Date: Thu, 20 Dec 2001 16:22:33 -0600 From: Eric_Stanfield@kenokozie.com To: "Dustin Puryear" <dpuryear@usa.net> Cc: freebsd-isp@FreeBSD.ORG Subject: RE: FreeBSD firewall and DNS Message-ID: <OFC7B9562E.F1A22314-ON86256B28.0079F9EF@kka.com>
next in thread | raw e-mail | index | archive | help
From my firewall machine at home:
# Enable NAT on the external interface
/sbin/ipfw add divert 8668 ip from any to any via xl0
# Allow name queries
/sbin/ipfw add pass udp from any 53 to any
/sbin/ipfw add pass udp from any to any 53
...works like a charm. YMMV
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Tell them what you know. Tell them what you don't know. And, only then,
tell them what you think."
Eric Stanfield, K2Access
Keno Kozie Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000
"Dustin
Puryear" To: <Eric_Stanfield@kenokozie.com>
<dpuryear@usa cc: <freebsd-isp@FreeBSD.ORG>
.net> Subject: RE: FreeBSD firewall and DNS
12/20/2001
04:19 PM
> In all those examples you are allowing queries to be sent TO port 53 of a
> dns server, but you are not allowing replies FROM port 53 of the dns
> server. Which is why your very last rule is the only one that
> makes things
> work. allow udp from any to 10.0.0.5 is allowing the dns server to reply
> form port 53 to your machine at 10.0.0.5.
But isn't that the idea behind keep-state? Shouldn't the rule:
01400 divert 8668 ip from any to any via rl0
...
02900 allow udp from 10.0.0.5 to any 53 keep-state
Do this for us?
> Also, someone else jump in, since when can you keep-state on udp based
> traffic? Maybe I've just forgotten something along the way.
This is from /etc/rc.firewall that came with stock FreeBSD:
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
I am just trying to tweak it for our use. Anyway, this assumes that the DNS
query will originate from the firewall itself I believe. However, our DNS
server is not located on the firewall but on a machine setup via static NAT
inside our private network. Our DNS server has the private IP 10.0.0.5.
All I know is that it is not working, and I can't figure out why. I have a
feeling that it may have to do with NAT, but I'm not sure. From my
perspective it should work.
Anyway, I found that my dynamic rules are a bit funky. It seems that they
are being build for both my private and public IP addresses for the DNS
server:
02700 2 124 (T 0, # 56) ty 0 udp, aa.bb.cc.dd 1487 <-> 66.135.0.10 53
02900 8 1358 (T 0, # 245) ty 0 udp, 10.0.0.5 1487 <-> 66.135.0.10 53
Where aa.bb.cc.dd is my public IP.
Regards, Dustin
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Eric Stanfield, K2Access
> Keno Kozie Associates
> 222 N LaSalle #1500
> Chicago, IL 60606
> (312) 332-3000
>
>
>
>
>
>
> "Dustin Puryear"
>
> <dpuryear@usa.net> To:
> <freebsd-isp@FreeBSD.ORG>
> Sent by: cc:
>
> owner-freebsd-isp@F Subject:
> FreeBSD firewall and DNS
> reeBSD.ORG
>
>
>
>
>
> 12/20/2001 02:54 PM
>
>
>
>
>
>
>
>
> I am having problems configuring a FreeBSD 4.4-RELEASE firewall to allow
a
> DNS server to work. When I say "work" I mean it is unable to
> resolve names.
> Instead, it just times out. Please note that we are using static
> NAT. Also,
> the DNS server is NOT located on the firewall. (On a related
> note, if I run
> a DNS server on the firewall it works.) The DNS server does have a public
> IP
> address via the static NAT mapping, but I would think it should work
> regardless. At least, for resolving names.
>
> Okay, so I have a firewall at 10.0.0.1 private a.b.c.d public. Via NAT
the
> DNS server, which will be for public use, has a private address
> of 10.0.0.5
> and w.x.y.z public. If I install the DNS server on the firewall
> and use the
> rules:
>
> 01500 divert 8668 ip from any to any via rl0
> ...
