From: Chuck Swiger <cswiger@mac.com>
To: Fernando Tonus
Cc: doc@freebsd.org
Subject: Re: Handbook - Section IPFW
Date: Mon, 8 Dec 2008 12:50:01 -0800
Message-Id: <4E91A5AC-DE5B-4C25-8CA1-F7F35E9F7FDE@mac.com>
X-BeenThere: freebsd-doc@freebsd.org
List-Id: Documentation project

On Dec 8, 2008, at 12:17 PM, Fernando Tonus wrote:

> I found an error in the last script called "Example Ruleset #2".
> The error is in the rule number 020.
>
> Wrong:
> $cmd 020 $skip *tcp* from any to x.x.x.x 53 out via $pif setup keep-state
>
> Right:
> $cmd 020 $skip *udp* from any to x.x.x.x 53 out via $pif setup keep-state

Actually, you want to allow *both* udp/53 and tcp/53 out if you want to properly pass DNS requests through:

    $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
    $cmd 020 $skip udp from any to x.x.x.x 53 out via $pif keep-state

Regards,
-- 
-Chuck
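The rule pair above, written out as a small sh fragment in the style of the Handbook's IPFW scripts. This is an added example, not code from the Handbook or from the message above; it assumes the Handbook's $cmd/$skip/$pif variable names, a skipto target of 800, a constructed resolver address 192.0.2.53 (a documentation address) and an interface called em0. By default it only echoes the rules; set CMD='ipfw -q add' on the firewall host to load them.

```sh
#!/bin/sh
# Added example (not from the FreeBSD Handbook or the original post).
# Assumed names: $cmd/$skip/$pif as in the Handbook, skipto 800 as the NAT
# section, resolver 192.0.2.53 (constructed, TEST-NET-2) and interface em0.
set -eu

pif="${PIF:-em0}"                  # outside interface (assumed name)
dns="${DNS:-192.0.2.53}"           # resolver we may query (constructed address)
skip="skipto 800"                  # assumed jump target for the NAT/divert section
cmd="${CMD:-echo ipfw -q add}"     # dry-run by default; CMD='ipfw -q add' to load

# Emit the outbound DNS rules for one resolver and one interface.
# TCP carries "setup" so only the SYN of a new connection matches and the
# dynamic rule is created once; UDP has no handshake, so keep-state alone
# creates the state entry that lets the reply packet back in.
dns_out_rules() {
    _dns="$1"; _pif="$2"
    printf '%s\n' "020 $skip tcp from any to $_dns 53 out via $_pif setup keep-state"
    printf '%s\n' "020 $skip udp from any to $_dns 53 out via $_pif keep-state"
}

# Self-check: list the distinct protocols the generated rules cover, one per
# line (expected: tcp and udp). Field 4 is the protocol after "NNN skipto 800".
dns_protocols_covered() {
    dns_out_rules "$1" "$2" | awk '{print $4}' | sort -u
}

# Feed each rule to $cmd (ipfw, or echo in dry-run mode), preserving order.
apply_dns_rules() {
    dns_out_rules "$dns" "$pif" | while IFS= read -r rule; do
        # $cmd and $rule are intentionally word-split into ipfw arguments
        $cmd $rule
    done
}

apply_dns_rules
```

Rule numbers may repeat in ipfw, so both rules can keep number 020 as in the Handbook; the important difference between them is that only the TCP rule carries "setup".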