Subject: Re: DNS and ipfw
From: Mark
To: Bill Moran
Cc: questions@freebsd.org
Date: 01 Mar 2003 10:52:36 -0800
Message-Id: <1046544756.11595.13.camel@donburi>
In-Reply-To: <3E60CEF2.3060304@potentialtech.com>

On Sat, 2003-03-01 at 07:17, Bill Moran wrote:
> Mark wrote:
> > This is really wonky! I've tried all sorts of variations on the
> > following rules:
> >
> > add pass tcp from any 53 to 10.0.0.0/24
> > add pass udp from any 53 to 10.0.0.0/24
> > add pass tcp from 10.0.0.0/24 to any 53
> > add pass udp from 10.0.0.0/24 to any 53
>
> I'm assuming that you're not running a DNS cache on the firewall? So make
> sure these rules come _after_ the divert rule.
>
> You'll need keep-state's on the udp rules. Although tcp port 53 is
> registered to DNS, I've never actually seen it used. Here are some
> rules to try:
>
> add pass udp from 10.0.0.0/24 to any 53 keep-state
> add pass udp from any to any 53 keep-state via xx0 out

That appears to have done the trick, thanks very much! That keep-state
appears to be the key that I wasn't quite understanding.

Now, we'll just hope I don't run into the same problem with FreeBSD 4.3
where after a week of running like this, DNS queries would suddenly stop
getting through until I flushed and reset the firewall.

Thanks again!

ciao,
Mark.
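The following is an added example, not something posted in this thread: a small ipfw loader script that puts the stateless rules from the original question beside the stateful form Bill suggested, with the divert rule ahead of them as he advised. The interface name xx0 is the placeholder from his rule; the rule numbers, the natd divert rule and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw DNS rules for a FreeBSD 4.x
# gateway running natd. Interface name and rule numbers are assumptions.
ext_if="${EXT_IF:-xx0}"        # external interface (placeholder from the thread)
lan="${LAN_NET:-10.0.0.0/24}"  # internal network from the thread

# Run ipfw, or only print the command when DRY_RUN is set.
fwcmd() {
    if [ -n "$DRY_RUN" ]; then echo "ipfw $*"; else /sbin/ipfw "$@"; fi
}

# The stateless rules from the original question. A reply arrives on the
# external interface addressed to the gateway's public address, so a rule
# that matches "to $lan" never sees it until natd has rewritten it, and
# nothing ties the reply to the query that caused it.
dns_rules_stateless() {
    fwcmd add 1000 pass udp from "$lan" to any 53
    fwcmd add 1010 pass udp from any 53 to "$lan"
}

# The stateful form. Order matters: divert first, so packets are already
# translated when the pass rules see them; then check-state, so replies
# matching a dynamic rule are accepted before anything else; then the
# keep-state rules that create those dynamic rules for each query.
dns_rules_stateful() {
    fwcmd add 100 divert natd all from any to any via "$ext_if"
    fwcmd add 200 check-state
    fwcmd add 300 pass udp from "$lan" to any 53 keep-state
    fwcmd add 310 pass udp from any to any 53 keep-state via "$ext_if" out
    # TCP 53 carries answers too large for UDP and zone transfers; "setup"
    # matches only the SYN and the dynamic rule covers the rest of the session.
    fwcmd add 320 pass tcp from "$lan" to any 53 setup keep-state
    fwcmd add 330 pass tcp from any to any 53 setup keep-state via "$ext_if" out
}

# "show" prints the stateful ruleset, "load" installs it with /sbin/ipfw.
case "${1:-}" in
    show) DRY_RUN=1 dns_rules_stateful ;;
    load) dns_rules_stateful ;;
esac
```

Dynamic rules expire after their lifetime (see the net.inet.ip.fw.dyn_* sysctls), so `ipfw -d show` is the place to look if queries stop passing after a long uptime.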