Date: 27 Oct 2002 16:48:34 +0000
From: Stacey Roberts <stacey@Demon.vickiandstacey.com>
To: Ruben de Groot <fbsd-q@bzerk.org>
Cc: sroberts@dsl.pipex.com, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
Message-ID: <1035737316.394.47.camel@Demon.vickiandstacey.com>
In-Reply-To: <20021027160633.GA12903@ei.bzerk.org>
References: <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org>
Hi Ruben,

Thanks much for the reply - comments inline...

> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
>
> This last rule is bogus. From ipfw(8):
>
>     setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>             This is the short form of ``tcpflags syn,!ack''.
>
> "setup" is not supposed to work for UDP packets. There is no handshake as
> in tcp connections.

Okay, I see what you mean about rule 00619 (probably explains why this rule
never appears in ipfw l), and as such, I have three questions based on rule
00619 being bogus:

1] Is this the reason why I am unable to query root-servers?

2] Do I remove it completely - would ipfw still be secure without it
completely?

3] If not, should I just amend as:

<BEFORE>
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

<AFTER>
Based on ipfw(8):
#######################################################################
A similar approach can be used for UDP, where an UDP packet coming from
the inside will install a dynamic rule to let the response through the
firewall:

    ipfw add check-state
    ipfw add allow udp from my-subnet to any
    ipfw add deny udp from any to any
########################################################################

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

CHANGE TO:

$fwcmd add allow udp from any to any 53 out via $oif
$fwcmd add deny udp from any to any 53 in via $oif

I'm basing the above amendments on:
I have a check-state at rule 00500.
From the make up of my rule-set, I do not have a rule that explicitly denies
udp to port 53 per se.
More clearly, I have these deny rules in place at the moment:

$ grep -i deny fwrules
$fwcmd add 00020 deny log ip from me to any in
$fwcmd add 00030 deny log tcp from any to any in tcpflags syn,fin
$fwcmd add 00100 deny udp from any to any 520 in via $oif
$fwcmd add 00502 deny all from any to any frag
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00850 deny log ip from me to me in via $oif
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif
$fwcmd add 00900 deny log all from any to any in via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
$

None of which explicitly applies to DNS. I make this point as there *are*
udp packets I want to allow in via $oif - 137 - 139.

Thanks again for the reply Ruben. If I'm not clear enough in my
explanations, I'm quite happy to post my complete rule-set to you (off-list)
if you need it to get a better picture.

Cheers!

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> On Sun, Oct 27, 2002 at 03:24:07PM +0000, Stacey Roberts typed:
> > Hello,
> >   I don't know if this is related to post earlier today [FBSD 4.7
> > reset itself - lots of "DENY UDP" messages in /var/log/security], but
> > I've been trying to trouble shoot the "DENY" messages in
> > /var/log/security using dig:
> >
> > # dig . ns @b.root-servers.net
> >
> > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> > ; (1 server found)
> > ;; res options: init recurs defnam dnsrch
> > ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection
> > refused
> > #
> >
> > I get connection refused for this.
> > Checking security:
> >
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP <snip>:1381
> > 128.9.0.107:53 out via sis0
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1<snip>:1382
> > 128.9.0.107:53 out via sis0
> > #
<snip>
> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >
> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >
> > I'd appreciate someone helping me out here (or hitting me over the
> > head if I'm missing something simple and glaringly obvious).
> >
> > TIA
> >
> > Stacey
> >
> > --
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> >
> > Web: www.vickiandstacey.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
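An added example, not code from anyone in the thread: a small Python checker that summarises ipfw deny lines in the /var/log/security format quoted above by rule, protocol, destination port and direction, and flags allow rules that pair "udp" with "setup", which, as Ruben points out, can never match. The log and rule lines below are constructed from the thread; the source addresses are documentation addresses standing in for the snipped ones, and the suggested fix (drop "setup", keep "keep-state") is this example's assumption, not something stated in the thread.

```python
import re
from collections import Counter

# Matches ipfw log lines as written to /var/log/security in the thread above,
# e.g. "ipfw: 910 Deny UDP 192.0.2.10:1381 128.9.0.107:53 out via sis0".
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# An allow rule that combines "udp" with "setup": setup only matches TCP
# packets with SYN and no ACK (ipfw(8)), so such a rule never matches.
UDP_SETUP_RE = re.compile(r"\badd\s+(?:\d+\s+)?allow\s+udp\b.*\bsetup\b")

def summarize_denies(lines):
    """Count denied packets keyed by (rule, proto, dst port, direction).
    Accept lines are skipped; lines that do not parse are ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["action"].lower() == "deny":
            key = (int(m["rule"]), m["proto"].upper(), int(m["dport"]), m["dir"])
            counts[key] += 1
    return counts

def bogus_udp_setup_rules(rules):
    """Return the rule lines that can never match because of udp + setup."""
    return [r for r in rules if UDP_SETUP_RE.search(r)]

def fixed_udp_rule(rule):
    """Drop 'setup' so that keep-state alone installs the dynamic rule that
    lets the DNS reply back in through a check-state rule (assumed fix)."""
    return re.sub(r"\s+setup\b", "", rule)

# Constructed sample input modelled on the thread; 192.0.2.x and 198.51.100.x stand in for <snip>.
SAMPLE_LOG = [
    "Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 192.0.2.10:1381 128.9.0.107:53 out via sis0",
    "Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 192.0.2.10:1382 128.9.0.107:53 out via sis0",
    "Oct 27 15:16:30 Demon /kernel: ipfw: 900 Deny UDP 198.51.100.7:1024 192.0.2.10:137 in via sis0",
    "Oct 27 15:16:31 Demon /kernel: ipfw: 618 Accept TCP 192.0.2.10:1383 128.9.0.107:53 out via sis0",
]
THREAD_RULES = [
    "$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state",
    "$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state",
]

if __name__ == "__main__":
    print(summarize_denies(SAMPLE_LOG))
    print([fixed_udp_rule(r) for r in bogus_udp_setup_rules(THREAD_RULES)])
```

Run against the real /var/log/security, a high count on the catch-all rule 910 for UDP port 53 outbound is the signature of the query never matching rule 00619.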