Date: Mon, 17 Jan 2005 15:33:01 -0500
From: "Alvaro J. Gurdián" <AJGurdian@lanoticia.com>
To: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: Re: IPF firewalling
Message-ID: <FB5C0C34-68C6-11D9-BEF4-000A9592DF7A@lanoticia.com>
In-Reply-To: <20050116153513.WNGG29966.viefep20-int.chello.at@hyperduron>
References: <20050116153513.WNGG29966.viefep20-int.chello.at@hyperduron>
If you compiled your kernel, and added options IPFILTER_DEFAULT_BLOCK,
then you need to explicitly allow each service to leave the interface,
as well as come in thru the interface.

For example add:

pass in quick proto tcp from any to any port = 53 keep state keep frags
pass in quick proto udp from any to any port = 53 keep state keep frags

this allows the computer to attempt to contact the DNS server
upstream from it.

Hope this helps,

Alvaro Gurdián Jr.

On Jan 16, 2005, at 10:35 AM, Kövesdán Gábor wrote:

> Hi,
>
> I have some trouble with the ipf configuration. I made the following
> ruleset:
>
> pass in quick on rl0 proto udp from any to any port = 68 keep state
> pass in quick proto udp from any to any port = 53 keep state keep frags
> pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on rl0 proto tcp from any to any port = 25 keep state
> pass in quick on rl0 proto tcp from any to any port = 21 keep state
> pass in quick on rl0 proto tcp from any to any port = 20 keep state
> pass in quick on rl0 proto tcp from any to any port = 80 keep state
>
> block return-rst in log quick on rl0 proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
> block in quick on rl0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> Everything seems okay, but the named. Neither the ISP's nameserver (set by
> the dhcp) nor the local nameserver works. BIND 9 wrote this to
> /var/log/messages:
>
> Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: not listening on any interfaces
> Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>
> The rndc doesn't matter, I'm not going to use it, but neither can named
> listen on the network and the loopback interface. Could you suggest any
> solution for this trouble? Btw, this machine is going to be a web, dns,
> mail, etc. server and is being tested on an ordinary cable connection,
> that's why I'm using dhcp.
>
> Best regards,
>
> Gábor Kövesdán
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
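The default-block behaviour Alvaro describes, simulated against the ruleset from the quoted message. This is an added example, not code from either poster and not part of ipf itself. It parses only the simple rule form used in the thread (action, optional return-* modifier, direction, log/quick, on interface, proto, and a destination port written as port = N), applies ipf's matching order (last matching rule wins unless a rule is quick, and a packet matching nothing falls through to the kernel default, block under IPFILTER_DEFAULT_BLOCK), and ignores keep state, keep frags and flags. The two pass out rules in ADDED_OUT_RULES are my own illustration of what "allow each service to leave the interface" means for the resolver's outbound DNS queries; they are not rules from the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # stop evaluating at this rule if it matches
    iface: Optional[str]   # "on <iface>" or None for any interface
    proto: Optional[str]   # "tcp", "udp", "tcp/udp" or None for "all"
    port: Optional[int]    # destination port from "port = N" or None for any


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf rule syntax that appears in the thread.

    Assumption (mine): only 'to any port = N' is used for ports, as in the
    quoted ruleset; source ports and other comparison operators are not handled.
    """
    toks = line.split()
    action = toks.pop(0)
    if toks[0].startswith("return-"):      # e.g. block return-rst in ...
        toks.pop(0)
    direction = toks.pop(0)
    quick, iface = False, None
    while toks and toks[0] in ("log", "quick", "on"):
        t = toks.pop(0)
        if t == "quick":
            quick = True
        elif t == "on":
            iface = toks.pop(0)
    proto = None
    if toks and toks[0] == "proto":
        toks.pop(0)
        proto = toks.pop(0)
    port = None
    if "port" in toks:                       # "... to any port = 53 ..."
        i = toks.index("port")
        port = int(toks[i + 2])
    return Rule(action, direction, quick, iface, proto, port)


def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def matches(r: Rule, direction: str, iface: str, proto: str, dport: int) -> bool:
    if r.direction != direction:
        return False
    if r.iface is not None and r.iface != iface:
        return False
    if r.proto is not None and proto not in r.proto.split("/"):
        return False
    if r.port is not None and r.port != dport:
        return False
    return True


def evaluate(rules: List[Rule], direction: str, iface: str, proto: str,
             dport: int, default: str = "block") -> str:
    """ipf semantics: last match wins, unless a matching rule is 'quick'.

    'default' models the kernel policy: "block" with IPFILTER_DEFAULT_BLOCK,
    "pass" without it.
    """
    verdict = default
    for r in rules:
        if matches(r, direction, iface, proto, dport):
            verdict = r.action
            if r.quick:
                break
    return verdict


# The ruleset from the quoted message, copied as posted.
ORIGINAL_RULESET = """
pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 25 keep state
pass in quick on rl0 proto tcp from any to any port = 21 keep state
pass in quick on rl0 proto tcp from any to any port = 20 keep state
pass in quick on rl0 proto tcp from any to any port = 80 keep state
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in quick on rl0 all
pass in quick on lo0 all
pass out quick on lo0 all
"""

# My addition: outbound rules so the local resolver's queries to an upstream
# DNS server can leave rl0 under the default-block policy.
ADDED_OUT_RULES = """
pass out quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass out quick on rl0 proto tcp from any to any port = 53 keep state keep frags
"""


def audit_dns(ruleset_text: str, iface: str = "rl0") -> dict:
    """Verdicts for inbound and outbound DNS on the given interface."""
    rules = parse_ruleset(ruleset_text)
    return {
        "udp53_in": evaluate(rules, "in", iface, "udp", 53),
        "udp53_out": evaluate(rules, "out", iface, "udp", 53),
    }


if __name__ == "__main__":
    print("as posted:", audit_dns(ORIGINAL_RULESET))
    print("with pass out:", audit_dns(ORIGINAL_RULESET + ADDED_OUT_RULES))
```

As posted, inbound port 53 on rl0 is passed while the resolver's own outbound queries on rl0 fall through to the default and are blocked; only lo0 has a pass out rule. The evaluator only checks first-packet filtering, so it says nothing about whether keep state would later admit replies.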