From: Paul Schmehl <pauls@utdallas.edu>
To: 'FreeBSD questions' <freebsd-questions@freebsd.org>
Date: Thu, 03 Mar 2005 14:20:53 -0600
Subject: RE: ipfw lost its mind?
In-Reply-To: <42276ab8.5a7f85a2.4c2a.3e73@smtp.gmail.com>

--On Friday, March 04, 2005 01:21:11 AM +0530 Subhro wrote:

> Do you block UDP?

First question would be - which direction? I allow udp *to* port 53. I allow *ip* outgoing, so any response to a dns request would be answered.

> I am asking this because I *used* to do a block on all UDP except the DNS
> port and had exactly the same problem.

Very odd. I'll give that a try, even though it doesn't make sense to me. If my *first* rule is "allow ip from x.x.x.x/32 to {server}" and I also have a rule that says "allow ip from {server} to any", then I can't imagine why a restriction on udp would interfere with that, since "ip" includes both tcp and udp.

Besides, the firewall has been working flawlessly for three years *with* that restriction. Makes me think that *something* in the firewall code changed recently and got installed when I ran freebsd-update.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
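An added example, not part of the post or of FreeBSD's ipfw: a small Python model of ipfw's first-match rule evaluation, run over a ruleset constructed to mirror the rules described above (an "allow ip" rule to the server, "allow ip" from the server to any, udp allowed to port 53, all other udp denied). The addresses, rule numbers and packets are constructed stand-ins; the model shows which rule the server's own outbound DNS query and the inbound reply hit when evaluation is stateless, and how recording the flow (what ipfw's keep-state/check-state do) changes the reply's verdict.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class Rule:
    num: int
    action: str               # "allow" or "deny"
    proto: str                # "ip" matches any protocol, else "tcp"/"udp"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    dport: int = 0            # destination port, 0 = any port
    keep_state: bool = False  # record the flow so its reply is allowed

def _in_net(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
def _matches(r, p):
    if r.proto != "ip" and r.proto != p["proto"]:
        return False
    if r.dport and r.dport != p["dport"]:
        return False
    return _in_net(r.src, p["src"]) and _in_net(r.dst, p["dst"])

def evaluate(rules, p, flows=None):
    # First match wins. `flows` models the dynamic rule table: a packet whose
    # 5-tuple reverses a recorded flow is allowed (check-state). Falling off
    # the end hits ipfw's implicit default deny, rule 65535.
    if flows is not None and (p["proto"], p["dst"], p["dport"], p["src"], p["sport"]) in flows:
        return "dynamic", "allow"
    for r in sorted(rules, key=lambda r: r.num):
        if _matches(r, p):
            if r.keep_state and flows is not None:
                flows.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
            return r.num, r.action
    return 65535, "deny"

SERVER = "192.0.2.10"       # constructed stand-in for {server}
ADMIN = "198.51.100.7/32"   # constructed stand-in for x.x.x.x/32
RULES = [                   # constructed ruleset modeled on the post
    Rule(100, "allow", "ip", ADMIN, SERVER + "/32"),
    Rule(200, "allow", "ip", SERVER + "/32", "any"),
    Rule(300, "allow", "udp", "any", SERVER + "/32", dport=53),
    Rule(400, "deny", "udp", "any", "any"),
]
QUERY = {"proto": "udp", "src": SERVER, "sport": 49152, "dst": "203.0.113.53", "dport": 53}
REPLY = {"proto": "udp", "src": "203.0.113.53", "sport": 53, "dst": SERVER, "dport": 49152}

def dns_roundtrip(stateful):
    # Verdicts for the server's own DNS query and for the reply to it.
    rules = [Rule(**{**vars(r), "keep_state": stateful and r.num == 200}) for r in RULES]
    flows = set() if stateful else None
    return evaluate(rules, QUERY, flows), evaluate(rules, REPLY, flows)
```

Stateless, the query leaves through rule 200 but the reply has the remote host as source, so no "allow" rule matches it and it falls to the udp deny; with the flow recorded on rule 200, the reply is accepted by the dynamic entry before the numbered rules are consulted.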