From owner-freebsd-questions@FreeBSD.ORG Fri Aug 23 03:18:56 2013 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id CB935D44 for ; Fri, 23 Aug 2013 03:18:56 +0000 (UTC) (envelope-from vagabond@blackfoot.net) Received: from nightmare.dreamchaser.org (nightmare.dreamchaser.org [12.32.44.142]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 415E528D3 for ; Fri, 23 Aug 2013 03:18:52 +0000 (UTC) Received: from breakaway.dreamchaser.org (breakaway.dreamchaser.org. [12.32.36.73]) by nightmare.dreamchaser.org (8.13.6/8.13.6) with ESMTP id r7N3G6mB087664; Thu, 22 Aug 2013 21:16:24 -0600 (MDT) (envelope-from vagabond@blackfoot.net) Message-ID: <5216D3F7.50704@blackfoot.net> Date: Thu, 22 Aug 2013 21:16:07 -0600 From: Gary Aitken User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130730 Thunderbird/17.0.7 MIME-Version: 1.0 To: Dan Lists Subject: Re: ipfw confusion References: <5211B5E1.6040000@blackfoot.net> <52128B95.30006@blackfoot.net> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (nightmare.dreamchaser.org [12.32.36.65]); Thu, 22 Aug 2013 21:16:29 -0600 (MDT) Cc: FreeBSD Mailing List X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Aug 2013 03:18:57 -0000 On 08/20/13 12:41, Dan Lists wrote: > You might turn on logging and post the logs of what is being blocked. > Sometimes things are being blocked by rules you do not expect. Thanks for the suggestion. I was seeing refusals from named and mistakenly interpreting them as ipfw issues. > On Mon, Aug 19, 2013 at 4:18 PM, Gary Aitken wrote: > >> On 08/19/13 00:36, Jason Cox wrote: >>> Are you sure that your DNS requests are over TCP? DNS primarily uses UDP >> to >>> serve requests. TCP is used when the response data size exceeds 512 bytes >>> (I think), or for tasks such as zone transfers. I know a few resolver >>> implementations use TCP for all queries, but most I have used not. You >>> might want to add rules to allow UDP as well. >> >> There are identical rules included for udp: >> >> 21149 allow udp from any to 12.32.44.142 dst-port 53 in via tun0 keep-state >> 21169 allow udp from any to 12.32.36.65 dst-port 53 in via tun0 keep-state >> >> One of the requests which is being refused is a zone transfer request from >> a secondary which is a tcp request. Others are probably udp. >> >>> On Sun, Aug 18, 2013 at 11:06 PM, Gary Aitken >> wrote: >>> >>>> I'm having some weird ipfw behavior, or it seems weird to me, and am >>>> looking >>>> for an explaination and then a way out. >>>> >>>> ipfw list >>>> ... >>>> 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup >>>> keep-state >>>> 21129 allow tcp from any to 12.32.36.65 dst-port 53 in via tun0 setup >>>> keep-state >>>> ... >>>> 65534 deny log logamount 5 ip from any to any >>>> >>>> tail -f messages >>>> Aug 18 23:33:06 nightmare named[914]: client 188.231.152.46#63877: error >>>> sending response: permission denied >>>> >>>> 12.32.36.65 is the addr of the internal interface (xl0) on the firewall >>>> and is the public dns server. >>>> 12.32.44.142 is the addr of the external interface (tun0) which is >> bridged >>>> on a >>>> dsl line. >>>> >>>> It appears that a dns request was allowed in, but the response was not >>>> allowed >>>> back out. It seems to me the above rules 21109 and 21129 should have >>>> allowed >>>> the request in and the response back out. >>>> >>>> It's possible a request could come in on 12.32.44.142, >>>> which is why 21109 is present; >>>> although I know I am getting failures to reply to refresh requests >>>> from a secondary addressed to 12.32.36.65 >>>> >>>> What am I missing? >>>> >>>> Is there a problem if the incoming rule is for tun0, >>>> which gets passed to named >>>> since 12.32.44.142 is on the physical machine running named, >>>> but named pumps its response out on 12.32.36.65, >>>> relying on routing to get it to the right place, >>>> and that fails to match the state tracking mechanism >>>> which started with 12.32.44.142?