Date: 27 Oct 2002 20:43:19 +0000
From: Stacey Roberts <stacey@Demon.vickiandstacey.com>
To: "D. Penev" <dpenev@mail.bg>
Cc: sroberts@dsl.pipex.com, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
Message-ID: <1035751404.398.2.camel@Demon.vickiandstacey.com>
In-Reply-To: <20021027180957.GB240@earth.dpsca.bg>
References: <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org> <1035743359.65564.12.camel@Demon.vickiandstacey.com> <20021027180957.GB240@earth.dpsca.bg>
Hello,
    Thought you'd like to know that the amendments you suggested work for me now.
Thank you very much for the time and effort!

See:
$ dig . ns @c.root-servers.net

; <<>> DiG 8.3 <<>> . ns @c.root-servers.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.       6D IN NS        L.ROOT-SERVERS.NET.
.       6D IN NS        M.ROOT-SERVERS.NET.
.       6D IN NS        I.ROOT-SERVERS.NET.
.       6D IN NS        E.ROOT-SERVERS.NET.
.       6D IN NS        D.ROOT-SERVERS.NET.
.       6D IN NS        A.ROOT-SERVERS.NET.
.       6D IN NS        H.ROOT-SERVERS.NET.
.       6D IN NS        C.ROOT-SERVERS.NET.
.       6D IN NS        G.ROOT-SERVERS.NET.
.       6D IN NS        F.ROOT-SERVERS.NET.
.       6D IN NS        B.ROOT-SERVERS.NET.
.       6D IN NS        J.ROOT-SERVERS.NET.
.       6D IN NS        K.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129

;; Total query time: 229 msec
;; FROM: Demon.vickiandstacey.com to SERVER: c.root-servers.net  192.33.4.12
;; WHEN: Sun Oct 27 20:41:04 2002
;; MSG SIZE  sent: 17  rcvd: 436

$

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
> On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
> >Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY?
> > [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in
> > /var/log/security]
> >From: Stacey Roberts <stacey@Demon.vickiandstacey.com>
> >To: Ruben de Groot <fbsd-q@bzerk.org>
> >Cc: sroberts@dsl.pipex.com,
> >    FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
> >Date: 27 Oct 2002 18:29:16 +0000
> >
> >Okay,
> >    I've been hacking about with my ipfw rules in order to nail this
> >down, but I'm still coming up against a wall here...
> >
> >I've made this change:
> ># Allow out access to Internet Domain name server
> >$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
> >keep-state
> >#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
> >keep-state   <==== <COMMENTED THIS OUT>
> >$fwcmd add 00618 allow udp from any to any 53 out via $oif
>
> You forgot keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
>
>
> >   ^
> >   |
> > PUT THIS IN INSTEAD
> >
> >Now I try to query a root-server, I still get stopped by the firewall:
> ># date
> >Sun Oct 27 18:19:35 GMT 2002
> ># dig . ns @b.root-servers.net
> >
> >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> >; (1 server found)
> >;; res options: init recurs defnam dnsrch
> >;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed
> >out
> >
> >Checking logs:
> ># tail /var/log/security
> ><snip>
> >Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
> >192.168.1.8:1642 in via sis0
> >#
> >
> >The previous poster (see below) informed me that using setup /
> >keep-state with udp is wrong. Given the changes I've made above, what
> >are the magic statements to allow me to query the root servers and allow
> >their responses back in?
> >
> >TIA
> >Stacey
> >
> >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> ><snip>
> >>
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> >> > keep-state
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> >> > keep-state
> >>
> >> This last rule is bogus. From ipfw(8):
> >>
> >>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >>              This is the short form of ``tcpflags syn,!ack''.
> >>
> >> "setup" is not supposed to work for UDP packets. There is no handshake as
> >> in tcp connections.
> >>
> >>
> >> >
> >> > Checking ipfw rule 910:
> >> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >> >
> >> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >> >
> >> > I'd appreciate someone helping me out here (or hitting me over the
> >> > head if I'm missing something simple and glaringly obvious)
> >> >
> >> > TIA
> >> >
> >> > Stacey
> >> >
> >> > --
> >> > Stacey Roberts
> >> > B.Sc (HONS) Computer Science
> >> >
> >> > Web: www.vickiandstacey.com
> >> >
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe freebsd-questions" in the body of the message
> >--
> >Stacey Roberts
> >B.Sc (HONS) Computer Science
> >
> >Web: www.vickiandstacey.com
> >
>
>
> --
> Regards,
> D. Penev
>
--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
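The two points the thread settles are that ipfw's "setup" keyword only ever matches TCP SYN packets, and that an outbound UDP rule without keep-state creates no dynamic rule, so the DNS answer falls through to the logging deny. The script below is an added example, not code from the thread or from FreeBSD: it lints rule text for both mistakes and counts the inbound port-53 denies in a /var/log/security excerpt. The rule lines and log lines are constructed from the thread (one extra constructed TCP deny is included to show it is ignored); $fwcmd and $oif are left unexpanded as in the poster's rc script.

```shell
#!/bin/sh
# Added example (not from the thread): audit ipfw rule text for setup/keep-state
# mistakes on UDP, and count the DNS replies that the deny rule logged.

RULES_BEFORE='$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any'

# Corrected set: the UDP rule keeps keep-state and drops the TCP-only "setup".
RULES_AFTER='$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
$fwcmd add 00910 deny log logamount 500 ip from any to any'

# Constructed /var/log/security excerpt; the first line is the one from the thread.
SECLOG='Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
Oct 27 18:19:45 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1643 in via sis0
Oct 27 18:20:01 Demon /kernel: ipfw: 900 Deny TCP 192.0.2.9:4444 192.168.1.8:22 in via sis0'

# lint_udp_rules RULES: print one finding per UDP rule that either uses
# "setup" (matches SYN-without-ACK, so it can never match UDP) or goes out
# without keep-state (no dynamic rule is created, so replies hit the deny).
lint_udp_rules() {
    printf '%s\n' "$1" | awk '
        /allow udp/ && /setup/ {
            print "rule " $3 ": setup is TCP-only and never matches UDP"; next }
        /allow udp/ && / out / && !/keep-state/ {
            print "rule " $3 ": outbound udp without keep-state, replies will be denied" }'
}

# count_denied_dns_replies LOG: count inbound UDP denies whose source port is
# 53, i.e. answers to queries this host sent that no dynamic rule let back in.
# Field 10 of an ipfw log line is "srcaddr:srcport".
count_denied_dns_replies() {
    printf '%s\n' "$1" | awk '
        /ipfw:/ && /Deny UDP/ && / in via / {
            split($10, src, ":"); if (src[2] == "53") n++ }
        END { print n + 0 }'
}

echo "before:"; lint_udp_rules "$RULES_BEFORE"
echo "after:";  lint_udp_rules "$RULES_AFTER"
echo "denied DNS replies logged: $(count_denied_dns_replies "$SECLOG")"
```

Run against a real rc.firewall, feed the script's rule lines to lint_udp_rules and the output of `grep ipfw /var/log/security` to count_denied_dns_replies; a non-zero count alongside a lint finding is the signature of the failure the thread describes.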