From owner-freebsd-questions Sun Sep 26 23:31:48 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [212.110.138.1]) by hub.freebsd.org (Postfix) with ESMTP id 9162B151C5 for ; Sun, 26 Sep 1999 23:31:05 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id JAA82258; Mon, 27 Sep 1999 09:29:56 +0300 (EEST) (envelope-from ru)
Date: Mon, 27 Sep 1999 09:29:56 +0300
From: Ruslan Ermilov
To: Joe Bo
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw, natd and DNS
Message-ID: <19990927092956.A76443@relay.ucb.crimea.ua>
Mail-Followup-To: Joe Bo , freebsd-questions@FreeBSD.ORG
References: <2.2.32.19990926201520.0097ddbc@mail>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: <2.2.32.19990926201520.0097ddbc@mail>; from Joe Bo on Sun, Sep 26, 1999 at 01:15:20PM -0700
X-Operating-System: FreeBSD 3.2-STABLE i386
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Sep 26, 1999 at 01:15:20PM -0700, Joe Bo wrote:
> Hi,
>
> I'm running v3.2 with ipfw and natd on a 2-NIC machine
> as a gateway for an RFC1918 network of Windows PCs.
>
> I changed the firewall type to "simple", and my internal
> network could no longer get internet access.
>
> Of course in rc.firewall I have:
>
>     $fwcmd add divert natd all from any to any via ${natd_interface}
>
> as the first line.
>
> The problem was that port 53 was not getting through.
>
> When I changed the original lines:
>
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${oip}
>     $fwcmd add pass udp from ${oip} to any 53
>
> to
>
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to any
>     $fwcmd add pass udp from any to any 53
>
> then it worked. Someone told me it was because I didn't have named
> running, so I added and configured that; it is correct, I think.
> But I still have to have the more open port 53 lines in rc.firewall.
>
> Can anyone tell me, am I doing something wrong or ???
>
> Thanks to all who can respond,
>
> Joe
>

Add the following rule

    $fwcmd add deny log ip from any to any

as the last rule, and see what is being blocked, then come back with more info.

-- 
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
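The trailing `deny log` rule suggested in the reply writes one kernel log line per blocked packet; the following added example (not from the thread or from FreeBSD) parses such lines and tallies what is being denied, so the poster could answer "what is being blocked" from /var/log/messages. The sample lines are constructed; the line layout (`ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] in|out via <ifname>`) is assumed to follow the FreeBSD 3.x ipfw report format, with `ICMP:<type>.<code>` for ICMP.

```python
import re
from collections import Counter

# Constructed sample of what a final "deny log ip from any to any" rule logs.
# Because the natd divert rule runs first, inbound DNS replies already carry
# the internal destination address when they reach the later rules, so a
# "to ${oip}" rule never matches them and they fall through to the deny.
SAMPLE_LOG = """\
Sep 27 09:30:01 gw /kernel: ipfw: 65000 Deny UDP 10.1.1.1:53 192.168.1.20:1025 in via ed0
Sep 27 09:30:01 gw /kernel: ipfw: 65000 Deny UDP 10.1.1.1:53 192.168.1.21:1026 in via ed0
Sep 27 09:30:02 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.9:4455 198.51.100.2:23 in via ed0
Sep 27 09:30:03 gw /kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.9 198.51.100.2 in via ed0
Sep 27 09:30:04 gw /kernel: ipfw: 100 Accept UDP 198.51.100.2:1030 10.1.1.1:53 out via ed0
"""

# Assumed FreeBSD 3.x ipfw log layout; ports are absent for ICMP.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return a dict of the ipfw fields in one log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["rule"] = int(entry["rule"])
    for key in ("sport", "dport"):
        entry[key] = int(entry[key]) if entry[key] is not None else None
    return entry


def summarize_denied(log_text):
    """Count denied packets by (direction, protocol, service port).

    The service port is the lower-numbered of the two ports, i.e. the
    well-known side (53 for DNS whichever way the packet travels); None for ICMP.
    """
    counts = Counter()
    for line in log_text.splitlines():
        e = parse_ipfw_line(line)
        if e is None or e["action"] != "Deny":
            continue
        ports = [p for p in (e["sport"], e["dport"]) if p is not None]
        counts[(e["dir"], e["proto"].split(":")[0], min(ports) if ports else None)] += 1
    return counts


def denied_dns_reply_targets(log_text):
    """Sorted destination addresses of denied inbound UDP packets from port 53.

    Internal (RFC1918) addresses here show the replies were translated by natd
    before the filter rules saw them, so the pass rule must match those, not ${oip}.
    """
    entries = (parse_ipfw_line(l) for l in log_text.splitlines())
    return sorted({e["dst"] for e in entries if e and e["action"] == "Deny"
                   and e["dir"] == "in" and e["proto"] == "UDP" and e["sport"] == 53})
```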