Date: Tue, 5 Feb 2002 07:54:42 +1100
From: Edwin Groothuis
To: jacks@sage-american.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Firewall Denies - w/info
Message-ID: <20020205075442.O1599@k7.mavetju.org>

On Mon, Feb 04, 2002 at 01:57:00PM -0600, jacks@sage-american.com wrote:
> Sheesh! Here are the denies with the questions again. Sorry!
> I'm getting a lot of these "denies" of outgoing UDP shown in my firewall
> log. The lookups show they are NSLs or root.servers, but not MY
> nameservers. Many are on port 1024, but not always (some on the samba ports).
>
> Also, some try to go out on port 53, but not to MY nameservers....
>
> Since it looks like the requests are coming from my machines, they look
> harmless & wonder if I need the requests, and what could be asking for the
> info. Does anyone know what these are for...??? ...or what is asking for
> the info?
>
> Deny UDP 64.xxx.xx.xxx:1024 198.41.0.4:53 out via tun0
> Deny UDP 64.xxx.xx.xxx:1024 192.203.230.10:53 out via tun0
> Deny UDP 64.xxx.xx.xxx:1024 192.36.148.17:53 out via tun0
> Deny UDP 64.xxx.xx.xxx:1024 198.32.64.12:53 out via tun0

These are *from* your nameserver-process to the root-nameservers.
That's how the protocol is designed and works.

Just open all the ports from your nameserver to everywhere port 53,
on both tcp and udp, and your nameserver will work fine.

Edwin

-- 
Edwin Groothuis   |   Personal website: http://www.MavEtJu.org
edwin@mavetju.org |   Interested in MUDs? Visit Fatal Dimensions:
------------------+   http://www.FatalDimensions.org/
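Added example, not part of the original message: a small Python triage of deny lines in the format quoted above, separating outbound port-53 traffic (the resolver queries the reply describes) from everything else so that only the former is covered by the "allow to port 53" rule. The function names and the last two sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# First four lines are the ones quoted in the message; the last two are
# constructed for contrast (a NetBIOS name-service packet and an inbound probe).
SAMPLE_LOG = """\
Deny UDP 64.xxx.xx.xxx:1024 198.41.0.4:53 out via tun0
Deny UDP 64.xxx.xx.xxx:1024 192.203.230.10:53 out via tun0
Deny UDP 64.xxx.xx.xxx:1024 192.36.148.17:53 out via tun0
Deny UDP 64.xxx.xx.xxx:1024 198.32.64.12:53 out via tun0
Deny UDP 64.xxx.xx.xxx:137 192.0.2.255:137 out via tun0
Deny TCP 192.0.2.9:4431 64.xxx.xx.xxx:23 in via tun0
"""

# Addresses are matched as \S+ so masked ones (64.xxx.xx.xxx) still parse.
LINE_RE = re.compile(
    r"Deny\s+(?P<proto>UDP|TCP)\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

def parse_line(line):
    """Return a dict for one deny line, or None if it is not in this format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_resolver_query(rec):
    """Outbound packet to port 53: what a local nameserver sends upstream."""
    return rec["dir"] == "out" and rec["dport"] == 53

def triage(log_text):
    """Count denied DNS queries per (source, protocol, interface); keep the rest."""
    dns, other = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_resolver_query(rec):
            dns[(rec["src"], rec["proto"], rec["iface"])] += 1
        else:
            other.append(rec)
    return dns, other

if __name__ == "__main__":
    dns, other = triage(SAMPLE_LOG)
    for (src, proto, iface), n in dns.items():
        print(f"{n} denied {proto} DNS queries from {src} out via {iface}")
    for r in other:
        print(f"review separately: {r['proto']} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} {r['dir']} via {r['iface']}")
```

Lines that land in the second list, such as the NetBIOS packet, are not explained by nameserver behaviour and should be judged on their own rather than opened along with port 53.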