From: Jon-Eirik Pettersen
Date: Sat, 31 Jan 2004 14:33:31 +0100
To: Simon Gray, freebsd-ipfw@freebsd.org
Subject: Re: ipfw keep-state (ASAP anwser need)
Message-ID: <401BAEAB.1060705@jonepet.net>
List-Id: IPFW Technical Discussions

Simon Gray wrote:
>> The following is a fragment of my rc.firewall which must allow all
>> traffic in and out of my named.
>>
>> ----
>> ipfw add 4100 allow udp from me to any 53 keep-state
>> ipfw add 4200 allow udp from any to me 53
>> ipfw add 4300 allow udp from me 53 to any
>> ---
>> It doesn't work. What am I missing?
>
> AFAIK DNS also requires TCP 53.
>
> A quick look in Google found:
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${ip} 53 setup
> ${fwcmd} add pass udp from any to ${ip} 53
> ${fwcmd} add pass udp from ${ip} 53 to any
>
> HTH
>
> Simon

If you want to debug firewalls, this in your kernel configuration could help (if you haven't done it yet):

options IPFIREWALL
options IPFIREWALL_VERBOSE

(remember that it will deny as default; check the handbook if you don't want it to) and use "deny log" instead of "deny", then ipfw will deliver deny-messages to "security" in syslogd. And "tcpdump -i device" too (with some grepping if you have much traffic in/out).
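The pieces the thread touches on (keep-state for queries named sends, stateless UDP and TCP 53 for queries it receives, and "deny log" for debugging) combined into one ruleset, as an added example that is not from the thread, from rc.firewall, or from the FreeBSD project. It assumes the host address 192.0.2.53 (an RFC 5737 documentation address used as a placeholder, overridable with DNS_IP), that rule numbers 4000-4999 are unused, and that FWCMD names the ipfw binary; it defaults to "echo" so the script only prints the commands until you run it with FWCMD=/sbin/ipfw. The interface name em0 in the closing comment is also an assumption.

```sh
#!/bin/sh
# Added example, not the thread's or FreeBSD's own code. Assumptions:
#   - DNS_IP is the address named listens on (placeholder 192.0.2.53);
#   - rule numbers 4000-4999 are free in the existing rc.firewall;
#   - FWCMD is the ipfw binary. It defaults to "echo" (dry run, rules are
#     only printed); run  FWCMD=/sbin/ipfw ./dns-rules.sh  to load them.
fwcmd="${FWCMD:-echo}"
ip="${DNS_IP:-192.0.2.53}"

dns_rules() {
    # Dynamic (stateful) matching first: check-state lets replies to any
    # keep-state rule below pass here, before the stateless rules are tried.
    "$fwcmd" add 4000 check-state

    # Queries named sends out (recursion, zone transfers it requests). The
    # dynamic entry created by keep-state admits the reply from remote port 53
    # back to the ephemeral source port, so no wide "from any 53 to me" rule
    # is needed for named's own lookups.
    "$fwcmd" add 4100 allow udp from "$ip" to any 53 keep-state
    "$fwcmd" add 4110 allow tcp from "$ip" to any 53 setup keep-state

    # Queries named receives. TCP 53 is needed as well as UDP: answers that do
    # not fit in a UDP datagram are retried over TCP, and AXFR/IXFR use TCP.
    # "setup" matches only the initial SYN; "established" matches the rest.
    "$fwcmd" add 4200 allow udp from any to "$ip" 53
    "$fwcmd" add 4210 allow tcp from any to "$ip" 53 setup
    "$fwcmd" add 4300 allow udp from "$ip" 53 to any
    "$fwcmd" add 4310 allow tcp from "$ip" 53 to any established

    # Debugging aid: anything that looks like a DNS reply but matched no
    # dynamic entry at rule 4000 is dropped and logged. With IPFIREWALL_VERBOSE
    # (or net.inet.ip.fw.verbose=1) each hit goes to syslog's "security"
    # facility, /var/log/security on a default install. If these rules log,
    # the outgoing query never hit a keep-state rule (or its entry expired).
    "$fwcmd" add 4900 deny log udp from any 53 to "$ip"
    "$fwcmd" add 4910 deny log tcp from any 53 to "$ip"
}

# After loading, list the dynamic entries with:  ipfw -d show
# and watch the wire with:                       tcpdump -ni em0 port 53
dns_rules
```

Rule 4000 is the part most often missed: keep-state only creates the dynamic entry, and the reply is matched against that entry at the first check-state (or keep-state) rule the packet reaches, so a stateless deny placed earlier in the chain will still drop it. The two "deny log" rules at the end are there for exactly the situation in the thread: a logged packet from port 53 tells you the query went out without creating state, and a silent drop elsewhere in rc.firewall is the next thing to look for.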