Date: Tue, 1 Jun 2004 16:02:38 +0200 (MEST) From: besen-wesen@gmx.net To: freebsd-bugs@freebsd.org Subject: IPFW & uid bind Message-ID: <16597.1086098558@www4.gmx.net>
Hello,

my firewall's security policy is supposed to allow outgoing connections to port 53 (DNS) only from 'named' on localhost. Normally IPFW should be able to do that just fine, since named runs as user and group 'bind' and IPFW can handle local packets based on uid's or gid's. Everything else works just fine.

One can reduce the problem to this easily verifiable rule:

    # ipfw add 300 count log ip from any to any uid bind

Named indeed does run as bind:

    box# ps x -U bind
      PID  TT  STAT      TIME COMMAND
      108  ??  Is     0:01.07 /usr/sbin/named -u bind -g bind

But IPFW neither counts nor logs anything when doing DNS lookups:

    # nslookup www.xyz.com

Filtering based on uid 'root', however, does work and produces a lot of occurrences:

    # ipfw add 300 count log ip from any to any uid root

So what's the matter with 'bind' and IPFW?

Regards,
Besen-Wesen
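The check the poster is doing by hand (add a count rule, trigger a lookup, see whether the counter moved) can be scripted against the counters ipfw reports. The following is an added example, not code from the original thread; it assumes the `ipfw -a list` layout of rule number, packet count, byte count and rule body, and the sample output is constructed to mirror the symptom reported above.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the layout of `ipfw -a list`: rule number, packet
# counter, byte counter, rule body. Values are made up to mirror the report:
# the uid-bind rule never matches while the uid-root rule sees traffic.
SAMPLE_IPFW_OUTPUT = """\
00100      42     3528 allow ip from any to any via lo0
00300       0        0 count log ip from any to any uid bind
00310     118    10764 count log ip from any to any uid root
65535   10237  9412358 allow ip from any to any
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


class Rule(NamedTuple):
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_counters(text: str) -> List[Rule]:
    """Parse `ipfw -a list` style lines into Rule records; skip other lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), int(m.group(2)),
                              int(m.group(3)), m.group(4)))
    return rules


def uid_rule_hits(rules: List[Rule]) -> Dict[str, int]:
    """Map the user named in each 'uid <name>' rule to its packet counter."""
    hits: Dict[str, int] = {}
    for r in rules:
        m = re.search(r"\buid\s+(\S+)", r.body)
        if m:
            hits[m.group(1)] = r.packets
    return hits


def silent_uid_rules(rules: List[Rule]) -> List[str]:
    """Users whose uid rule never matched; non-empty after generating traffic
    as that user is exactly the symptom described in the post."""
    return [uid for uid, pkts in uid_rule_hits(rules).items() if pkts == 0]


if __name__ == "__main__":
    parsed = parse_ipfw_counters(SAMPLE_IPFW_OUTPUT)
    print(uid_rule_hits(parsed))     # {'bind': 0, 'root': 118}
    print(silent_uid_rules(parsed))  # ['bind']
```

On a live box the same functions can be fed the output of `ipfw -a list` captured before and after a lookup, so that a rule whose counter stays at zero is flagged rather than eyeballed.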