Date: Tue, 24 May 2005 12:25:51 -0600
From: Stephane Raimbault <stephane@enertiasoft.com>
To: Charles Swiger <cswiger@mac.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: named error sending response: permision denied
Message-ID: <F4C0013C-245C-41AE-9E4C-226829631D84@enertiasoft.com>
In-Reply-To: <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com>
References: <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <DBDEAE42-4CD3-4989-AEB8-CF4794942240@enertiasoft.com> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <FCDE429D-2518-453D-B0EA-9CF55F539D70@enertiasoft.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com>
On 24-May-05, at 12:09 PM, Charles Swiger wrote:

> On May 24, 2005, at 1:05 PM, Stephane Raimbault wrote:
>
>> Thank you for your suggestions... I think it helped me solve the
>> problem. It seems I needed to add more rules... although they
>> seem redundant to me, they have clearly made an improvement
>> and I'm no longer getting those DNS-related errors in ipfw.log and
>> in /var/log/messages.
>
> I hate to ask something silly, but you do have a check-state rule
> somewhere, right?

It's not silly... what's silly is that now I'm asking how I would check :) or what the rule would look like.

> The rules you've added permit traffic in both directions, which
> shouldn't be needed unless the stateful matching wasn't working
> right. Anyway, you don't need to use stateful rules if you permit
> traffic in both ways, but the possible tradeoff is making the
> systems more accessible to scanning and some DoS attacks using
> forged traffic.
>
> Not using keep-state with UDP is quite reasonable, but you might
> consider adding a "keep-state" with your TCP rules for port 53.
> You should also be aware that your nameservers will want to make
> outbound connections using TCP themselves sometimes....

You've actually kinda answered the other question I neglected to ask, which is whether I would really need the keep-state, since it seemed to work without it being there when I did my testing earlier today.

Regarding adding keep-state to my TCP rule... would this not do the same thing? Am I confused, or is it just insecure to do it this way:

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

Thanks,
Stephane.

> --
> -Chuck
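The two questions above (what a check-state/keep-state ruleset for a nameserver looks like, and how to check an existing ruleset for it) as an added example; this is not code from the thread or from FreeBSD's rc.firewall. It assumes the rc.firewall variable `fwcmd`, defaulting to an echo so the commands are only printed, and the sample listings are constructed in the format `ipfw list` prints.

```sh
#!/bin/sh
# Added example, not from the thread. rc.firewall-style fragment for a
# nameserver: stateful TCP/53 in both directions plus stateless UDP/53.
# fwcmd is the rc.firewall variable; the default here only echoes the rules.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

dns_rules() {
  # check-state first: reply packets then match the dynamic rule that a
  # keep-state rule created, instead of falling through to later rules.
  ${fwcmd} add 1000 check-state
  # TCP/53 inbound (large answers, zone transfers) and outbound (the
  # nameserver's own TCP queries). 'setup' admits only the initial SYN and
  # keep-state then tracks that flow. 'established' instead matches any
  # segment with ACK or RST set, whether or not a connection exists, which
  # is why it lets forged traffic through that keep-state would drop.
  ${fwcmd} add 1010 pass tcp from any to me 53 setup keep-state
  ${fwcmd} add 1020 pass tcp from me to any 53 setup keep-state
  # UDP/53 without keep-state, as agreed in the thread: both directions.
  ${fwcmd} add 1030 pass udp from any to me 53
  ${fwcmd} add 1040 pass udp from me 53 to any
  ${fwcmd} add 1050 pass udp from me to any 53
  ${fwcmd} add 1060 pass udp from any 53 to me
}

# "How would I check": feed the output of `ipfw list` on stdin. Exits 0 when
# a check-state rule precedes every keep-state rule. Without an explicit
# check-state, ipfw only consults dynamic rules at the first keep-state rule,
# so every rule before it (e.g. an early deny) sees the reply packets first.
check_state_ordering() {
  awk '/check-state/ { seen = 1 }
       /keep-state/ && !seen { bad = 1 }
       END { if (bad) exit 1; exit 0 }'
}

# Constructed sample listings (not captured from a real host).
good_listing='00100 allow ip from any to any via lo0
01000 check-state
01010 allow tcp from any to me dst-port 53 setup keep-state
65535 deny ip from any to any'
bad_listing='00100 allow ip from any to any via lo0
00200 deny tcp from any to any dst-port 53 in
01010 allow tcp from any to me dst-port 53 setup keep-state
65535 deny ip from any to any'

dns_rules
printf '%s\n' "$good_listing" | check_state_ordering && echo "good listing: ok"
printf '%s\n' "$bad_listing" | check_state_ordering || echo "bad listing: keep-state with no check-state before it"
```

On a live host the check is `ipfw list | check_state_ordering`, and `ipfw -d list` shows the dynamic rules that keep-state has created.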