Date: Sat, 01 Mar 2003 10:17:06 -0500
From: Bill Moran <wmoran@potentialtech.com>
To: Mark <mw@lanfear.com>
Cc: questions@freebsd.org
Subject: Re: DNS and ipfw
Message-ID: <3E60CEF2.3060304@potentialtech.com>
References: <1046497302.10689.4.camel@donburi> <1046500933.10689.9.camel@donburi>
Mark wrote:
> This is really wonky! I've tried all sorts of variations on the
> following rules:
>
> add pass tcp from any 53 to 10.0.0.0/24
> add pass udp from any 53 to 10.0.0.0/24
> add pass tcp from 10.0.0.0/24 to any 53
> add pass udp from 10.0.0.0/24 to any 53

I'm assuming that you're not running a DNS cache on the firewall?
So make sure these rules come _after_ the divert rule.

You'll need keep-states on the udp rules. Although tcp port 53 is
registered to DNS, I've never actually seen it used. Here are some
rules to try:

add pass udp from 10.0.0.0/24 to any 53 keep-state
add pass udp from any to any 53 keep-state via xx0 out

(replace xx0 with the name of your external interface)

The first should allow any DNS query initiated by your internal network
to pass into the firewall. The keep-state allows anything that was able
to pass in to pass back out. The second rule allows anything that gets
into your firewall to get out via the correct interface, and the keep
state makes sure it can get back in.

If you still have problems after this, post the entire firewall ruleset
(the output of 'ipfw show' after you've been trying DNS for a few
minutes would be most useful). It's hard to diagnose firewall problems
without all the rules to compare their interaction with each other.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
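The two pitfalls the reply points at (port 53 rules placed before the divert rule, and UDP 53 rules without keep-state) can be checked mechanically against the 'ipfw show' dump it asks for. The checker below is an added example written for this page, not code from the thread; the sample dump is constructed, and the rule bodies follow the 'rulenum packets bytes body' shape that ipfw show prints.

```python
"""Flag DNS rules in an `ipfw show` dump that precede the divert (natd)
rule or that are UDP rules lacking keep-state.  Added example for this
page; the sample dump below is constructed, not captured."""
import re

# Constructed `ipfw show` output: rule number, packet count, byte count, body.
# It deliberately reproduces the problem: port 53 rules numbered before the
# divert rule, and UDP 53 rules with no keep-state.
SAMPLE = """\
00100    12    1820 allow ip from any to any via lo0
00200     0       0 allow udp from any 53 to 10.0.0.0/24
00300     0       0 allow udp from 10.0.0.0/24 to any dst-port 53
00400   931  120554 divert 8668 ip from any to any via xx0
00500    44    5110 allow udp from 10.0.0.0/24 to any dst-port 53 keep-state
00600    10    1300 allow udp from any to any dst-port 53 keep-state out via xx0
65535  2031  245900 deny ip from any to any
"""

LINE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+(.*)$")
# Match a bare port 53 but not the 53 inside a dotted address.
PORT53 = re.compile(r"(?<![\d.])53(?![\d.])")

def parse_show(text):
    """Return (rule_number, rule_body) tuples from `ipfw show` output."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules

def check_dns_rules(text):
    """Return (rule_number, reason) findings for port 53 rules that sit
    before the first divert rule or are UDP rules without keep-state."""
    rules = parse_show(text)
    divert_num = next((n for n, b in rules if b.startswith("divert")), None)
    findings = []
    for num, body in rules:
        if body.startswith("divert") or not PORT53.search(body):
            continue
        if divert_num is not None and num < divert_num:
            findings.append((num, "port 53 rule precedes divert rule %d" % divert_num))
        if body.split()[1] == "udp" and "keep-state" not in body:
            findings.append((num, "udp 53 rule without keep-state"))
    return findings

if __name__ == "__main__":
    for num, reason in check_dns_rules(SAMPLE):
        print("rule %05d: %s" % (num, reason))
```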
