From owner-freebsd-questions Sun Oct 27 10:29:21 2002
Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
From: Stacey Roberts
Reply-To: sroberts@dsl.pipex.com
To: Ruben de Groot
Cc: sroberts@dsl.pipex.com, FreeBSD Questions
In-Reply-To: <20021027160633.GA12903@ei.bzerk.org>
References: <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org>
X-Mailer: Ximian Evolution 1.0.8
Date: 27 Oct 2002 18:29:16 +0000
Message-Id: <1035743359.65564.12.camel@Demon.vickiandstacey.com>

Okay, I've been hacking about with my ipfw rules in order to nail this down, but I'm still coming up against a wall here.

I've made this change:

# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state   <====
$fwcmd add 00618 allow udp from any to any 53 out via $oif
                                                         ^
                                                         |
                                               PUT THIS IN INSTEAD

Now I try to query a root-server, I still get stopped by the firewall:

# date
Sun Oct 27 18:19:35 GMT 2002
# dig . ns @b.root-servers.net

; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out

Checking logs:

# tail /var/log/security
Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
#

The previous poster (see below) informed me that using setup / keep-state with udp is wrong. Given the changes I've made above, what are the magic statements to allow me to query the root servers and allow their responses back in?

TIA

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> >
> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> > keep-state
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> > keep-state
>
> This last rule is bogus. From ipfw(8):
>
>   setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>           This is the short form of ``tcpflags syn,!ack''.
>
> "setup" is not supposed to work for UDP packets. There is no handshake as
> in tcp connections.
>
>
> >
> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >
> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >
> > I'd appreciate someone helping me out here (or hitting me over the
> > head if I'm missing something simple and glaringly obvious).
> >
> > TIA
> >
> > Stacey
> >
> >
> >
> > --
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> >
> > Web: www.vickiandstacey.com
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
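The thread shows the mechanism behind the logged deny: "setup" is shorthand for "tcpflags syn,!ack", so the udp rule with "setup keep-state" never matches, no dynamic rule is created for the query, and the reply from 128.9.0.107:53 falls through to the catch-all deny. Dropping keep-state as well (the "PUT THIS IN INSTEAD" line) leaves the reply with nothing to match either. The script below is an added example, not code from the post or from FreeBSD: it lints an rc.firewall-style rule list for "setup" used with a non-tcp protocol, and emits a corrected pair of DNS rules that keep "keep-state" on the udp rule without "setup". The $fwcmd/$oif convention and the rule numbers 00617/00618 come from the thread; the sample rule text is constructed, the lint function is hypothetical tooling, and rule number 00600 for the check-state rule is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD's rc.firewall):
# lint an ipfw rule script for "setup" applied to a non-TCP rule, and emit
# corrected DNS rules. Assumes the $fwcmd / $oif variable convention used in
# the thread. Rule number 00600 for check-state is an assumption.

# Constructed sample, modelled on the rules quoted in the thread.
SAMPLE_RULES='# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state
$fwcmd add 00900 deny log logamount 500 ip from any to any'

# Print the rule number of every rule that combines "setup" with a protocol
# other than tcp. "setup" is short for "tcpflags syn,!ack", so such a rule can
# never match a UDP packet: no dynamic rule is created for the outgoing query,
# and the server's reply ("in via $oif") falls through to the final deny.
lint_setup_on_non_tcp() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            has_setup = 0; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "setup") has_setup = 1
                if (proto == "" && ($i == "allow" || $i == "pass" || $i == "deny" || $i == "drop")) {
                    j = i + 1                  # protocol follows the action,
                    if ($j == "log") {         # after an optional "log [logamount N]"
                        j = j + 1
                        if ($j == "logamount") j = j + 2
                    }
                    proto = $j
                }
            }
            if (has_setup && proto != "tcp") print $3   # $3: number after "$fwcmd add"
        }'
}

# Corrected DNS rules. TCP keeps "setup keep-state". UDP keeps only
# "keep-state": the outgoing query (our ephemeral port -> 53) creates a dynamic
# rule, so the reply (53 -> our ephemeral port, in via $oif) is allowed back in
# instead of hitting the catch-all deny. check-state consults the dynamic
# ruleset early; without it ipfw does so at the first keep-state rule.
corrected_dns_rules() {
    cat <<'EOF'
$fwcmd add 00600 check-state
# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
EOF
}

# Usage: lint the posted rules (reports 00618), then confirm the corrected
# set reports nothing.
echo "rules using setup with a non-tcp protocol:"
lint_setup_on_non_tcp "$SAMPLE_RULES"
echo "corrected set:"
lint_setup_on_non_tcp "$(corrected_dns_rules)"
```

Run the linter over the real rule script before loading it (for example, on the expanded output of `sh -n`-checked rc.firewall text); a rule that it reports matches no traffic at all, which is exactly the silent failure seen in the log above.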