From owner-freebsd-questions Wed Mar 20 08:04:10 2002
Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 20 Mar 2002 16:03:50 +0000
From: Daniel Bye
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <20020320160349.GB27566@icarus.slightlystrange.org>
Reply-To: dan@slightlystrange.org
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <3C992774.D763B085@froekjaer.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Mar 20, 2002 at 04:49:51PM +0100, Paul Everlund wrote:
> On Wed, 20 Mar 2002, Flemming Fr?kjk?r wrote:
>
> > I'm trying to build a firewall based on the simple firewall in the
> > rc.firewall script.
> > After enabling the firewall I can't look up any addresses. If I use
> > nslookup it just times out :(
> > I can add a rule like this: ipfw add 9999 pass all from any to any
> > Then everything works, but the firewall does not do me any good :(
> > What rules should I add to make DNS work?
>
> You must let DNS queries UDP out to port 53, and also let them back in
> from port 53. Also DNS TCP out to port 53 should be allowed (I think).
> Something like this:
>

What follows comes from my rather addled memory, so forgive me if it's not
quite right ;-)

You should only need to allow TCP/53 if you need to obtain zone transfers,
if you are running your own name server, for example. Basic DNS host
lookups take place over UDP sockets, so just the first two of the rules
provided by Paul should be necessary. (There is probably no harm in
allowing TCP/53 out, in any event, so long as you don't allow it IN
unbidden.)

> ipfw add allow udp from any to DNS-IP 53 out via INTERFACE
> ipfw add allow udp from DNS-IP 53 to any in via INTERFACE
> ipfw add allow tcp from any to DNS-IP 53 out via INTERFACE
>
> Good luck!
>
> Best regards,
> Paul
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Dan
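As an added example that is not part of the thread: Dan's advice written as an rc.firewall-style fragment, with a constructed resolver address and interface name as placeholders, UDP/53 allowed both ways, TCP/53 allowed out only, and an explicit deny of unsolicited inbound TCP/53. The fwcmd variable defaults to echo so the script prints the rules rather than loading them.

```sh
#!/bin/sh
# Added example (not from the thread). Set fwcmd=/sbin/ipfw to load the
# rules for real; by default they are only printed.
fwcmd="${fwcmd:-echo /sbin/ipfw}"
DNS_IP="${DNS_IP:-192.0.2.53}"   # constructed placeholder resolver address
IFACE="${IFACE:-fxp0}"           # placeholder outside interface

dns_rules() {
    # Host lookups: UDP query out to the resolver, and its reply back in.
    # Note the reply rule is stateless: it admits any UDP packet from the
    # resolver with source port 53, so keep DNS_IP to the resolver you use.
    $fwcmd add allow udp from any to "$DNS_IP" 53 out via "$IFACE"
    $fwcmd add allow udp from "$DNS_IP" 53 to any in via "$IFACE"
    # TCP/53 out only: needed for zone transfers (and for answers too large
    # for a UDP reply), harmless otherwise.
    $fwcmd add allow tcp from any to "$DNS_IP" 53 out via "$IFACE"
    # Never let TCP/53 in unbidden: nothing outside should open a
    # connection to port 53 on this host.
    $fwcmd add deny tcp from any to any 53 in via "$IFACE"
}

dns_rules
```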