From owner-freebsd-questions@FreeBSD.ORG Mon Aug 19 06:07:06 2013 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 489B7EBA for ; Mon, 19 Aug 2013 06:07:06 +0000 (UTC) (envelope-from vagabond@blackfoot.net) Received: from nightmare.dreamchaser.org (nightmare.dreamchaser.org [12.32.44.142]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 634962453 for ; Mon, 19 Aug 2013 06:07:03 +0000 (UTC) Received: from breakaway.dreamchaser.org (breakaway.dreamchaser.org. [12.32.36.73]) by nightmare.dreamchaser.org (8.13.6/8.13.6) with ESMTP id r7J66Pdo070658 for ; Mon, 19 Aug 2013 00:06:39 -0600 (MDT) (envelope-from vagabond@blackfoot.net) Message-ID: <5211B5E1.6040000@blackfoot.net> Date: Mon, 19 Aug 2013 00:06:25 -0600 From: Gary Aitken User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130730 Thunderbird/17.0.7 MIME-Version: 1.0 To: FreeBSD Mailing List Subject: ipfw confusion Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (nightmare.dreamchaser.org [12.32.36.65]); Mon, 19 Aug 2013 00:06:39 -0600 (MDT) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 19 Aug 2013 06:07:06 -0000 I'm having some weird ipfw behavior, or it seems weird to me, and am looking for an explaination and then a way out. ipfw list ... 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup keep-state 21129 allow tcp from any to 12.32.36.65 dst-port 53 in via tun0 setup keep-state ... 65534 deny log logamount 5 ip from any to any tail -f messages Aug 18 23:33:06 nightmare named[914]: client 188.231.152.46#63877: error sending response: permission denied 12.32.36.65 is the addr of the internal interface (xl0) on the firewall and is the public dns server. 12.32.44.142 is the addr of the external interface (tun0) which is bridged on a dsl line. It appears that a dns request was allowed in, but the response was not allowed back out. It seems to me the above rules 21109 and 21129 should have allowed the request in and the response back out. It's possible a request could come in on 12.32.44.142, which is why 21109 is present; although I know I am getting failures to reply to refresh requests from a secondary addressed to 12.32.36.65 What am I missing? Is there a problem if the incoming rule is for tun0, which gets passed to named since 12.32.44.142 is on the physical machine running named, but named pumps its response out on 12.32.36.65, relying on routing to get it to the right place, and that fails to match the state tracking mechanism which started with 12.32.44.142?