> 02600 allow udp from a.b.c.d to any 53 keep-state
> 02700 allow tcp from a.b.c.d to any 53 keep-state
>
> The DNS server on the firewall works and can resolve names for
> me. However,
> if I put the DNS server on another internal machine and use the rules:
>
> 01500 divert 8668 ip from any to any via rl0
> ...
> 02800 allow udp from w.x.y.z to any 53 keep-state
> 02900 allow tcp from w.x.y.z to any 53 keep-state
>
> The internal server times out. Okay, so I am thinking that perhaps since
> the
> divert rule comes first I should be using the internal address:
>
> 01500 divert 8668 ip from any to any via rl0
> ...
> 02800 allow udp from 10.0.0.5 to any 53 keep-state
> 02900 allow tcp from 10.0.0.5 to any 53 keep-state
>
> Unfortunately, I get the same result. The DNS server cannot resolve the
> name
> and nslookup eventually times out. Now, I can make it work by adding the
> rule:
>
> 03640 allow udp from any to 10.0.0.5
>
> But why is this necessary? Assuming my DNS server does not need to be
> accessible to external users I should just need to allow the server to
hit
> remote DNS server's and to expect replies via the keep-state. Am I
missing
> something here?
>
> BTW, I am including my full ruleset below just in case.
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow ip from any to any via nge0
> 00500 deny ip from 10.0.0.0/24 to any in recv rl0
> 00600 deny ip from a.b.c.0/26 to any in recv nge0
> 00700 deny ip from any to 10.0.0.0/8 via rl0
> 00800 deny ip from any to 172.16.0.0/12 via rl0
> 00900 deny ip from any to 192.168.0.0/16 via rl0
> 01000 deny ip from any to 0.0.0.0/8 via rl0
> 01100 deny ip from any to 169.254.0.0/16 via rl0
> 01200 deny ip from any to 192.0.2.0/24 via rl0
> 01300 deny ip from any to 224.0.0.0/4 via rl0
> 01400 deny ip from any to 240.0.0.0/4 via rl0
> 01500 divert 8668 ip from any to any via rl0
> 01600 deny ip from 10.0.0.0/8 to any via rl0
> 01700 deny ip from 172.16.0.0/12 to any via rl0
> 01800 deny ip from 192.168.0.0/16 to any via rl0
> 01900 deny ip from 0.0.0.0/8 to any via rl0
> 02000 deny ip from 169.254.0.0/16 to any via rl0
> 02100 deny ip from 192.0.2.0/24 to any via rl0
> 02200 deny ip from 224.0.0.0/4 to any via rl0
> 02300 deny ip from 240.0.0.0/4 to any via rl0
> 02400 allow tcp from any to any established
> 02500 allow ip from any to any frag
> 02600 allow udp from a.b.c.d to any 53 keep-state # for DNS on firewall
> 02700 allow tcp from a.b.c.d to any 53 keep-state # ""
> 02800 allow udp from w.x.y.z to any 53 keep-state # for DNS on
> another box
> 02900 allow tcp from w.x.y.z to any 53 keep-state # ""
> 03000 allow tcp from any to 10.0.0.5 25 setup
> 03100 allow tcp from any to 10.0.0.20 80 via rl0 setup # web
> 03200 allow tcp from any to 10.0.0.21 80 via rl0 setup # web
> 03300 allow tcp from any to any 22 setup
> 03400 allow icmp from any to any keep-state
> 03500 allow tcp from any to any setup
> 03640 allow udp from any to 10.0.0.5 # crappy fix to allow DNS to work
> 03900 deny log logamount 10 tcp from any to any in recv rl0 setup
> 65535 deny ip from any to any
>
> Regards, Dustin
>
> ---
> Dustin Puryear <dpuryear@usa.net>
> Information Systems Consultant
> http://members.telocity.com/~dpuryear
> In the beginning the Universe was created.
> This has been widely regarded as a bad move. - Douglas Adams
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OFC7B9562E.F1A22314-ON86256B28.0079F9EF>