From owner-freebsd-questions  Wed Mar 20  8: 4:10 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from icarus.slightlystrange.org (icarus.slightlystrange.org [62.190.193.173])
	by hub.freebsd.org (Postfix) with ESMTP id 516D037B41C
	for <freebsd-questions@freebsd.org>; Wed, 20 Mar 2002 08:03:51 -0800 (PST)
Received: from danielby by icarus.slightlystrange.org with local (Exim 3.12 #1 (Debian))
	id 16niZ4-0007Pz-00
	for <freebsd-questions@FreeBSD.ORG>; Wed, 20 Mar 2002 16:03:50 +0000
Date: Wed, 20 Mar 2002 16:03:50 +0000
From: Daniel Bye <dan@slightlystrange.org>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <20020320160349.GB27566@icarus.slightlystrange.org>
Reply-To: dan@slightlystrange.org
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <3C992774.D763B085@froekjaer.org> <Pine.GSO.4.33.0203201646400.12073-100000@bark>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.33.0203201646400.12073-100000@bark>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Wed, Mar 20, 2002 at 04:49:51PM +0100, Paul Everlund wrote:
> On Wed, 20 Mar 2002, Flemming Fr?kjk?r wrote:
> 
> > I'm trying to build a firewall based on the simple firewall in the
> > rc.firewall script
> > after enabling the firewall I can't look up any addresses. If I use
> > nslookup it just times out :(
> > I can add a rule like this: ipfw add 9999 pass all from any to any
> > Then everything works, but the firewall does not do me any good :(
> > what rules should I add to make DNS work?
> 
> You must let DNS queries UDP out to port 53, and also let them back in
> from port 53. Also DNS TCP out to port 53 should be allowed (I think).
> Something like this:
> 


What follows comes from my rather addled memory, so forgive me if it's not
quite right ;-)

You should only need to allow TCP/53 if you need to obtain zone transfers,
if you are running your own name server, for example.  Basic DNS host lookups
take place over the UDP sockets, so just the first two of the rules provided
by Paul should be necessary.  (There is probably no harm in allowing TCP/53 
out, in any event, so long as you don't allow it IN unbidden.)


> ipfw add allow udp from any to DNS-IP 53 out via INTERFACE
> ipfw add allow udp from DNS-IP 53 to any in via INTERFACE
> ipfw add allow tcp from any to DNS-IP 53 out via INTERFACE
> 
> Good luck!
> 
> Best regards,
> Paul
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Dan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message