From: Stacey Roberts <stacey@Demon.vickiandstacey.com>
Reply-To: sroberts@dsl.pipex.com
To: Ruben de Groot
Cc: sroberts@dsl.pipex.com, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
Date: 27 Oct 2002 16:48:34 +0000
Message-Id: <1035737316.394.47.camel@Demon.vickiandstacey.com>
In-Reply-To: <20021027160633.GA12903@ei.bzerk.org>
References: <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org>
X-Mailer: Ximian Evolution 1.0.8

Hi Ruben,

Thanks much for the reply - comments inline...

> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
>
> This last rule is bogus. From ipfw(8):
>
>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>              This is the short form of ``tcpflags syn,!ack''.
>
> "setup" is not supposed to work for UDP packets. There is no handshake as
> in tcp connections.

Okay, I see what you mean about rule 00619 (probably explains why this rule
never appears in ipfw l), and as such I have three questions based on rule
00619 being bogus:

1] Is this the reason why I am unable to query root-servers?

2] Do I remove it completely - would ipfw still be secure without it
   completely?

3] If not, should I just amend it as follows?

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

Based on ipfw(8):

#######################################################################
A similar approach can be used for UDP, where an UDP packet coming from
the inside will install a dynamic rule to let the response through the
firewall:

    ipfw add check-state
    ipfw add allow udp from my-subnet to any
    ipfw add deny udp from any to any
########################################################################

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

CHANGE TO:

$fwcmd add allow udp from any to any 53 out via $oif
$fwcmd add deny udp from any to any 53 in via $oif

I'm basing the above amendments on the following:

- I have a check-state at rule 00500.
- From the make-up of my rule-set, I do not have a rule that explicitly
  denies udp to port 53 per se.

More clearly, I have these deny rules in place at the moment:

$ grep -i deny fwrules
$fwcmd add 00020 deny log ip from me to any in
$fwcmd add 00030 deny log tcp from any to any in tcpflags syn,fin
$fwcmd add 00100 deny udp from any to any 520 in via $oif
$fwcmd add 00502 deny all from any to any frag
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00850 deny log ip from me to me in via $oif
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif
$fwcmd add 00900 deny log all from any to any in via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
$

None of which explicitly applies to DNS. I make this point as there *are*
udp packets I want to allow in via $oif - 137 - 139.

Thanks again for the reply Ruben. If I'm not clear enough in my
explanations, I'm quite happy to post my complete rule-set to you
(off-list) if you need it to get a better picture.

Cheers!

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> On Sun, Oct 27, 2002 at 03:24:07PM +0000, Stacey Roberts typed:
> > Hello,
> > I don't know if this is related to my post earlier today [FBSD 4.7
> > reset itself - lots of "DENY UDP" messages in /var/log/security], but
> > I've been trying to troubleshoot the "DENY" messages in
> > /var/log/security using dig:
> >
> > # dig . ns @b.root-servers.net
> >
> > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> > ; (1 server found)
> > ;; res options: init recurs defnam dnsrch
> > ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection refused
> > #
> > I get connection refused for this. Checking security:
> >
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381 128.9.0.107:53 out via sis0
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382 128.9.0.107:53 out via sis0
> > #
> > Checking ipfw rule 910:
> >
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >
> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >
> > I'd appreciate someone helping me out here (or hitting me over the
> > head if I'm missing something simple and glaringly obvious).
> >
> > TIA
> >
> > Stacey
> >
> > --
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> >
> > Web: www.vickiandstacey.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
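The "setup on a UDP rule" mistake Ruben points out is easy to catch mechanically before the ruleset is loaded. The Python lint below is an added example, not code from the thread or from FreeBSD; it parses rc.firewall-style `$fwcmd add` lines (the sample ruleset is constructed from the rules quoted above) and flags any rule that pairs `setup` with a protocol other than tcp, since `setup` only ever matches a TCP SYN. `fix_rule` is a hypothetical helper that drops the offending token so `keep-state` alone provides the dynamic reply hole.

```python
import re

# Constructed sample, modelled on the rc.firewall-style rules quoted in the
# thread; rule 00619 carries the bogus 'setup' on a UDP rule.
SAMPLE_RULES = """\
$fwcmd add 00500 check-state
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
$fwcmd add 00100 deny udp from any to any 520 in via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
"""

RULE_RE = re.compile(r"^\$fwcmd\s+add\s+(?P<num>\d+)\s+(?P<body>.+)$")


def parse_rule(line):
    """Return (number, action, protocol, option tokens) or None if not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    num, body = int(m.group("num")), m.group("body").split()
    action = body[0]
    if action == "check-state":
        return num, action, None, []
    i = 1  # skip 'log' and 'logamount N', which sit before the protocol keyword
    while i < len(body) and body[i] in ("log", "logamount"):
        i += 2 if body[i] == "logamount" else 1
    return num, action, body[i], body[i + 1:]


def lint_rules(text):
    """Flag rules whose 'setup' option can never match (non-TCP protocol)."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        num, _action, proto, opts = parsed
        if "setup" in opts and proto != "tcp":
            findings.append((num, proto))
    return findings


def fix_rule(line):
    """Hypothetical fix: drop 'setup'; keep-state alone opens the UDP reply path."""
    return " ".join(tok for tok in line.split() if tok != "setup")


if __name__ == "__main__":
    for num, proto in lint_rules(SAMPLE_RULES):
        print(f"rule {num:05d}: 'setup' on {proto} never matches (TCP SYN only)")
```

A rule that never matches is silently skipped, so the outbound DNS query falls through to the catch-all deny at 00910, which is exactly the log line Stacey saw.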