From owner-freebsd-net Fri Feb 2 09:41:08 2001
Delivered-To: freebsd-net@freebsd.org
Received: from atro.pine.nl (atro.pine.nl [213.156.0.2]) by hub.freebsd.org (Postfix) with ESMTP id E503137B698 for ; Fri, 2 Feb 2001 09:40:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by atro.pine.nl (8.11.1/8.11.1) with ESMTP id f12HelF27937; Fri, 2 Feb 2001 18:40:47 +0100 (MET)
Date: Fri, 2 Feb 2001 18:40:47 +0100 (MET)
From: Mark Lastdrager
To: Peter Brezny
Cc:
Subject: Re: ipfw and dns
In-Reply-To: <001701c08d3e$892a1860$46010a0a@sysadmininc.com>
Message-ID:
X-NCC-RegID: nl.pine
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At Fri, 2 Feb 2001, owner-freebsd-net@FreeBSD.ORG wrote:

>Is this all I need to allow dns queries from the outside world?
>
> $fwcmd add allow tcp from any 53 to $ns1 53

No, queries use udp and often don't use 53 as source port. And you have to make rules for both incoming and outgoing traffic.

>and now it appears that an outside machine can't perform an nslookup using my
>box as the server to do the queries on.

Look in the log and see what goes wrong ;-)

There's an example in /etc/rc.firewall by the way:

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

Mark Lastdrager

--
Pine Internet BV :: tel. +31-70-3111010 :: fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: telnet: Unable to connect to remote host: Connection refused

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
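The reason the original single rule fails, and why the three rc.firewall rules work, is easiest to see by running sample packets through a first-match evaluator. The script below is an added illustration, not code from the mail or from FreeBSD; it implements only the small rule subset used in the thread (allow/pass/deny, tcp/udp/ip, from/to with optional ports, and the setup and established keywords), assumes ipfw-style first-match semantics with a trailing default deny as /etc/rc.firewall has, and puts the "pass tcp from any to any established" rule that rc.firewall's simple section carries ahead of the DNS rules. The name server address 192.0.2.53 and the client 198.51.100.7 are constructed documentation addresses, not from the original post.

```python
"""Toy first-match evaluator for the ipfw rule subset seen in the thread.

Assumptions (not from the original mail): rules are tried in order, the first
match decides, and anything unmatched is denied, as with the closing
'deny ip from any to any' rule in /etc/rc.firewall.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP SYN flag
    ack: bool = False    # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny" ("pass" is a synonym for allow)
    proto: str           # "tcp", "udp" or "ip"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    flag: Optional[str]  # None, "setup" or "established"


def parse_rule(text: str) -> Rule:
    """Parse 'add <allow|pass|deny> <proto> from A [port] to B [port] [setup|established]'."""
    tok = text.split()
    if tok[0] == "add":
        tok = tok[1:]
    action = "allow" if tok[0] in ("allow", "pass") else "deny"
    proto = tok[1]
    if tok[2] != "from":
        raise ValueError("expected 'from' in rule: " + text)
    to_idx = tok.index("to")
    src_part, rest = tok[3:to_idx], tok[to_idx + 1:]
    flag = None
    if rest and rest[-1] in ("setup", "established"):
        flag, rest = rest[-1], rest[:-1]
    sport = int(src_part[1]) if len(src_part) > 1 else None
    dport = int(rest[1]) if len(rest) > 1 else None
    return Rule(action, proto, src_part[0], sport, rest[0], dport, flag)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match: protocol, both endpoints, then the TCP flag keywords."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.src not in ("any", pkt.src) or rule.sport not in (None, pkt.sport):
        return False
    if rule.dst not in ("any", pkt.dst) or rule.dport not in (None, pkt.dport):
        return False
    if rule.flag == "setup":          # only the initial SYN of a TCP connection
        return pkt.proto == "tcp" and pkt.syn and not pkt.ack
    if rule.flag == "established":    # any TCP segment with ACK set
        return pkt.proto == "tcp" and pkt.ack
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; default deny, as at the end of rc.firewall."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed addresses (RFC 5737 documentation ranges), not from the post.
NS, CLIENT = "192.0.2.53", "198.51.100.7"

# The single rule from the question: only TCP, and only from source port 53.
BROKEN = [parse_rule(f"add allow tcp from any 53 to {NS} 53")]

# The rc.firewall shape: established TCP first, then the three DNS rules.
FIXED = [parse_rule(r) for r in (
    "add pass tcp from any to any established",
    f"add pass tcp from any to {NS} 53 setup",
    f"add pass udp from any to {NS} 53",
    f"add pass udp from {NS} 53 to any",
)]

# One resolver exchange over UDP, then a TCP query (e.g. a large answer or zone transfer).
UDP_QUERY = Packet("udp", CLIENT, 40000, NS, 53)
UDP_REPLY = Packet("udp", NS, 53, CLIENT, 40000)
TCP_SYN = Packet("tcp", CLIENT, 40001, NS, 53, syn=True)
TCP_SYNACK = Packet("tcp", NS, 53, CLIENT, 40001, syn=True, ack=True)
TCP_DATA = Packet("tcp", CLIENT, 40001, NS, 53, ack=True)
TCP_TO_WEB = Packet("tcp", CLIENT, 40002, NS, 80, syn=True)


def decisions(rules: List[Rule]) -> List[str]:
    """Verdicts for the sample packets above, in the order listed."""
    return [evaluate(rules, p) for p in
            (UDP_QUERY, UDP_REPLY, TCP_SYN, TCP_SYNACK, TCP_DATA, TCP_TO_WEB)]


if __name__ == "__main__":
    print("broken:", decisions(BROKEN))
    print("fixed: ", decisions(FIXED))
```

With the broken rule set every packet of a normal lookup is denied: the UDP query never matches a tcp rule, and even a TCP query from an ephemeral source port fails the "from any 53" test. With the rc.firewall rules the query in, the reply out, the TCP handshake and the data segments all pass, while a SYN to port 80 on the same host still hits the default deny.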