From: "Yuri Muhitov"
Subject: RE: Help with ipfw rules to allow DNS queries through
Date: Thu, 27 Dec 2001 12:50:42 +0300
Message-ID: <2E8E747BA4D4994CB49D56AF57F1728208B2F7@adv.KOSTASOFT.kostasoft.spb.ru>
In-Reply-To: <2E8E747BA4D4994CB49D56AF57F172820F78EC@adv.KOSTASOFT.kostasoft.spb.ru>
Sender: owner-freebsd-security@FreeBSD.ORG

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of X Philius
> Sent: Thursday, December 27, 2001 4:47 AM
> To: G.P. de Boer; security@FreeBSD.ORG
> Subject: Re: Help with ipfw rules to allow DNS queries through
>

Hi, Jason! UDP is a connectionless transport protocol, isn't it?
Just add two lines which allow you access to EXT DNS; the rest must work fine.

    ${fwcmd} add pass udp from ${ip} to any 53
    ${fwcmd} add pass udp from any 53 to ${ip}

Furthermore, you can restrict the list of DNS'es. Replace ANY by explicit addresses...

Good Luck, Yuri.

> I am currently using an external DNS server via resolv.conf, you are
> correct. I would think that the generic rule to allow all internally
> established connections (both udp and tcp) to pass through would allow
> this, even without any port specific rules. Is this not correct?
>
> # Allow set up of outgoing UDP connections
> ${fwcmd} add pass udp from ${ip} to any setup
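An added example, not part of the thread: a small sh function that emits Yuri's two rules once per resolver, taking the resolvers from resolv.conf-style text so that "any" is replaced by explicit addresses as he suggests. The function name dns_rules, the sample resolv.conf and the addresses in it are constructed; ipfw is not invoked, the rules are only printed for review.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints the two "pass udp"
# rules from the reply, one pair per nameserver found on stdin, with the
# explicit resolver address in place of "any". Nothing is loaded into ipfw;
# the output is meant to be reviewed and then fed to ${fwcmd}.

# dns_rules FWCMD HOST_IP  < resolv.conf-style text
# Exit status is non-zero when no "nameserver" line was found, so a caller
# does not silently end up with no DNS rules at all.
dns_rules() {
    fwcmd=$1
    ip=$2
    found=0
    while read -r key value _rest; do
        case "$key" in
            nameserver)
                # UDP has no handshake, so there is no "setup" to match on;
                # both directions need an explicit rule, limited to port 53.
                printf '%s add pass udp from %s to %s 53\n' "$fwcmd" "$ip" "$value"
                printf '%s add pass udp from %s 53 to %s\n' "$fwcmd" "$value" "$ip"
                found=$((found + 1))
                ;;
        esac
    done
    [ "$found" -gt 0 ]
}

# Constructed sample input (documentation addresses, not real resolvers).
SAMPLE_RESOLV_CONF='# constructed sample resolv.conf
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.53
options timeout:2'

# Example run: rules for a host at 192.0.2.10 (constructed), using ipfw.
printf '%s\n' "$SAMPLE_RESOLV_CONF" | dns_rules ipfw 192.0.2.10
```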