Date: Tue, 24 May 2005 11:05:18 -0600
From: Stephane Raimbault <stephane@enertiasoft.com>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: named error sending response: permision denied
Message-ID: <FCDE429D-2518-453D-B0EA-9CF55F539D70@enertiasoft.com>
In-Reply-To: <428DEB28.5030505@mac.com>
References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <DBDEAE42-4CD3-4989-AEB8-CF4794942240@enertiasoft.com> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com>
Hi Chuck,

Thank you for your suggestions... I think it helped me solve the problem. It seems I needed to add more rules... although they seem redundant to me, they have clearly made an improvement and I'm no longer getting those DNS-related errors in ipfw.log and in /var/log/messages.

This is what my rules look like now:

  # Allow setup of incoming TCP connections
  ${fwcmd} add pass tcp from any to ${ip1} 53 setup
  ${fwcmd} add pass tcp from any to ${ip2} 53 setup

  # Allow DNS queries out in the world
  ${fwcmd} add pass udp from any 53 to ${ip1} keep-state
  ${fwcmd} add pass udp from any 53 to ${ip2} keep-state
  ${fwcmd} add pass udp from ${ip1} to any 53 keep-state
  ${fwcmd} add pass udp from ${ip2} to any 53 keep-state

  # Allow access to our DNS
  ${fwcmd} add pass udp from any to ${ip1} 53 keep-state
  ${fwcmd} add pass udp from any to ${ip2} 53 keep-state
  ${fwcmd} add pass udp from ${ip1} 53 to any keep-state
  ${fwcmd} add pass udp from ${ip2} 53 to any keep-state

I had this before:

  # Allow setup of incoming TCP connections
  ${fwcmd} add pass tcp from any to ${ip1} 53 setup
  ${fwcmd} add pass tcp from any to ${ip2} 53 setup

  # Allow DNS queries out in the world
  ${fwcmd} add pass udp from ${ip1} to any 53 keep-state
  ${fwcmd} add pass udp from ${ip2} to any 53 keep-state

  # Allow access to our DNS
  ${fwcmd} add pass udp from any to ${ip1} 53 keep-state
  ${fwcmd} add pass udp from any to ${ip2} 53 keep-state

The rules seem redundant to me... but the following seems to prove otherwise:

  01300     0       0 allow tcp from any to 10.0.1.11 53 setup
  01400    18     864 allow tcp from any to 204.9.110.134 53 setup
  05000     0       0 allow udp from any 53 to 10.0.1.11 keep-state
  05100   758   87930 allow udp from any 53 to 204.9.110.134 keep-state
  05200     0       0 allow udp from 10.0.1.11 to any 53 keep-state
  05300  1152  133847 allow udp from 204.9.110.134 to any 53 keep-state
  05400    78   10143 allow udp from any to 10.0.1.11 53 keep-state
  05500 11542 1474155 allow udp from any to 204.9.110.134 53 keep-state
  05600     0       0 allow udp from 10.0.1.11 53 to any keep-state
  05700   848  103507 allow udp from 204.9.110.134 53 to any keep-state

If someone could help explain the details as to why this worked a bit more, I'd appreciate it. It seems painfully obvious, but it still looks redundant to me. I'm a bit confused, as you can tell.

Thank you,
Stephane

On 20-May-05, at 7:50 AM, Chuck Swiger wrote:

> Stephane Raimbault wrote:
>
>> Does anyone have any further thoughts on this, or could maybe
>> point me in a direction that could help me solve the problem?
>>
>
> Take a look at "ipfw -a l", and see which rules are being matched.
> The output from that command is critical for understanding what the
> firewall is actually doing, and should help you figure out what is
> going on. [1]
>
> Do these make your DNS work better:
>
> ipfw add 1 pass udp from any to any 53
> ipfw add pass udp from any 53 to any
>
> ...?
>
> These rules are too open, and should just be used for testing, but
> you can see if the problem is with the firewall rules you have now,
> and adjust things from there.
>
> --
> -Chuck
>
> [1]: It would also help *us* figure out what the issue is. If you
> still need help after this, providing more info would be useful.
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
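Stephane asks why the four UDP rules per address are not redundant. The following is an added example, not code from the thread: a simplified Python model of ipfw's first-match evaluation with keep-state (a matching keep-state rule installs a bidirectional dynamic entry, and the dynamic table is consulted at the first keep-state rule reached). It runs a constructed client query, a constructed recursive query from the server, and their replies against both of the poster's rule sets, restricted to the 204.9.110.134 rules. The rule numbers and server address come from the message; the client and upstream addresses and ports are constructed, and dynamic-rule timeouts and the TCP rules are left out.

```python
# Added example (not from the thread): simplified model of ipfw
# first-match evaluation with keep-state for the poster's DNS rules.
# Simplifications: no dynamic-rule timeouts, UDP only, no tcp/setup rules.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")
NS = "204.9.110.134"          # the DNS server address from the message

# (rule number, src, sport, dst, dport); None means "any".
# All four carry keep-state, as in the poster's ruleset.
NEW_RULES = [
    (5100, None, 53, NS, None),   # udp from any 53 to ns
    (5300, NS, None, None, 53),   # udp from ns to any 53
    (5500, None, None, NS, 53),   # udp from any to ns 53
    (5700, NS, 53, None, None),   # udp from ns 53 to any
]
OLD_RULES = [(5300, NS, None, None, 53), (5500, None, None, NS, 53)]

def _matches(rule, p):
    _, src, sport, dst, dport = rule
    return all(want is None or want == have for want, have in
               ((src, p.src), (sport, p.sport), (dst, p.dst), (dport, p.dport)))

def evaluate(rules, pkt, state):
    """Return the number of the rule that accepts pkt, or None if no rule
    matches. state maps a bidirectional flow key to the keep-state rule
    that created it; because every rule here is keep-state, the dynamic
    table is checked before the first static rule, as ipfw does."""
    key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    if key in state:
        return state[key]
    for rule in rules:
        if _matches(rule, pkt):
            state[key] = rule[0]      # keep-state installs the dynamic entry
            return rule[0]
    return None

def trace(rules, packets, state=None):
    """Evaluate packets in order, sharing one dynamic-state table."""
    state = {} if state is None else state
    return [evaluate(rules, p, state) for p in packets]

# Constructed traffic: a client query and its reply, then one of the
# server's own recursive queries and its reply.
CLIENT, UPSTREAM = "198.51.100.7", "192.0.2.1"
FLOWS = [Pkt(CLIENT, 40000, NS, 53), Pkt(NS, 53, CLIENT, 40000),
         Pkt(NS, 50000, UPSTREAM, 53), Pkt(UPSTREAM, 53, NS, 50000)]
REPLIES_ONLY = [FLOWS[1], FLOWS[3]]   # replies with no prior dynamic entry

if __name__ == "__main__":
    print(trace(NEW_RULES, FLOWS))          # [5500, 5500, 5300, 5300]
    print(trace(NEW_RULES, REPLIES_ONLY))   # [5700, 5100]
    print(trace(OLD_RULES, REPLIES_ONLY))   # [None, None]
```

With a matching dynamic entry present, both rule sets accept the replies through the entry created by 05500 or 05300; a reply that arrives with no matching entry is caught only by the added 05700 and 05100 rules, and in the old set falls through to whatever follows.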