From owner-freebsd-questions@FreeBSD.ORG Sat Jul 31 22:43:57 2004
Date: Sun, 1 Aug 2004 01:43:13 +0300
From: Giorgos Keramidas
To: JJB
cc: freebsd-questions@freebsd.org
Subject: Re: Firewall Rule Set not allowing access to DNS servers?
Message-ID: <20040731224313.GA1048@gothmog.gr>
References: <20040731173613.GA30298@gothmog.gr>
In-Reply-To:
List-Id: User questions

[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
>> On 2004-07-31 12:08, "James A. Coulter" wrote:
>>> My LAN is configured with static IP addresses, 192.168.1.x.
>>>
>>> I have no problems communicating within the LAN.
>>>
>>> I have full connectivity with the internet from every machine on
>>> my LAN when the firewall is open.
>>>
>>> When I use the rule set in question, I can ping and send mail but
>>> I cannot access the DNS servers listed in resolv.conf.
>>
>> There are many ways in which your ruleset might break. Two of the
>> most important comments I wanted to make when I first saw the posts
>> of this thread are: [...]
>>
>> b) Why do you use so many rules that 'filter' outgoing traffic?
>>
>>    I saw smtp, pop3, time, http, https and many others. You
>>    don't need to explicitly allow outgoing connections unless
>>    the users in the internal LAN are not to be trusted at all
>>    and even then IPFW is most of the time not the right way to
>>    do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your
posts and available online at:

    http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be
cool if it was somehow incorporated into the Handbook. It's not yet,
but I like most of the text so I hope it gets converted to SGML and
added to the Handbook either in parts or as a whole.

If by "... which explains in detail why ..." you refer to this
particular quote from that document, I'm not sure that it is always a
good idea but that's my own opinion:

    "The Outbound section in the following rule set only contains
    `pass' rules which contain selection values that uniquely identify
    the service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be
limited and/or controlled in a more or less strict manner, it looks
like a great idea. At home, where a couple of machines share a single
Internet connection through a dialup or DSL line, this might be a bit
too limiting ;-)

- Giorgos
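The two outbound policies the thread argues about, side by side, as an added example that is neither the original poster's ruleset nor the rules from the linked guide. Policy A is the "trusted LAN" approach Giorgos describes: one stateful allow per direction. Policy B is the per-service style the guide recommends, and it includes the rule that explains the reported symptom: a per-service set that lists smtp, pop3, http and https but omits port 53 lets ping (icmp) and mail (tcp/25) through while every lookup of the servers in resolv.conf is silently dropped. The interface name `tun0`, the rule numbers, the `IPFW` variable (set it to `echo` to print rules instead of loading them), and the assumed set of services are all this example's choices; NAT (`natd`/`divert`) and the inbound section are left out on purpose.

```shell
#!/bin/sh
# Added example (not from the thread or the guide): two ipfw outbound policies
# for a small gateway. Run with no argument to print both rule sets;
# "stateful" or "per-service" loads that policy with ipfw(8).
IPFW="${IPFW:-ipfw}"        # assumption: set IPFW=echo for a dry run
oif="tun0"                  # assumption: the dialup/DSL (outside) interface
lan="192.168.1.0/24"        # the poster's LAN

# Policy A: trust the LAN. Anything going out creates a dynamic rule and the
# reply (DNS answer, SMTP banner, HTTP response) is admitted by check-state.
outbound_stateful() {
    $IPFW add 00100 check-state
    $IPFW add 00200 allow ip from "$lan" to any out via "$oif" keep-state
    $IPFW add 00300 allow ip from me to any out via "$oif" keep-state
}

# Policy B: enumerate the services the LAN may reach. Every rule still uses
# keep-state so replies come back, but nothing is allowed out by default.
# The two port-53 rules are the ones a ruleset like the poster's is missing:
# without them ping (00210) and mail (00230) work, resolv.conf lookups do not.
outbound_per_service() {
    $IPFW add 00100 check-state
    $IPFW add 00210 allow icmp from "$lan" to any out via "$oif" icmptypes 8 keep-state
    $IPFW add 00220 allow udp from "$lan" to any 53 out via "$oif" keep-state
    $IPFW add 00221 allow tcp from "$lan" to any 53 out via "$oif" setup keep-state
    $IPFW add 00230 allow tcp from "$lan" to any 25 out via "$oif" setup keep-state
    $IPFW add 00240 allow tcp from "$lan" to any 110 out via "$oif" setup keep-state
    $IPFW add 00250 allow tcp from "$lan" to any 80 out via "$oif" setup keep-state
    $IPFW add 00251 allow tcp from "$lan" to any 443 out via "$oif" setup keep-state
    $IPFW add 00260 allow udp from "$lan" to any 123 out via "$oif" keep-state
    # Explicit, logged catch-all: this is what shows up in /var/log/security
    # when a forgotten service (here DNS, before 00220/00221) is denied.
    $IPFW add 00290 deny log ip from any to any out via "$oif"
}

case "${1:-show}" in
    stateful)    outbound_stateful ;;
    per-service) outbound_per_service ;;
    show)
        IPFW=echo
        echo "# policy A: stateful, trusted LAN"; outbound_stateful
        echo "# policy B: per-service"; outbound_per_service
        ;;
esac
```

A quick check for a ruleset that already exists is `ipfw show | grep ' 53 '`: if no rule mentions port 53 on the outbound interface and the last outbound rule is a deny, the DNS symptom in the thread is the expected outcome, and the fix is the pair of rules at 00220/00221 above (udp for normal queries, tcp for answers too large for UDP).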