From: X Philius <xphilius@yahoo.com>
Date: Wed, 26 Dec 2001 17:47:09 -0800 (PST)
Subject: Re: Help with ipfw rules to allow DNS queries through
To: "G.P. de Boer", security@freebsd.org
In-Reply-To: <5.1.0.14.0.20011226223958.01f4dd30@thedarkside.nl>
Sender: owner-freebsd-security@FreeBSD.ORG

G.P.,

I am currently using an external DNS server via resolv.conf, you are correct. I would think that the generic rule to allow all internally established connections (both udp and tcp) to pass through would allow this, even without any port specific rules. Is this not correct?

    # Allow set up of outgoing UDP connections
    ${fwcmd} add pass udp from ${ip} to any setup
    # Allow setup of outgoing TCP connections
    ${fwcmd} add pass tcp from ${ip} to any setup

I used to have named set up on my machine, before I upgraded to 4.4R, and I plan to set it up again. However, before I upgraded I was using this rule set, and it did not seem to allow me to access my machine as a name server from another machine. I am not 100% sure that I tested it properly though, so the general question is: should I be able to use this ruleset if I want to use my machine as a name server, i.e. to be accessed by an external client, and authoritative on a domain or twelve? As someone else mentioned, this is pretty much verbatim from the default rc.firewall.

    # Allow DNS queries out and in
    ${fwcmd} add pass tcp from any to ${ip} 53 setup
    ${fwcmd} add pass udp from any to ${ip} 53
    ${fwcmd} add pass udp from ${ip} 53 to any

Thanks much for your reply! I can't wait to get this working.

Jason

--- "G.P. de Boer" wrote:
> At 21:56 26-12-2001, you wrote something
>
> I was reading your mailing and the pasted rules below, and
> saw two things which might form the problem->solution.
>
> You were saying you're using /etc/resolv.conf for your own
> lookups. This means that your lookups are NOT from source
> port 53. This only applies when you use your own nameserver
> as resolver. So the rule pass udp from ${ip} 53 to any doesn't
> apply, since you're using source port >1024. 
> I would use pass udp from ${ip} to any 53.
>
> Hope this helps,
> P. de Boer
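The source-port point made in the reply above, as an added example that is not part of the thread: a small first-match evaluator that models how ipfw walks the posted rules, with constructed addresses standing in for ${ip} and the external resolver. It also goes one step beyond the thread and checks the reply packet coming back from the external server, which none of these stateless rules admit.

```python
from dataclasses import dataclass

MY_IP = "192.0.2.10"      # constructed stand-in for ${ip}
NS_IP = "198.51.100.53"   # constructed external name server from resolv.conf
CLIENT = "203.0.113.7"    # constructed external client querying our named

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK, which is what ipfw "setup" matches

def rule(action, proto, src, sport, dst, dport, setup=False):
    """One ipfw rule; None for a port means 'any port', 'any' for an address."""
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, setup=setup)

def matches(r, p):
    if r["proto"] != p.proto:
        return False
    for want, got in ((r["src"], p.src), (r["dst"], p.dst)):
        if want != "any" and want != got:
            return False
    for want, got in ((r["sport"], p.sport), (r["dport"], p.dport)):
        if want is not None and want != got:
            return False
    if r["setup"] and not (p.proto == "tcp" and p.syn):
        return False  # "setup" only ever matches a TCP SYN, never UDP
    return True

def verdict(rules, p):
    """ipfw is first-match; the implicit last rule (65535) denies."""
    for r in rules:
        if matches(r, p):
            return r["action"]
    return "deny"

# The rules exactly as posted in the message
POSTED = [
    rule("pass", "udp", MY_IP, None, "any", None, setup=True),
    rule("pass", "tcp", MY_IP, None, "any", None, setup=True),
    rule("pass", "tcp", "any", None, MY_IP, 53, setup=True),
    rule("pass", "udp", "any", None, MY_IP, 53),
    rule("pass", "udp", MY_IP, 53, "any", None),
]
# De Boer's suggestion: match on destination port 53, any source port
FIXED = POSTED + [rule("pass", "udp", MY_IP, None, "any", 53)]

def resolver_lookup():  return Packet("udp", MY_IP, 49152, NS_IP, 53)   # stub resolver, ephemeral port
def resolver_reply():   return Packet("udp", NS_IP, 53, MY_IP, 49152)   # answer coming back
def inbound_query():    return Packet("udp", CLIENT, 40000, MY_IP, 53)  # client asking our named
def outbound_answer():  return Packet("udp", MY_IP, 53, CLIENT, 40000)  # our named answering
```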