From: Bill Moran <wmoran@potentialtech.com>
Date: Sat, 01 Mar 2003 10:17:06 -0500
To: Mark
Cc: questions@freebsd.org
Subject: Re: DNS and ipfw

Mark wrote:
> This is really wonky! I've tried all sorts of variations on the
> following rules:
>
> add pass tcp from any 53 to 10.0.0.0/24
> add pass udp from any 53 to 10.0.0.0/24
> add pass tcp from 10.0.0.0/24 to any 53
> add pass udp from 10.0.0.0/24 to any 53

I'm assuming that you're not running a DNS cache on the firewall?
So make sure these rules come _after_ the divert rule. You'll need
keep-state on the udp rules. Although tcp port 53 is registered to
DNS, I've never actually seen it used.

Here are some rules to try:

add pass udp from 10.0.0.0/24 to any 53 keep-state
add pass udp from any to any 53 keep-state via xx0 out
(replace xx0 with the name of your external interface)

The first should allow any DNS query initiated by your internal network
to pass into the firewall. The keep-state allows anything that was able
to pass in to pass back out. The second rule allows anything that gets
into your firewall to get out via the correct interface, and the
keep-state makes sure it can get back in.

If you still have problems after this, post the entire firewall ruleset
(the output of 'ipfw show' after you've been trying DNS for a few
minutes would be most useful). It's hard to diagnose firewall problems
without all the rules to compare their interaction with each other.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
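The two stateful DNS rules above, as an added example in the form of a complete ipfw ruleset script (example code written for this page, not from the original message or from FreeBSD). It puts the natd divert rule ahead of the DNS rules, as the reply says, and adds a check-state rule so replies are matched against the dynamic rules at a fixed point in the ruleset rather than at whichever keep-state rule they happen to reach first. The external interface name em0, the natd divert port 8668, the rule numbers, the default-deny rule and the extra TCP 53 rules (used for zone transfers and for responses too large for UDP) are assumptions that do not appear in the original thread.

```shell
#!/bin/sh
# Example ipfw ruleset for a NAT firewall (natd on a divert socket) that
# must let hosts on the internal network resolve DNS. Added example; not
# from the original post. Assumptions: external interface em0, natd on
# divert port 8668, and the rule numbers used below.

EXT_IF="${EXT_IF:-em0}"            # assumed external interface name
INT_NET="${INT_NET:-10.0.0.0/24}"  # internal network from the thread
NATD_PORT="${NATD_PORT:-8668}"     # assumed natd divert port
# FW defaults to "echo" so the script prints the rules (dry run).
# Run with FW="ipfw -q" to actually load them into the kernel.
FW="${FW:-echo}"

build_ruleset() {
    $FW -f flush
    # 1. NAT first. Packets arriving on the external interface are
    #    un-NATed before any pass rule sees them, so replies are already
    #    addressed to the 10.0.0.0/24 host when the stateful rules run;
    #    outbound packets are NATed before the "out via" rule sees them.
    $FW add 100 divert "$NATD_PORT" ip from any to any via "$EXT_IF"
    # 2. Match dynamic rules created by the keep-state rules below.
    $FW add 200 check-state
    # 3. Loopback and already-established TCP sessions.
    $FW add 300 pass ip from any to any via lo0
    $FW add 400 pass tcp from any to any established
    # 4. Queries leaving the internal network. keep-state creates a
    #    dynamic rule so the answer (remote:53 -> 10.0.0.x:port) passes
    #    back through on the way to the internal interface.
    $FW add 500 pass udp from "$INT_NET" to any 53 keep-state
    $FW add 510 pass tcp from "$INT_NET" to any 53 setup keep-state
    # 5. The same query after NAT, now sourced from the public address,
    #    leaving on the external interface. keep-state here lets the
    #    answer back in at the divert/check-state stage.
    $FW add 600 pass udp from any to any 53 out via "$EXT_IF" keep-state
    $FW add 610 pass tcp from any to any 53 out via "$EXT_IF" setup keep-state
    # 6. Everything else is dropped and logged (shows up in ipfw show).
    $FW add 65000 deny log ip from any to any
}

# Check the ordering invariant on a printed ruleset (FW=echo output):
# the divert rule must precede check-state, which must precede the
# first DNS rule. Returns non-zero if any of them is missing or misordered.
ruleset_order_ok() {
    divert=$(printf '%s\n' "$1" | awk '/ divert /{print $2; exit}')
    cstate=$(printf '%s\n' "$1" | awk '/ check-state/{print $2; exit}')
    dns=$(printf '%s\n' "$1" | awk '/ 53 /{print $2; exit}')
    [ -n "$divert" ] && [ -n "$cstate" ] && [ -n "$dns" ] &&
        [ "$divert" -lt "$cstate" ] && [ "$cstate" -lt "$dns" ]
}

build_ruleset
```

With the defaults the script only prints the rules; load them with `FW="ipfw -q" sh ipfw-dns.sh` on the firewall itself, and then use `ipfw show` (as the reply suggests) to watch the counters on rules 500 and 600 climb while a client resolves names. Rule 600 is deliberately limited to `out via` the external interface so it cannot be used to pass unsolicited inbound traffic to port 53.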