /sbin/ipfw add pass tcp from any to any established
>
> you can add "setup" to the above two lines for slightly tighter
> control.
>
> <mike
>
> On Wed, 6 Jan 1999, Yusuf Goolamabbas wrote:
>
> > Date: Wed, 6 Jan 1999 20:59:28 +0800
> > From: Yusuf Goolamabbas <yusufg@huge.net>
> > To: Mike Meyer <mwm@phone.net>
> > Cc: freebsd-questions@FreeBSD.ORG
> > Subject: Re: How to allow incoming DNS via 'client' prof in rc.firewall
> >
> > > You need to allow both incoming and outgoing packets, and for udp, not
> > > tcp. Try:
> > >
> > > /sbin/ipfw add pass udp from any to ${ip} 53
> > > /sbin/ipfw add pass udp from ${ip} to any 53
> >
> > Hi Mike, I added the first rule (second rule is there as part of
> > "client"). However, I get no response when queried from external network.
> >
> > Anything I could be doing wrong still?
> >
> > >
> > > <mike
> > >
> >
> > --
> > Yusuf Goolamabbas
> > yusufg@huge.net
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
>
>
>
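As an added example (not part of the thread, and not ipfw itself): a small Python model of ipfw's first-match evaluation, run against the ruleset quoted above with constructed values (ip 192.0.2.10, net 192.0.2.0/24, interface ed0, an external client at 198.51.100.7 and an external nameserver at 198.51.100.53, rule numbers as `ipfw add` would assign them). It answers the question an `/sbin/ipfw l` listing is meant to answer: which rule decides each leg of a DNS lookup, over UDP and over TCP, inbound and outbound. Only the keywords the quoted rules use are modelled (proto, address or CIDR, port lists, `via`, `setup`, `established`).

```python
"""Which ipfw rule decides each packet of a DNS lookup?  Added example, not
from the thread.  Models ipfw first-match evaluation for the keywords in the
quoted ruleset.  Addresses, interface and rule numbers are constructed; the
listing mimics `ipfw l` output, where `pass` prints as `allow` and `all` as `ip`."""
import collections
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|accept|pass|deny|reject)\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>[\d,\-]+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,\-]+))?(?P<opts>.*)$"
)

# Constructed listing: the quoted rc.firewall section with ip=192.0.2.10 and
# net=192.0.2.0/24, followed by the kernel's default rule 65535.
SAMPLE_LISTING = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow ip from 192.0.2.10 to 192.0.2.0/24
00400 allow ip from 192.0.2.0/24 to 192.0.2.10
00500 allow tcp from any to any established
00600 allow tcp from any to 192.0.2.10 25 setup
00700 allow tcp from any to 192.0.2.10 53 setup
00800 allow tcp from 192.0.2.10 to any 53
00900 allow tcp from 192.0.2.10 to any setup
01000 deny tcp from any to any setup
01100 allow udp from any to 192.0.2.10 53
01200 allow udp from 192.0.2.10 to any 53
01300 allow udp from any 123 to 192.0.2.10
01400 allow udp from 192.0.2.10 to any 123
65535 deny ip from any to any
"""

# state is for tcp only: "setup" (SYN only) or "established" (ACK or RST set)
Packet = collections.namedtuple("Packet", "proto src sport dst dport iface state", defaults=(None,))

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec is None:  # rule names no port, so any port matches
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, pkt):
    opts = rule["opts"].split()
    if rule["proto"] not in ("ip", "all", pkt.proto):
        return False
    if not (_addr_match(rule["src"], pkt.src) and _addr_match(rule["dst"], pkt.dst)
            and _port_match(rule["sport"], pkt.sport) and _port_match(rule["dport"], pkt.dport)):
        return False
    if "via" in opts and opts[opts.index("via") + 1] != pkt.iface:
        return False
    if "established" in opts and pkt.state != "established":
        return False
    if "setup" in opts and pkt.state != "setup":
        return False
    return True

def parse_listing(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError("unparsed ipfw line: " + line)
        rule = m.groupdict()
        rule["num"] = int(rule["num"])
        rules.append(rule)
    return rules

def verdict(rules, pkt):
    """First matching rule wins; ("deny", None) if the listing has no final rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return ("allow" if rule["action"] in ("allow", "accept", "pass") else "deny"), rule["num"]
    return "deny", None

def dns_verdicts(listing, ip, iface, client="198.51.100.7", ns="198.51.100.53"):
    """Verdict for each leg of an inbound lookup (client -> ip) and an outbound one (ip -> ns)."""
    rules = parse_listing(listing)
    flows = {
        "udp query in":  Packet("udp", client, 40000, ip, 53, iface),
        "udp reply out": Packet("udp", ip, 53, client, 40000, iface),
        "tcp query in":  Packet("tcp", client, 40001, ip, 53, iface, "setup"),
        "tcp reply out": Packet("tcp", ip, 53, client, 40001, iface, "established"),
        "udp query out": Packet("udp", ip, 40002, ns, 53, iface),
        "udp reply in":  Packet("udp", ns, 53, ip, 40002, iface),
    }
    return {name: verdict(rules, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, (action, num) in dns_verdicts(SAMPLE_LISTING, "192.0.2.10", "ed0").items():
        print(f"{name:14s} {action:5s} by rule {num}")
```

Against this listing the model allows the inbound UDP query (rule 1100), the inbound TCP query (700) and its reply (500), and the outbound UDP query (1200), but both UDP reply directions fall through to the final deny: `udp from ${ip} to any 53` is matched on destination port 53, while a reply leaves from source port 53 toward the client's high port, and the same applies to a nameserver's reply coming back to ${ip}. ipfw of this generation keeps no connection state, so each reply direction needs a rule of its own. The model also makes visible that `udp from any 123 to ${ip}` is decided on the source port alone: any UDP datagram sent from port 123 to ${ip} matches it, whatever its destination port.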
