Date: Mon, 8 Dec 2008 12:50:01 -0800
From: Chuck Swiger <cswiger@mac.com>
To: Fernando Tonus <fernandotonus@gmail.com>
Cc: doc@freebsd.org
Subject: Re: Handbook - Section IPFW
Message-ID: <4E91A5AC-DE5B-4C25-8CA1-F7F35E9F7FDE@mac.com>
In-Reply-To: <be0c2c4f0812081217t30ee0123gc4eceb0d695f74f1@mail.gmail.com>
References: <be0c2c4f0812081217t30ee0123gc4eceb0d695f74f1@mail.gmail.com>
On Dec 8, 2008, at 12:17 PM, Fernando Tonus wrote:
> I found an error in the last script called "Example Ruleset #2".
> The error is in the rule number 020.
>
> Wrong:
> $cmd 020 $skip *tcp* from any to x.x.x.x 53 out via $pif setup keep-state
>
> Right:
> $cmd 020 $skip *udp* from any to x.x.x.x 53 out via $pif setup keep-state

Actually, you want to allow *both* udp/53 and tcp/53 out if you want
to properly pass DNS requests through:

$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 020 $skip udp from any to x.x.x.x 53 out via $pif keep-state

Regards,
--
-Chuck
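A small linter for the two points raised in this thread, as an added example that is not part of either message or of the Handbook: it flags `setup` on a udp rule (`setup` matches only TCP SYN packets without ACK, so such a rule never passes UDP) and destinations where port 53 is open for only one of tcp/udp. It assumes the Handbook's `$cmd NNN ...` rule layout; the function names and sample rule sets are constructed for this example.

```shell
#!/bin/sh
# Added example: lint ipfw rule text for DNS egress rules.
# It parses text only and never calls ipfw.

# lint_dns_rules: rule lines on stdin, one finding per line on stdout.
lint_dns_rules() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
    {
        proto = ""; dst = ""; ports = ""; setup = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && i > 1) proto = $(i - 1)
            if ($i == "to") { dst = $(i + 1); ports = $(i + 2) }
            if ($i == "setup") setup = 1
        }
        # Only tcp/udp rules whose destination port list contains 53.
        if (proto != "tcp" && proto != "udp") next
        if (("," ports ",") !~ /,53,/) next
        seen[dst] = 1
        if (proto == "udp" && setup) {
            # setup tests TCP flags, so this rule never matches UDP.
            printf "rule %s: setup on udp never matches\n", $2
            next
        }
        ok[dst, proto] = 1
    }
    END {
        for (d in seen) {
            if (!((d, "tcp") in ok)) printf "%s: port 53 missing tcp\n", d
            if (!((d, "udp") in ok)) printf "%s: port 53 missing udp\n", d
        }
    }'
}

# Constructed samples: tcp-only rule, udp rule with setup, and both rules.
sample_tcp_only() {
    echo '$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state'
}
sample_udp_setup() {
    echo '$cmd 020 $skip udp from any to x.x.x.x 53 out via $pif setup keep-state'
}
sample_both() {
    echo '$cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state'
    echo '$cmd 020 $skip udp from any to x.x.x.x 53 out via $pif keep-state'
}

sample_udp_setup | lint_dns_rules
```

To check a real rules script, pipe its text into `lint_dns_rules`; no output means every port 53 destination has a usable tcp rule and a usable udp rule.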