Date: Sat, 31 Jan 2004 14:33:31 +0100
From: Jon-Eirik Pettersen <lists@jonepet.net>
To: Simon Gray <simong@desktop-guardian.com>, freebsd-ipfw@freebsd.org
Subject: Re: ipfw keep-state (ASAP anwser need)
Message-ID: <401BAEAB.1060705@jonepet.net>
In-Reply-To: <E1AmBAS-0007EF-5G@ptb-relay02.plus.net>
References: <E1AmBAS-0007EF-5G@ptb-relay02.plus.net>
Simon Gray wrote:

>> The following is a fragment of my rc.firewall which must allow all
>> traffic in and out of my named.
>>
>> ----
>> ipfw add 4100 allow udp from me to any 53 keep-state
>> ipfw add 4200 allow udp from any to me 53
>> ipfw add 4300 allow udp from me 53 to any
>> ---
>> It doesn't work. What am I missing?
>>
>
> AFAIK dns also requires tcp 53
>
> Quick look in google found:
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${ip} 53 setup
> ${fwcmd} add pass udp from any to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to any
>
> HTH
>
> Simon

If you want to debug firewalls, this in your kernel configuration could help (if you haven't done it yet):

options IPFIREWALL
options IPFIREWALL_VERBOSE

(remember that it will deny as default, check the handbook if you don't want it to) and use "deny log" instead of "deny", then ipfw will deliver deny-messages to "security" in syslogd. And "tcpdump -i device" too (with some grepping if you have much traffic in/out).
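As an added illustration of the two things discussed in this thread (a DNS rule set that combines keep-state for the resolver side with Simon's point that TCP 53 is needed too, and reading the "deny log" lines ipfw hands to syslog), here is a small sh script that is not part of the thread or of any FreeBSD file. It assumes `${fwcmd}` defaults to `echo ipfw` so it only prints rules instead of loading them, uses 192.0.2.10 and fxp0 as placeholder address and interface, embeds constructed sample log lines, and assumes the classic kernel log format `ipfw: <rule> Deny <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>`.

```shell
#!/bin/sh
# Added example, not code from the thread. Dry-run by default: fwcmd is
# "echo ipfw" unless overridden, so the rules are printed, not loaded.
# 192.0.2.10 is a placeholder for the host's own address.

fwcmd="${fwcmd:-echo ipfw}"
ip="${ip:-192.0.2.10}"

# DNS rules for a host that both resolves (outbound queries) and serves
# (named answering queries). Numbers continue the thread's 4xxx range.
dns_rules() {
    # Dynamic entries created by keep-state are matched here, so replies to
    # our own queries are accepted without a static "from any 53 to me" rule.
    ${fwcmd} add 4000 check-state
    # Our own outbound queries, UDP and TCP (truncated answers retry over TCP).
    ${fwcmd} add 4100 allow udp from ${ip} to any 53 keep-state
    ${fwcmd} add 4110 allow tcp from ${ip} to any 53 setup keep-state
    # Clients querying named here: UDP both ways, TCP setup in / established
    # out. Kept stateless so a busy server does not create one dynamic entry
    # per client query.
    ${fwcmd} add 4200 allow udp from any to ${ip} 53
    ${fwcmd} add 4210 allow tcp from any to ${ip} 53 setup
    ${fwcmd} add 4300 allow udp from ${ip} 53 to any
    ${fwcmd} add 4310 allow tcp from ${ip} 53 to any established
    # Final catch-all with "log": every drop is reported to syslog's
    # security facility, which is what makes deny_summary below useful.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Constructed sample lines (not a real capture) in the kernel's ipfw log
# format, assumed here to be:
#   ipfw: <rule> Deny <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <if>
sample_log() {
    cat <<'EOF'
Jan 31 14:30:01 ns kernel: ipfw: 65000 Deny UDP 198.51.100.7:40123 192.0.2.10:53 in via fxp0
Jan 31 14:30:02 ns kernel: ipfw: 65000 Deny TCP 198.51.100.7:40124 192.0.2.10:53 in via fxp0
Jan 31 14:30:05 ns kernel: ipfw: 65000 Deny UDP 198.51.100.9:53 192.0.2.10:1025 in via fxp0
Jan 31 14:30:09 ns kernel: ipfw: 65000 Deny UDP 198.51.100.7:40125 192.0.2.10:53 in via fxp0
EOF
}

# Read deny-log lines on stdin and count them per rule, protocol, destination
# port and direction. An inbound entry whose destination is a high port (the
# raw line shows source port 53) is a DNS reply being dropped: the dynamic
# entry from keep-state was not matched, which is the symptom to chase.
deny_summary() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1); proto = $(i + 3); dst = $(i + 5); dir = $(i + 6)
            n = split(dst, p, ":"); dport = p[n]
            count[rule " " proto " dport=" dport " " dir]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Run directly: show the rules, then the summary of the sample lines.
dns_rules
echo "--- deny summary of sample log ---"
sample_log | deny_summary
```

Run it as `sh dns_rules.sh` to see the rule list and the summary; set `fwcmd=/sbin/ipfw` to load the rules for real. The `log` keyword only produces syslog lines when the kernel was built with `options IPFIREWALL_VERBOSE` (as the message above says), and `IPFIREWALL_VERBOSE_LIMIT` (or the `net.inet.ip.fw.verbose_limit` sysctl) caps how many lines one rule may log so a flood of drops does not fill the security log.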
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?401BAEAB.1060705>