Date: Sat, 16 Dec 2000 01:10:16 -0800
From: "Crist J. Clark"
To: Carlos Andrade
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: right
Message-ID: <20001216011016.N96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <000801c066e6$bb7e4620$fa01a8c0@rjstech.com>
In-Reply-To: <000801c066e6$bb7e4620$fa01a8c0@rjstech.com>; from carlos@rjstech.com on Fri, Dec 15, 2000 at 03:31:13PM -0700

On Fri, Dec 15, 2000 at 03:31:13PM -0700, Carlos Andrade wrote:
> So the email list found some typos (which is good, the typos bad).

And more below, or are these the same ones?

> And I have my machine on a crossover cable, life is peachy right? wrong...
>
> For some reason I cannot get DNS to work. I can send email and receive
> email since I was able to hobble the IPs of my POP and SMTP servers. So I
> look at my rc.firewall (attached) and well I cannot figure out why I can do
> things using IPs but not names. It's one thing for me to do this, it's
> another for the rest of the office to do it. For that matter I don't know
> off the top of my head the IP for www.yahoo.com. So I beseech this email
> list, what am I doing wrong?

[snip]

> case ${firewall_type} in
> [Ss][Ii][Mm][Pp][Ll][Ee])
>
> # I deleted open and client, too many conflicts
> # so we go directly in to simple
> # This is a prototype setup for a simple firewall. Configure this
> # machine as a named server and ntp server, and point all the machines
> # on the inside at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet="206.249.222.0"
> omask="255.255.255.224"
> oip="206.249.222.226"
>
> # set these to your inside interface network and netmask and ip
> iif="xl1"
> inet="192.168.1.0"
> imask="255.255.255.224"
> iip="192.168.1.225"

Errr... These numbers do not all agree. Your IP address is outside of
your network, or your netmask is too small, or your network is in the
wrong place.

> #dns servers
> #dns1="204.90.111.2"
> #dns2="205.137.48.5"

[snip]

> # UPD STUFF
>
> # Allow access to our DNS
> #${fwcmd} add 2900 pass upd from any to ${dns1} 53 setup
> #${fwcmd} add 3000 pass upd from any to ${dns2} 53 setup
> #${fwcmd} add 3100 pass udp from ${dns1} 53 to any
> #${fwcmd} add 3200 pass udp from ${dns2} 53 to any
>
> ${fwcmd} add 2900 pass udp from any 53 to ${oip}

OK, this should let DNS back to your gateway.

> ${fwcmd} add 3000 pass udp from ${oip} 53 to any
> ${fwcmd} add 3100 pass tcp from any to ${oip} 53 setup

These say that you want your gateway (or perhaps a machine behind it) to
function as a DNS server? I don't see a rule allowing the port 53 traffic
onto your private net. Nor do I see a rule allowing DNS out. Why did you
use different rules rather than fix the problems with the ones you have
commented out?

> # SMB - allow local traffic
> ${fwcmd} add 3300 pass udp from any to any 137-139 via ${iif}

Ouch. Why?

> # Allow NTP queries out in the world BUT we do it like this
> # allow server-server on outside interface
> # allow client-server on inside interface
> ${fwcmd} add 3400 pass udp from any 123 to any 123 via ${oif}
> ${fwcmd} add 3500 pass udp from any 123 to any 123 via ${iif}
> ${fwcmd} add 3600 pass udp from any to any 123 via ${iif}

Rule 3500 is a subset of rule 3600. Rules 3400 and 3500 could be made
into a single rule,

	${fwcmd} add 3400 pass udp from any 123 to any 123

[snip]
-- 
Crist J. Clark                                cjclark@alum.mit.edu
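The first point raised above, that the address/network/netmask triples in the quoted rc.firewall do not agree, can be checked mechanically before any rule that uses ${onet}/${omask} or ${inet}/${imask} is loaded. The script below is an added example and is not code from this thread or from FreeBSD's rc.firewall; the function names and the report format are my own, and the addresses are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: confirm that each interface address in rc.firewall really
# lies inside the network/netmask pair it is declared with.

# Dotted quad -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# in_net IP NET MASK: succeed when (IP & MASK) == (NET & MASK).
in_net() {
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# check_iface NAME IP NET MASK: report whether the address fits, and if
# not, which block it actually falls in under that mask. Status as in_net.
check_iface() {
    if in_net "$2" "$3" "$4"; then
        echo "$1: $2 is inside $3/$4"
    else
        ipn=$(ip2int "$2"); maskn=$(ip2int "$4")
        real=$(int2ip $(( ipn & maskn )))
        echo "$1: $2 is NOT inside $3/$4 (with that mask it is in $real/$4)"
        return 1
    fi
}

# Values copied from the rc.firewall quoted in the thread; both fail.
check_iface xl0 206.249.222.226 206.249.222.0 255.255.255.224 || :
check_iface xl1 192.168.1.225   192.168.1.0   255.255.255.224 || :
```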