Date: Tue, 24 May 2005 14:09:26 -0400
From: Charles Swiger <cswiger@mac.com>
To: Stephane Raimbault <stephane@enertiasoft.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: named error sending response: permision denied
Message-ID: <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com>
In-Reply-To: <FCDE429D-2518-453D-B0EA-9CF55F539D70@enertiasoft.com>
References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <DBDEAE42-4CD3-4989-AEB8-CF4794942240@enertiasoft.com> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <FCDE429D-2518-453D-B0EA-9CF55F539D70@enertiasoft.com>
On May 24, 2005, at 1:05 PM, Stephane Raimbault wrote:

> Thank you for your suggestions... I think it helped me solve the
> problem. It seems I needed to add more rules... although they seem
> redundant to me, but they have clearly made an improvement and I'm
> no longer getting those DNS-related errors in ipfw.log and in
> /var/log/messages.

I hate to ask something silly, but you do have a check-state rule somewhere, right? The rules you've added permit traffic in both directions, which shouldn't be needed unless the stateful matching wasn't working right.

Anyway, you don't need to use stateful rules if you permit traffic both ways, but the possible tradeoff is making the systems more accessible to scanning and to some DoS attacks using forged traffic. Not using keep-state with UDP is quite reasonable, but you might consider adding "keep-state" to your TCP rules for port 53. You should also be aware that your nameservers will sometimes want to make outbound connections using TCP themselves....

-- 
-Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?96966222-05C1-4686-9F07-EA8A43738B4E>
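The ruleset shape Chuck is describing, as an added example that is not part of the thread and not the original poster's configuration: a check-state rule first, stateful (keep-state) TCP rules for port 53 in both directions so the nameserver's own outbound TCP queries and zone transfers work, and plain stateless UDP rules for 53. The nameserver address (NS), interface (IF) and rule numbers are assumptions; adjust them for your host. The function only prints the ipfw commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a minimal ipfw ruleset
# for a host running named. NS and IF are assumed values; change them.
NS="${NS:-192.0.2.53}"
IF="${IF:-em0}"

# Print the ruleset; apply with:  named_rules | sh
named_rules() {
    cat <<EOF
ipfw -q flush
ipfw add 50 allow ip from any to any via lo0
ipfw add 100 check-state
ipfw add 200 allow tcp from any to $NS 53 in via $IF setup keep-state
ipfw add 210 allow tcp from $NS to any 53 out via $IF setup keep-state
ipfw add 300 allow udp from any to $NS 53 in via $IF
ipfw add 310 allow udp from $NS 53 to any out via $IF
ipfw add 320 allow udp from $NS to any 53 out via $IF
ipfw add 330 allow udp from any 53 to $NS in via $IF
ipfw add 65000 deny log ip from any to any
EOF
}

# Rule 100 must precede the keep-state rules: without check-state the dynamic
# entries are only consulted when the first keep-state rule is reached.
# Rules 200/210: "setup keep-state" admits only the SYN that opens a TCP
# connection (queries too large for UDP, zone transfers, named's own outbound
# TCP lookups); the rest of the connection matches the dynamic entry.
# Rules 300-330: stateless UDP, as the thread says is reasonable. The cost is
# that 330 admits any packet with source port 53 aimed at the nameserver, so
# forged traffic can reach it; restrict 330 to forwarders if the server does
# not recurse.

# Count of rules that mention port 53 but carry no keep-state, i.e. the
# stateless UDP rules; useful as a quick audit of a ruleset.
stateless_dns_rules() {
    named_rules | grep ' 53' | grep -vc keep-state
}
```

Apply it with `named_rules | sh` once the output looks right. If you later tighten rule 330 to specific forwarders, run `stateless_dns_rules` again to confirm nothing else lost its state tracking.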