From: Chuck Swiger
Date: Sun, 18 Jan 2004 13:23:53 -0500
To: fbsd_user@a1poweruser.com
cc: freebsd-ipfw@freebsd.org, freebsd-questions@FreeBSD.ORG
Subject: Re: 5.2 + ipfw2 + keep-state rules Bug

fbsd_user wrote:
> Using a fresh install of FBSD 5.2 RC2 I am trying to
> get stateful rules to function.
> For some reason ipfw2 seems to be issuing an ICMP:3.3
> packet to my ISP's dns.

[ ... ]

> # Internal gateway housekeeping
> $cmd 00100 allow all from any to any via lo0 # allow all localhost
> $cmd 00105 allow all from any to any via xl0 # allow all local Lan
> $cmd 00110 check-state log logamount 500
> $cmd 00150 divert natd all from any to any
> $cmd 00170 count log logamount 500 all from any to any
> $cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
> $cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state
> $cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
> $cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state
> $cmd 00500 deny log logamount 500 all from any to any

Something like the following would be better in terms of DNS and not
blocking essential types of ICMP traffic:

    allow tcp from any to any 53 out via rl0 setup keep-state
    allow udp from any to any 53
    allow icmp from any to any icmptypes 0,3,4,8,11,12

This allows bidirectional UDP-based DNS queries, but only outbound long
(TCP-based) DNS queries like zone-transfers.

YMMV, and it may not solve your problem-- it looked like your queries
were coming from an internal host (10.0.10.5) using NAT? Are you sure
that natd is okay? Maybe put the divert statement before the
"check-state" rule?

--
-Chuck
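The quoted ruleset with Chuck's three suggestions applied (divert before check-state, stateless UDP DNS, explicit ICMP types), as an added example that is not part of the original mail. The rule numbers, the DRY_RUN wrapper and the helper functions `rule_number` and `nat_before_state` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Rule numbers, the DRY_RUN
# wrapper and the helper function names are assumptions.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print rules for review, 0 = load with ipfw(8)

cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw -q add $*"
    else
        ipfw -q add "$@"
    fi
}

load_rules() {
    # Internal gateway housekeeping
    cmd 00100 allow all from any to any via lo0   # loopback
    cmd 00105 allow all from any to any via xl0   # internal LAN
    # NAT first: check-state then matches dynamic rules against the
    # translated addresses, which is what the keep-state rules recorded.
    cmd 00110 divert natd all from any to any
    cmd 00120 check-state log logamount 500
    cmd 00170 count log logamount 500 all from any to any
    # DNS: stateful for outbound TCP (zone transfers, long answers),
    # stateless in both directions for UDP.
    cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
    cmd 00311 allow log logamount 500 udp from any to any 53
    cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
    # ICMP: echo reply/request (0, 8), destination unreachable (3, which
    # covers the 3.3 port-unreachable seen in the log), source quench (4),
    # time exceeded (11) and parameter problem (12); nothing else.
    cmd 00350 allow log logamount 500 icmp from any to any icmptypes 0,3,4,8,11,12
    cmd 00500 deny log logamount 500 all from any to any
}

# rule_number PATTERN: number of the first generated rule matching PATTERN
rule_number() {
    load_rules | awk -v k="$1" '$0 ~ k { print $4 + 0; exit }'
}

# nat_before_state: true only if the divert rule sorts before check-state,
# i.e. the ordering Chuck suggests checking.
nat_before_state() {
    [ "$(rule_number divert)" -lt "$(rule_number check-state)" ]
}

# With DRY_RUN=1 (the default) this prints the rules; DRY_RUN=0 loads them.
load_rules
```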