Date:      27 Oct 2002 18:29:16 +0000
From:      Stacey Roberts <stacey@Demon.vickiandstacey.com>
To:        Ruben de Groot <fbsd-q@bzerk.org>
Cc:        sroberts@dsl.pipex.com, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
Message-ID:  <1035743359.65564.12.camel@Demon.vickiandstacey.com>
In-Reply-To: <20021027160633.GA12903@ei.bzerk.org>
References:  <1035732248.394.22.camel@Demon.vickiandstacey.com>  <20021027160633.GA12903@ei.bzerk.org>

Okay,
    I've been hacking about with my ipfw rules in order to nail this
down, but I'm still coming up against a wall here...

I've made this change:
# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state   <==== <COMMENTED THIS OUT>
$fwcmd add 00618 allow udp from any to any 53 out via $oif
                  ^
                  |
       PUT THIS IN INSTEAD

Now when I try to query a root server, I still get stopped by the firewall:
# date
Sun Oct 27 18:19:35 GMT 2002
# dig . ns @b.root-servers.net

; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed out

Checking logs:
# tail /var/log/security
<snip>
Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
#

The previous post (see below) informed me that using setup /
keep-state with udp is wrong. Given the changes I've made above, what
are the magic statements to allow me to query the root servers and allow
their responses back in?

TIA
Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
<snip>
> >
> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
>
> This last rule is bogus. From ipfw(8):
>
>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>              This is the short form of ``tcpflags syn,!ack''.
>
> "setup" is not supposed to work for UDP packets. There is no handshake as
> in tcp connections.
>
>
> >
> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >
> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >
> > I'd appreciate someone helping me out here (or hitting me over the
> > head if I'm missing something simple and glaringly obvious).
> >
> > TIA
> >
> > Stacey
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
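As an added example (mine, not part of the thread): the /var/log/security entry quoted above is the tell-tale of this misconfiguration, so this script parses ipfw Deny lines in the FreeBSD 4.x format and flags inbound UDP from port 53 to a high port, i.e. a DNS answer dropped because only the outbound half of the exchange is allowed. The sample log lines are constructed from the entry quoted in the mail plus filler.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: lines 1-2 repeat the entry quoted in the mail, the rest is filler.
SAMPLE_LOG = """\
Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
Oct 27 18:19:45 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
Oct 27 18:20:01 Demon /kernel: ipfw: 900 Deny TCP 192.168.1.8:1643 128.9.0.107:53 out via sis0
Oct 27 18:20:02 Demon sshd[123]: constructed non-ipfw line
"""

# FreeBSD 4.x ipfw log shape for TCP/UDP (ICMP entries look different and are not matched):
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<direction>in|out) via (?P<iface>\w+)"
)

@dataclass(frozen=True)
class IpfwDeny:
    rule: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str

def parse_deny(line: str) -> Optional[IpfwDeny]:
    """Parse one log line; None for non-ipfw lines and for non-Deny actions."""
    m = LINE_RE.search(line)
    if m is None or m["action"] != "Deny":
        return None
    return IpfwDeny(int(m["rule"]), m["proto"], m["src"], int(m["sport"]),
                    m["dst"], int(m["dport"]), m["direction"], m["iface"])

def is_dropped_dns_reply(d: IpfwDeny) -> bool:
    """A DNS answer comes back from the server's port 53 to the client's ephemeral
    port, inbound on the outside interface. A ruleset that only allows
    'udp from any to any 53 out' has no rule for this half, so it hits the final deny."""
    return d.proto == "UDP" and d.direction == "in" and d.sport == 53 and d.dport > 1023

def dropped_dns_replies(log_text: str) -> List[IpfwDeny]:
    """All Deny entries that look like blocked DNS answers, in log order."""
    denies = (parse_deny(line) for line in log_text.splitlines())
    return [d for d in denies if d is not None and is_dropped_dns_reply(d)]
```

The remedy is the missing half of the exchange: either keep-state on the UDP rule without setup (with a check-state rule ahead of it) or an explicit inbound allow for udp from any 53 on the outside interface.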



