Date:      Tue, 24 May 2005 17:10:10 -0400
From:      Charles Swiger <cswiger@mac.com>
To:        Stephane Raimbault <stephane@enertiasoft.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: named error sending response: permision denied
Message-ID:  <78A9BEFC-DAB7-4140-91A1-4EC0EF1D9E11@mac.com>
In-Reply-To: <33C31ADD-A2A0-47FC-968D-267278F63F89@enertiasoft.com>
References:  <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <DBDEAE42-4CD3-4989-AEB8-CF4794942240@enertiasoft.com> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <FCDE429D-2518-453D-B0EA-9CF55F539D70@enertiasoft.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> <F4C0013C-245C-41AE-9E4C-226829631D84@enertiasoft.com> <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com> <33C31ADD-A2A0-47FC-968D-267278F63F89@enertiasoft.com>

On May 24, 2005, at 4:28 PM, Stephane Raimbault wrote:
> That's very interesting and makes sense.  I do not have the  
> check-state in there, and just specify each port that is open, I'm  
> guessing I did not run into this problem with anything else, as dns  
> is a very stateful type of protocol?

DNS is more complicated than simple UDP-only protocols, sure.  If you  
have DNS problems, lots of other stuff won't work so well, either.

> Would this be hand with an FTP server, right now I just tell the  
> ftp server to use specific
                 ^^^^ "hard"?

> passive ports, and open up the firewall to allow connections on  
> there.  Would I be able to eliminate that with simply setting up  
> check-state and also having keep-state at the end of the tcp allow  
> rules?

Active mode FTP is another hard case to deal with, but most clients  
and servers support passive-mode FTP now, which works better over a  
firewall or NAT situation.

If no check-state rule is specified, IPFW uses a fallback where it  
supposedly looks for keep-state rules or limit rules, instead.  But  
yes, if you are going to use keep-state rules, you should have a  
check-state rule, too.  Only, it's better to put that rule sooner  
rather than later, to reduce the amount of work the firewall has to  
do for established connections.

-- 
-Chuck
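An rc.firewall-style IPFW ruleset that puts the advice above into practice (check-state early, keep-state on the allow rules, the passive FTP range opened with state instead of stateless per-port holes). This is an added example, not code from the original thread; the service ports and passive range are constructed values, and on a host without /sbin/ipfw the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example: stateful IPFW ruleset in the style of /etc/rc.firewall.
# Assumptions: passive range 49152-49200 is constructed and must match the
# range ftpd is configured to use; without /sbin/ipfw we fall back to echo.
fwcmd="${FWCMD:-/sbin/ipfw}"
[ -x "$fwcmd" ] || fwcmd="echo ipfw"          # dry run on non-FreeBSD hosts

pasv_range="49152-49200"                      # constructed passive FTP range

# Emit the rules one per line. Rule 100 is the check-state rule: packets of
# an already-established connection match here and never reach the rules
# below, which is the "sooner rather than later" point in the reply.
build_rules() {
    cat <<EOF
add 100 check-state
add 200 allow tcp from any to me 22 setup keep-state
add 300 allow udp from any to me 53 keep-state
add 310 allow tcp from any to me 53 setup keep-state
add 400 allow tcp from any to me 21 setup keep-state
add 410 allow tcp from any to me $pasv_range setup keep-state
add 500 allow ip from me to any keep-state
add 65000 deny log ip from any to any
EOF
}

# Load the ruleset (or print it in dry-run mode).
apply_rules() {
    $fwcmd -q flush
    build_rules | while IFS= read -r rule; do
        $fwcmd $rule
    done
}

# Sanity check: the check-state rule must be numbered below every
# keep-state rule, otherwise established flows are re-evaluated each time.
check_state_first() {
    cs=$(build_rules | awk '/check-state/ { print $2; exit }')
    ks=$(build_rules | awk '/keep-state/ { print $2; exit }')
    [ -n "$cs" ] && [ -n "$ks" ] && [ "$cs" -lt "$ks" ]
}

if [ "${1:-}" = "apply" ]; then
    check_state_first || { echo "check-state is not first" >&2; exit 1; }
    apply_rules
fi
```

Run with `sh firewall.sh apply` to load (or, without ipfw, print) the rules; with no argument it only defines the functions.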