From: Andreas Klemm
To: freebsd-current@FreeBSD.org
Date: Mon, 3 Nov 2003 15:40:38 +0100
Subject: Re: suddenly bind and access to NNTP server (localhost) doesn't work

On Mon, Nov 03, 2003 at 06:18:49AM -0800, Will Andrews wrote:
> On Mon, Nov 03, 2003 at 01:47:06PM +0100, Andreas Klemm wrote:
> > Since about 2 days I can't make dns queries via local nameserver.
> > To get dns requests I need to add my forwarders in /etc/resolv.conf.
>
> I've noticed this before (on FreeBSD 4.8), then realized my ISP
> was blocking 53/TCP.

I found the culprit, for my eyes it's a problem with ipfw.

Look here: on titan the rule 100 doesn't work anymore for
(for me) unknown reason:

00100     0       0 allow ip from any to any via lo0
00200     3     180 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000   133   75074 allow ip from any to any
65535 21787 2611732 deny ip from any to any

FreeBSD titan.klemm.apsfilter.org 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Sun Oct 19 16:33:53 CEST 2003 root@titan.klemm.apsfilter.org:/usr/src/sys/i386/compile/TITAN i386

andreas@titan[ttyp3]{1004} ~ ll /sbin/ipfw
-r-xr-xr-x 1 root wheel 482184 2 Nov 21:26 /sbin/ipfw

On my Laptop aklemm the rule 100 (firewall type "open") works:

00100  206   20504 allow ip from any to any via lo0
00200    0       0 deny ip from any to 127.0.0.0/8
00300    0       0 deny ip from 127.0.0.0/8 to any
65000 9498 3688895 allow ip from any to any
65535    0       0 deny ip from any to any

root@aklemm[ttyp2]{204} ~ ll /sbin/ipfw
-r-xr-xr-x 1 root wheel 482184 2 Nov 23:07 /sbin/ipfw
root@aklemm[ttyp2]{205} ~ uname -a
FreeBSD aklemm.klemm.apsfilter.org 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Sun Nov 2 23:55:37 CET 2003 root@aklemm.klemm.apsfilter.org:/usr/src/sys/i386/compile/AKLEMM i386

Because rule 100 isn't working for unknown reason on titan,
I get DNS and connect problem with a local NNTP server, since
the traffic pattern "from any to any via lo0" is needed, but
doesn't work.

But I really have no idea what's causing that...

	Andreas ///

-- 
Andreas Klemm - Powered by FreeBSD 5.1-CURRENT
Need a magic printfilter today ? -> http://www.apsfilter.org/
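
A check for the counter pattern in the two listings above, as an added example that is not part of the original message: it reads `ipfw -a list` output and reports whether loopback traffic is reaching the "via lo0" allow rule or falling through to the 127.0.0.0/8 deny rules. The function name `check_lo0_rules` and the verdict strings are this example's own; the sample listings are the ones quoted in the message.

```shell
#!/bin/sh
# Added example, not from the original message.
# Reads `ipfw -a list` output on stdin (rule number, packets, bytes, rule body)
# and prints one verdict (names are this example's own):
#   MISSING  no "allow ip from any to any via lo0" rule in the listing
#   BROKEN   the lo0 allow rule counted 0 packets while a 127.0.0.0/8 deny rule counted some
#   IDLE     neither the lo0 allow rule nor the 127.0.0.0/8 deny rules counted anything
#   OK       the lo0 allow rule is matching traffic
check_lo0_rules() {
    awk '
    # Accounting lines only: three numeric fields followed by the rule body.
    NF >= 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        body = $4
        for (i = 5; i <= NF; i++) body = body " " $i
        if (body == "allow ip from any to any via lo0") {
            seen = 1; allow += $2
        } else if (body == "deny ip from any to 127.0.0.0/8" ||
                   body == "deny ip from 127.0.0.0/8 to any") {
            deny += $2
        }
    }
    END {
        if (!seen) print "MISSING"
        else if (allow == 0 && deny > 0) print "BROKEN"
        else if (allow == 0) print "IDLE"
        else print "OK"
    }'
}

# Counter listings copied from the message (titan, then the laptop aklemm).
titan_sample() {
    printf '%s\n' \
        '00100 0 0 allow ip from any to any via lo0' \
        '00200 3 180 deny ip from any to 127.0.0.0/8' \
        '00300 0 0 deny ip from 127.0.0.0/8 to any' \
        '65000 133 75074 allow ip from any to any' \
        '65535 21787 2611732 deny ip from any to any'
}
aklemm_sample() {
    printf '%s\n' \
        '00100 206 20504 allow ip from any to any via lo0' \
        '00200 0 0 deny ip from any to 127.0.0.0/8' \
        '00300 0 0 deny ip from 127.0.0.0/8 to any' \
        '65000 9498 3688895 allow ip from any to any' \
        '65535 0 0 deny ip from any to any'
}

echo "titan:  $(titan_sample | check_lo0_rules)"
echo "aklemm: $(aklemm_sample | check_lo0_rules)"
```

On a live host the same function takes the firewall's own output: `ipfw -a list | check_lo0_rules`.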