From owner-freebsd-questions@FreeBSD.ORG Tue Dec 9 01:58:03 2003
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E79716A4CE for ; Tue, 9 Dec 2003 01:58:03 -0800 (PST)
Received: from zim.0x7e.net (zim.0x7e.net [203.38.184.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6CD4143D13 for ; Tue, 9 Dec 2003 01:58:01 -0800 (PST) (envelope-from listone@deathbeforedecaf.net)
Received: from goo.0x7e.net ([203.38.184.164] helo=goo) by zim.0x7e.net with smtp (Exim 3.36 #1) id 1ATect-0000Hc-00; Tue, 09 Dec 2003 20:27:55 +1030
Message-ID: <004d01c3be3a$ebecc850$a4b826cb@goo>
From: "Rob"
To: "Gregory Edigarov"
References: <20031209093254.GA366@profi.kharkov.ua>
Date: Tue, 9 Dec 2003 20:27:55 +1030
MIME-Version: 1.0
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Subject: Re: ipfw keep-state (ASAP anwser need)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 09 Dec 2003 09:58:03 -0000

I would suggest

    ipfw add 4100 allow udp from me to any 53 keep-state
    ipfw add 4200 allow udp from any to me 53 keep-state

which allows either side to initiate the connection. You will also need TCP versions of these rules (DNS uses both). If you use ipfw2, which is the default in 5.x, you can combine them into the same rule like so:

    ipfw add 4100 allow ( tcp or udp ) from me to any 53 keep-state
    ipfw add 4200 allow ( tcp or udp ) from any to me 53 keep-state

What does /var/log/security show?
----- Original Message -----
From: "Gregory Edigarov"
Subject: ipfw keep-state (ASAP anwser need)

> Hello,
>
> The following is a fragment of my rc.firewall which must allow all
> traffic in and out of my named.
>
> ----
> ipfw add 4100 allow udp from me to any 53 keep-state
> ipfw add 4200 allow udp from any to me 53
> ipfw add 4300 allow udp from me 53 to any
> ---
> This is a fragment from my kernel configuration:
> ---
> options IPFIREWALL                  #firewall
> options IPFIREWALL_VERBOSE          #enable logging to syslogd(8)
> options IPFIREWALL_FORWARD          #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> options IPDIVERT                    #divert sockets
> options IPSTEALTH
> options ICMP_BANDLIM
> options DUMMYNET
> options BRIDGE
> options IPFW2
> ---
> It doesn't work. What am I missing?
>
> --
> With best regards,
> Gregory Edigarov
> ------------------------------------------------------------------------------
> profi.kharkov.ua Systems Administrator
> ------------------------------------------------------------------------------
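The two things Rob's reply turns on are (a) that keep-state has to be on both the outbound and the inbound rule, for UDP and TCP alike, and (b) that the denied packets show up in /var/log/security when IPFIREWALL_VERBOSE is in the kernel. The script below is an added example, not code from either poster or from the FreeBSD project: it emits the rule set from the reply for either ipfw syntax and triages ipfw log lines to show which rule number is denying port 53 traffic. It assumes a leading rule 4000 check-state (the rule number and its inclusion are the example's choice, not from the thread), ipfw's "ipfw: RULE ACTION PROTO SRC:PORT DST:PORT DIR via IFACE" log format, and a dry run by default: IPFW is "echo" unless you override it, so nothing is loaded into a live firewall. The log lines are constructed samples using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original thread or the FreeBSD project.
# IPFW defaults to "echo" so this is a dry run; set IPFW=/sbin/ipfw on a
# FreeBSD host to actually load the rules.

IPFW="${IPFW:-echo}"

# dns_rules yes|no  -- "yes" uses ipfw2 syntax, "no" uses one rule per protocol.
# Rule 4000 check-state is an assumption of this example: it lets replies that
# match a dynamic entry created by keep-state pass before the static rules run.
# Rule numbers 4110/4210 for the ipfw1 TCP variants are also this example's.
dns_rules() {
    ipfw2="$1"
    $IPFW add 4000 check-state
    if [ "$ipfw2" = yes ]; then
        # Parentheses are escaped so the shell passes them to ipfw as separate
        # tokens, which is how ipfw2 expects the "( tcp or udp )" group.
        $IPFW add 4100 allow \( tcp or udp \) from me to any 53 keep-state
        $IPFW add 4200 allow \( tcp or udp \) from any to me 53 keep-state
    else
        $IPFW add 4100 allow udp from me to any 53 keep-state
        $IPFW add 4110 allow tcp from me to any 53 keep-state
        $IPFW add 4200 allow udp from any to me 53 keep-state
        $IPFW add 4210 allow tcp from any to me 53 keep-state
    fi
}

# denied_dns -- read syslog lines on stdin, print "RULE PROTO DIRECTION" for
# every ipfw Deny that involves port 53. Feed it /var/log/security to see which
# rule (65535 is the default deny) is eating the DNS traffic and in which direction.
denied_dns() {
    awk '
        /ipfw: [0-9]+ Deny/ {
            # find the "ipfw:" token; the fields after it are at fixed offsets
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); src = $(i+4); dst = $(i+5); dir = $(i+6)
            if (src ~ /:53$/ || dst ~ /:53$/) print rule, proto, dir
        }'
}

# Constructed sample log (documentation addresses, not real hosts):
# a query leaving the resolver, a query arriving at the name server, an
# accepted query, and an unrelated SSH deny that must be ignored.
SAMPLE_LOG='Dec  9 20:27:55 goo kernel: ipfw: 65535 Deny UDP 192.0.2.10:2053 198.51.100.5:53 out via fxp0
Dec  9 20:27:56 goo kernel: ipfw: 65535 Deny UDP 198.51.100.5:1234 192.0.2.10:53 in via fxp0
Dec  9 20:27:57 goo kernel: ipfw: 4200 Accept UDP 198.51.100.5:1234 192.0.2.10:53 in via fxp0
Dec  9 20:27:58 goo kernel: ipfw: 65535 Deny TCP 198.51.100.5:4321 192.0.2.10:22 in via fxp0'

# Dry run when executed directly: show the ipfw2 rule set, then count the
# denied DNS packets per rule and direction from the sample.
dns_rules yes
printf '%s\n' "$SAMPLE_LOG" | denied_dns | sort | uniq -c
```

On a live box, `grep ipfw: /var/log/security | denied_dns | sort | uniq -c` gives the per-rule picture Rob is asking about: a count against 65535 "in" with port 53 as the destination means the inbound rule is not matching, which is exactly the missing keep-state in the original rule 4200.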