From: "C Peter Biessener"
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: DNS over ppp
Date: Mon, 25 Jun 2001 10:22:23 -0700
Sender: owner-freebsd-questions@FreeBSD.ORG

DNS packets are being BLOCKED on my ppp connection, but I fail to see why.

(My ppp client is running ppp v1.65 on FreeBSD 2.2.6 and my ppp server is running ppp v2.26 on FreeBSD 4.1.)

(Also, DNS is being provided by the client, as the server is a remote machine.)

Here are example lines from my ppp.log:

    Jun 25 09:56:49 fep ppp[18624]: tun0: TCP/IP: INP UDP: w.x.y.z:1078 ---> a.b.c.2:53 - BLOCKED
    Jun 25 09:56:54 fep ppp[18624]: tun0: TCP/IP: INP UDP: w.x.y.z:1079 ---> a.b.d.1:53 - BLOCKED

NOTE: packets from the server to both DNS servers on the client's LAN are being blocked.

And here are my packet filter rules:

    #
    # If we don't want ICMP and DNS packets to keep the connection alive:
    #
    set afilter 0 deny icmp
    set afilter 1 deny udp src eq 53
    set afilter 2 deny udp dst eq 53
    set afilter 3 permit 0/0 0/0
    #
    # And we don't want ICMP, rwhod (513), timed (525), ntp (123),
    # NetBIOS (137-9), smtp (25), imap (143), nfs (1110,2049),
    # wins (1512), routed (520) to cause a dialup:
    #
    # set dfilter 0 deny icmp
    set dfilter 0 deny udp src eq 513
    set dfilter 1 deny udp src eq 525
    set dfilter 2 deny udp src eq 123
    set dfilter 3 deny udp src eq 137
    set dfilter 4 deny udp src eq 138
    set dfilter 5 deny udp src eq 139
    set dfilter 6 deny udp dst eq 137
    set dfilter 7 deny udp dst eq 138
    set dfilter 8 deny udp dst eq 139
    set dfilter 9 deny udp src eq 25
    set dfilter 10 deny udp src eq 143
    set dfilter 11 deny udp src eq 1110
    set dfilter 12 deny udp src eq 2049
    set dfilter 13 deny udp src eq 1512
    set dfilter 14 deny udp src eq 520
    set dfilter 15 permit 0/0 0/0
    #
    # Once the line's up, allow connections for ident (113), telnet (23),
    # ftp (20 & 21), DNS (53), our machines (a.b.c.0/24),
    # ICMP (ping) and traceroute (>33433).
    # Rules 8 & 9 are used by rsh and rcp.
    #
    # Anything else is blocked by default.
    #
    set ifilter 0 permit tcp dst eq 113
    set ofilter 0 permit tcp src eq 113
    set ifilter 1 permit tcp src eq 23 estab
    set ofilter 1 permit tcp dst eq 23
    set ifilter 2 permit tcp src eq 21 estab
    set ofilter 2 permit tcp dst eq 21
    set ifilter 3 permit tcp src eq 20 dst gt 1023
    set ofilter 3 permit tcp dst eq 20
    set ifilter 4 permit udp src eq 53
    set ofilter 4 permit udp dst eq 53
    set ifilter 5 permit a.b.c.0/24 0/0
    set ofilter 5 permit 0/0 a.b.c.0/24
    set ifilter 6 permit icmp
    set ofilter 6 permit icmp
    set ifilter 7 permit udp dst gt 33433
    set ofilter 7 permit udp dst gt 33433
    set ifilter 8 permit tcp src eq 514
    set ofilter 8 permit tcp src lt 890 dst eq 514
    set ifilter 9 permit tcp src lt 1080 dst lt 890
    set ofilter 9 permit tcp src lt 890 dst lt 1080

NOTE: i/o filter rules #4 permit DNS packets in both directions - how are DNS packets being blocked???

Thanks in advance,

C Peter Biessener
Hirshfield's Inc.
direct: 612/374-0285
reception: 612/377-3910
fax: 612/436-3384
email: pbiessener@hirshfields.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
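As an added example (not from the post and not ppp's own code), a small Python evaluator that replays the post's ifilter rules, first match wins and no match means blocked, against its ppp.log lines, so you can see which rule, if any, decides each inbound packet. The addresses are constructed stand-ins for the anonymised ones: 10.1.2.0/24 for a.b.c.0/24 and 203.0.113.7 for w.x.y.z.

```python
import ipaddress
import re

# Added example, not from the post. Constructed stand-ins for its anonymised addresses:
# 10.1.2.0/24 for a.b.c.0/24 (client LAN), 203.0.113.7 for w.x.y.z (the ppp server).
IFILTER = [  # the post's ifilter rules 0..9, in order; ppp takes the first match
    "permit tcp dst eq 113", "permit tcp src eq 23 estab", "permit tcp src eq 21 estab",
    "permit tcp src eq 20 dst gt 1023", "permit udp src eq 53", "permit 10.1.2.0/24 0/0",
    "permit icmp", "permit udp dst gt 33433", "permit tcp src eq 514",
    "permit tcp src lt 1080 dst lt 890"]
SAMPLE_LOG = [  # the post's first log line (addresses substituted) and a constructed DNS reply
    "Jun 25 09:56:49 fep ppp[18624]: tun0: TCP/IP: INP UDP: 203.0.113.7:1078 ---> 10.1.2.2:53 - BLOCKED",
    "Jun 25 09:56:49 fep ppp[18624]: tun0: TCP/IP: INP UDP: 10.1.2.2:53 ---> 203.0.113.7:1078"]
LOG_RE = re.compile(r"(INP|OUT) (TCP|UDP): (\S+):(\d+) ---> (\S+):(\d+)")
CMP = {"eq": int.__eq__, "lt": int.__lt__, "gt": int.__gt__}

def parse_rule(text):
    """'permit udp src eq 53' -> (action, [src_net, dst_net], proto, [(side, op, port)])."""
    toks = text.replace("0/0", "0.0.0.0/0").split()      # ppp's 0/0 means any address
    action, nets, proto, tests = toks.pop(0), [], None, []
    while toks and toks[0][0].isdigit():                 # optional src then dst address
        nets.append(ipaddress.ip_network(toks.pop(0), strict=False))
    if toks and toks[0] in ("tcp", "udp", "icmp"):
        proto = toks.pop(0)
    while toks:
        if toks[0] in ("src", "dst"):                      # port test, e.g. 'src eq 53'
            tests.append((toks[0], toks[1], int(toks[2])))
            toks = toks[3:]
        else:                                              # estab/syn/finrst: TCP flags are
            toks.pop(0)                                    # not in the log line; assumed true
    return action, nets, proto, tests

def parse_log(line):
    """Direction, protocol, endpoints and ports from a ppp.log 'TCP/IP:' line."""
    d, proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return {"dir": d, "proto": proto.lower(), "src": ipaddress.ip_address(src),
            "srcport": int(sport), "dst": ipaddress.ip_address(dst), "dstport": int(dport)}

def evaluate(pkt, rules=IFILTER):
    """(rule number, action) of the first rule matching pkt; (None, 'deny') is ppp's default."""
    for n, text in enumerate(rules):
        action, nets, proto, tests = parse_rule(text)
        if (nets and not (pkt["src"] in nets[0] and pkt["dst"] in nets[1])) \
                or (proto and proto != pkt["proto"]):
            continue
        if all(CMP[op](pkt[side + "port"], port) for side, op, port in tests):
            return n, action
    return None, "deny"
```

Run over SAMPLE_LOG, the blocked query (source port 1078, destination port 53) matches no ifilter rule, while the constructed reply with source port 53 is accepted by rule 4.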