From: Gary Aitken <vagabond@blackfoot.net>
Date: Mon, 19 Aug 2013 15:15:13 -0600
To: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Cc: lists.dan@gmail.com, OpenSlate ChalkDust
Subject: Re: ipfw confusion
Message-ID: <52128AE1.8000102@blackfoot.net>
References: <5211B5E1.6040000@blackfoot.net>

On 08/19/13 11:53, OpenSlate ChalkDust wrote:
> On Sun, Aug 18, 2013 at 8:06 PM, Gary Aitken wrote:
>
>> I'm having some weird ipfw behavior, or it seems weird to me, and am
>> looking for an explanation and then a way out.
>>
>> ipfw list
>> ...
>> 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup keep-state
>> 21129 allow tcp from any to 12.32.36.65 dst-port 53 in via tun0 setup keep-state
>> ...
>> 65534 deny log logamount 5 ip from any to any
>>
>> tail -f messages
>> Aug 18 23:33:06 nightmare named[914]: client 188.231.152.46#63877: error sending response: permission denied
>>
>> 12.32.36.65 is the addr of the internal interface (xl0) on the firewall
>> and is the public dns server.
>> 12.32.44.142 is the addr of the external interface (tun0) which is bridged
>> on a dsl line.
>>
>> It appears that a dns request was allowed in, but the response was not
>> allowed back out. It seems to me the above rules 21109 and 21129 should
>> have allowed the request in and the response back out.
>>
>> It's possible a request could come in on 12.32.44.142,
>> which is why 21109 is present;
>> although I know I am getting failures to reply to refresh requests
>> from a secondary addressed to 12.32.36.65
>>
>> What am I missing?
>
> I think you need explicit rules like
>
> nnnnn allow tcp from 12.32.44.142 to any dst-port 53 out via tun0 setup
> keep-state

Why would rules like that be necessary, given the conversation is initiated
from the outside? Shouldn't "setup keep-state" let the whole conversation,
both directions, through?

On 08/19/13 13:36, Dan Lists wrote:
> Do you have a check-state rule earlier in your rules?
>
> 1000 check-state

Yes:

00500 check-state
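[Editor's added example, not part of the thread and not Gary's real ruleset.]
The exchange above turns on two things: where check-state sits relative to
the keep-state rules, and which protocols the stateful rules cover. The sh
script below writes a minimal stateful ruleset in the form that
"ipfw -q <file>" loads, using the addresses and rule numbers from the
thread, and includes a small ordering check. Everything else is assumed:
that named also answers over UDP (the thread's rules are TCP-only), the
file name /etc/ipfw.dns.rules, the UDP rule numbers 21100/21101, and the
helper names dns_rules and check_state_first.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): generate a stateful ipfw
# ruleset for a DNS server answering on 12.32.36.65 (xl0) and 12.32.44.142
# (tun0), the addresses from the thread. Load it with:
#   ipfw -q /etc/ipfw.dns.rules        (file name is an assumption)
# Assumption: DNS is served over UDP as well as TCP, so both get keep-state.

dns_rules() {
    # ipfw orders rules by number, so check-state (500) is consulted before
    # any keep-state rule regardless of file order. Dynamic rules are keyed
    # on protocol/addresses/ports only; the "in via tun0" of the parent rule
    # is not part of the key, so the reply leaving via tun0 matches them.
    cat <<'EOF'
add 500 check-state
# UDP queries and their answers (assumed numbers 21100/21101)
add 21100 allow udp from any to 12.32.44.142 dst-port 53 in via tun0 keep-state
add 21101 allow udp from any to 12.32.36.65 dst-port 53 in via tun0 keep-state
# TCP (zone transfers, truncated answers): "setup" matches only the SYN
add 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup keep-state
add 21129 allow tcp from any to 12.32.36.65 dst-port 53 in via tun0 setup keep-state
# logamount 5: after five logged packets this rule stays silent until
# "ipfw resetlog" clears the counter, so a quiet log is not proof of no drops
add 65534 deny log logamount 5 ip from any to any
EOF
}

# Returns 0 when the lowest-numbered check-state rule precedes (by rule
# number) every keep-state rule, 1 otherwise.
check_state_first() {
    dns_rules | awk '
        /^add/ && /check-state/ { n = $2 + 0; if (!cs || n < cs) cs = n }
        /^add/ && /keep-state/  { n = $2 + 0; if (!ks || n < ks) ks = n }
        END { exit (cs && ks && cs < ks) ? 0 : 1 }'
}

# Usage: ./dns-rules.sh apply   (needs root; writes and loads the rule file)
#        ./dns-rules.sh         (just prints the rules)
if [ "$1" = apply ]; then
    check_state_first || { echo "check-state must precede keep-state rules" >&2; exit 1; }
    dns_rules > /etc/ipfw.dns.rules && ipfw -q /etc/ipfw.dns.rules
else
    dns_rules
fi
```

After loading, "ipfw -d list" shows the dynamic entries created by the
keep-state rules; a UDP entry lives only for net.inet.ip.fw.dyn_udp_lifetime
seconds (10 by default), which is plenty for a query/answer pair but worth
knowing when reading the output. If the deny rule has gone quiet, run
"ipfw resetlog" before assuming nothing is being dropped.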