From owner-freebsd-questions Sun Apr 15 22:21: 7 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from laxmls04.socal.rr.com (laxmls04.socal.rr.com [24.30.163.18]) by hub.freebsd.org (Postfix) with ESMTP id 68BB537B423 for ; Sun, 15 Apr 2001 22:21:04 -0700 (PDT) (envelope-from cwalker@cwalk.org)
Received: from cwalk.org (sc-24-24-206-138.socal.rr.com [24.24.206.138]) by laxmls04.socal.rr.com (8.11.2/8.11.1) with ESMTP id f3G5Kv518285; Sun, 15 Apr 2001 22:20:58 -0700 (PDT)
Received: from ramon (oscar [192.168.1.39]) by cwalk.org (8.9.3/8.9.3) with SMTP id WAA00503; Sun, 15 Apr 2001 22:17:41 -0700 (PDT) (envelope-from cwalker@cwalk.org)
Message-ID: <017201c0c634$6b5893a0$2701a8c0@cwalk.org>
From: "Caleb Walker"
To: "Dru"
Cc:
References:
Subject: Re: IPFW rules
Date: Sun, 15 Apr 2001 22:16:40 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This brings me to another question about my firewall. I have Windows users that are behind a firewall and DNS servers are on the other side. I notice that Windows sends DNS queries from some unknown port number to port 53. I have been using keep-state for this to work but I don't like doing that. Is there another way to make sure that DNS queries are passed all of the time?

----- Original Message -----
From: "Dru"
To: "Caleb Walker"
Cc:
Sent: Sunday, April 15, 2001 12:34 PM
Subject: Re: IPFW rules

>
> Hi Caleb,
>
> The SSH server listens on TCP port 22, but the client uses any port below
> 1023 (if you're using .rhosts for authentication) or any port above 1024
> if you're not using .rhosts for authentication. So it looks like when
> you remove rule 64101 you drop your responses.
>
> Have you tried something like this:
>
> 64000 allow tcp from any to any 22 in (you also might want to log that one)
> 64001 allow tcp from any 22 to any out established
>
> You won't need the UDP one for port 22.
>
> HTH,
>
> Dru
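The two rule shapes in this thread, Dru's `in` / `out established` pair for SSH and Caleb's keep-state rule for DNS replies, are easier to reason about with a small first-match simulator. The block below is an added example written for this archive page, not code from either poster or from ipfw; it models only the matching features the thread uses (protocol, ports, direction, `established`, `keep-state` with an implicit `check-state`), and all addresses and ephemeral ports in it are constructed. It shows why the SSH reply rule needs `established` (a fresh connection originating from port 22 is still refused), and why the stateless substitute for DNS that Caleb is considering, "allow udp from any 53 to any in", admits any datagram with source port 53 whether or not a query went out, while the keep-state rule admits only replies to a remembered query.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str              # "in" (arriving at the firewall) or "out" (leaving it)
    established: bool = False   # TCP segment with ACK or RST set (ipfw's 'established')


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (any)
    sport: Optional[int] = None    # None means 'any'
    dport: Optional[int] = None
    direction: Optional[str] = None
    established: bool = False      # match only segments with ACK/RST set
    keep_state: bool = False       # on match, remember the flow so replies pass

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.direction is None or self.direction == pkt.direction)
                and (not self.established or pkt.established))


class Firewall:
    """Toy first-match evaluator with a dynamic table, in the style of ipfw (not ipfw itself)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()   # 5-tuples of flows admitted by a keep-state rule

    def evaluate(self, pkt: Packet):
        # Implicit check-state: a packet that is the reverse of a remembered flow
        # is admitted before the static rules are consulted.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic:
            return ("allow", "dynamic")
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return (rule.action, rule.number)
        return ("deny", 65535)   # ipfw's implicit default rule


def ssh_scenario():
    """Dru's pair: SSH in to port 22, replies out from port 22 only when 'established'."""
    fw = Firewall([
        Rule(64000, "allow", "tcp", dport=22, direction="in"),
        Rule(64001, "allow", "tcp", sport=22, direction="out", established=True),
    ])
    syn_in = Packet("tcp", "203.0.113.5", 40000, "192.0.2.1", 22, "in")
    reply = Packet("tcp", "192.0.2.1", 22, "203.0.113.5", 40000, "out", established=True)
    # A SYN leaving from port 22 has no ACK set: a new connection, not a reply.
    syn_out = Packet("tcp", "192.0.2.1", 22, "203.0.113.5", 40000, "out")
    return [fw.evaluate(p)[0] for p in (syn_in, reply, syn_out)]   # ["allow", "allow", "deny"]


def dns_stateless() -> str:
    """Stateless alternative: any UDP datagram with source port 53 is let in, solicited or not."""
    fw = Firewall([
        Rule(64010, "allow", "udp", dport=53, direction="out"),
        Rule(64011, "allow", "udp", sport=53, direction="in"),
    ])
    unsolicited = Packet("udp", "198.51.100.9", 53, "192.0.2.1", 1234, "in")
    return fw.evaluate(unsolicited)[0]   # "allow", though no query was ever sent to 198.51.100.9


def dns_keep_state() -> Tuple[str, str]:
    """Caleb's keep-state rule: the same datagram is refused until a matching query went out."""
    fw = Firewall([Rule(64010, "allow", "udp", dport=53, direction="out", keep_state=True)])
    unsolicited = Packet("udp", "198.51.100.9", 53, "192.0.2.1", 1234, "in")
    before = fw.evaluate(unsolicited)[0]                      # "deny": no flow remembered
    fw.evaluate(Packet("udp", "192.0.2.1", 1234, "198.51.100.9", 53, "out"))   # query, remembered
    after = fw.evaluate(unsolicited)[0]                       # "allow": matches the dynamic entry
    return before, after


if __name__ == "__main__":
    print("ssh:", ssh_scenario())
    print("dns stateless:", dns_stateless())
    print("dns keep-state:", dns_keep_state())
```

The simulator deliberately ignores what the real kernel also checks (interface, TCP flags beyond ACK/RST, dynamic-entry timeouts), so it is a reasoning aid for the rule shapes in the thread rather than a substitute for testing a ruleset on the box.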