From owner-freebsd-questions Thu Oct 4 13:51:35 2001
Date: Thu, 4 Oct 2001 13:51:29 -0700
From: "Crist J. Clark"
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw question - hostname/address spec?
Message-ID: <20011004135129.E297@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011004071834.A2458@acadia.ne.mediaone.net>
In-Reply-To: <20011004071834.A2458@acadia.ne.mediaone.net>; from leblanc+freebsd@acadia.ne.mediaone.net on Thu, Oct 04, 2001 at 07:18:35AM -0400

On Thu, Oct 04, 2001 at 07:18:35AM -0400, Louis LeBlanc wrote:
> Hey all. I have a question about ipfw. I am under the impression
> that it is ok to use a DNS name for src or dest, as in the following
> excerpt from my rc.firewall - IPADDR gets defined correctly, and
> NEWS_SERVER is defined as news.ne.mediaone.net:
>
> ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 \
> via $EXT_INTERFACE out
>
> ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \
> via $EXT_INTERFACE in established
>
> but I get the following when testing the script:
>
> ipfw: error: hostname ``news.ne.mediaone.net'' unknown
[snip]
> A similar error dump is generated for each rule using a hostname.
>
> I have opened the DNS ports by IP prior to using any hostnames.

So, if you type,

  % dig news.ne.mediaone.net

before you run the script, it works? Even if it does, there would not
happen to be an 'ipfw -f flush' rule at the top of your script? Are the
DNS ports opened up in the script before these rules with hostnames?
Look up the names in the script right before the rules to see if they
work,

  host $NEWS_SERVER
  ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 \
      via $EXT_INTERFACE out
  ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \
      via $EXT_INTERFACE in established

-- 
Crist J. Clark                     cjclark@alum.mit.edu
                                   cjclark@jhu.edu
                                   cjc@freebsd.org
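The failure mode discussed in this thread, as an added example that is not part of either poster's script: ipfw(8) resolves a hostname with the system resolver at the moment the rule is inserted and stores only the resulting address, so a name in a rule is looked up exactly once, and if the script has just flushed the firewall or has not yet added the DNS rules, that lookup is what gets blocked and the rule fails with "hostname ... unknown". The fragment below loads the resolver rules by address first, resolves every name itself (using host(1), as the reply suggests, with getent as a fallback) and refuses to continue if a name does not resolve, and then emits the NNTP rules with addresses substituted in. Interface ed0, address 10.0.0.5, name server 192.0.2.53 and the IPFW variable are hypothetical values chosen for the example, not the original configuration.

```sh
#!/bin/sh
# Added example, not from the original thread.  Hypothetical defaults below;
# IPFW=echo (the default) prints the rules instead of loading them.
IPFW="${IPFW:-echo}"
EXT_INTERFACE="${EXT_INTERFACE:-ed0}"
IPADDR="${IPADDR:-10.0.0.5}"
UNPRIVPORTS="1024-65535"
NAMESERVER="${NAMESERVER:-192.0.2.53}"
NEWS_SERVER="${NEWS_SERVER:-news.ne.mediaone.net}"

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with each octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# resolve_host NAME: print one IPv4 address for NAME, or fail.  A literal
# address is passed through untouched so it never touches the resolver.
resolve_host() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    addr=$(host "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }')
    [ -n "$addr" ] || addr=$(getent hosts "$1" 2>/dev/null |
        awk '$1 ~ /^[0-9.]+$/ { print $1; exit }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# dns_rules: let the resolver reach NAMESERVER by address.  These must be in
# place before anything that needs a lookup; add a matching tcp pair if your
# resolver falls back to TCP.
dns_rules() {
    $IPFW add allow udp from "$IPADDR" "$UNPRIVPORTS" to "$NAMESERVER" 53 \
        via "$EXT_INTERFACE" out
    $IPFW add allow udp from "$NAMESERVER" 53 to "$IPADDR" "$UNPRIVPORTS" \
        via "$EXT_INTERFACE" in
}

# news_rules NEWS_IP: the two NNTP rules from the thread, with the server
# already reduced to an address so the rule text no longer depends on DNS.
news_rules() {
    $IPFW add allow tcp from "$IPADDR" "$UNPRIVPORTS" to "$1" 119 \
        via "$EXT_INTERFACE" out
    $IPFW add allow tcp from "$1" 119 to "$IPADDR" "$UNPRIVPORTS" \
        via "$EXT_INTERFACE" in established
}

# load_firewall: flush, open DNS, resolve, then add the name-based rules.
load_firewall() {
    $IPFW -f flush
    dns_rules
    news_ip=$(resolve_host "$NEWS_SERVER") || {
        echo "cannot resolve $NEWS_SERVER; not loading rules that need it" >&2
        return 1
    }
    news_rules "$news_ip"
}

# Run with "sh ipfw_names.sh load" to dry-run, or IPFW=ipfw to apply.
case "${1:-}" in
    load) load_firewall ;;
esac
```

Because the addresses are fixed into the rules at load time, a later DNS change for the news server silently leaves the rules pointing at the old address, so a script like this has to be re-run (or the rule replaced) whenever the name moves; that is a property of any hostname-based ipfw rule, not of this wrapper.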