From: Alvaro J. Gurdián <AJGurdian@lanoticia.com>
Date: Mon, 17 Jan 2005 15:33:01 -0500
To: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: Re: IPF firewalling

If you compiled your kernel and added options IPFILTER_DEFAULT_BLOCK, then you need to explicitly allow each service to leave the interface, as well as come in through the interface. For example add:

pass in quick proto tcp from any to any port = 53 keep state keep frags
pass in quick proto udp from any to any port = 53 keep state keep frags

This allows the computer to attempt to contact the DNS server upstream from it.

Hope this helps,

Alvaro Gurdián Jr.
On Jan 16, 2005, at 10:35 AM, Kövesdán Gábor wrote:

> Hi,
>
> I have some trouble with the ipf configuration. I made the following
> ruleset:
>
> pass in quick on rl0 proto udp from any to any port = 68 keep state
> pass in quick proto udp from any to any port = 53 keep state keep frags
> pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
> pass in quick on rl0 proto tcp from any to any port = 25 keep state
> pass in quick on rl0 proto tcp from any to any port = 21 keep state
> pass in quick on rl0 proto tcp from any to any port = 20 keep state
> pass in quick on rl0 proto tcp from any to any port = 80 keep state
>
> block return-rst in log quick on rl0 proto tcp from any to any
> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
> block in quick on rl0 all
>
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> Everything seems okay, but the named. Neither the ISP's nameserver (set by
> the dhcp) nor the local nameserver works.
> BIND 9 wrote this to /var/log/messages:
>
> Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: not listening on any interfaces
> Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>
> The rndc doesn't matter, I'm not going to use it, but neither can named
> listen on the network and the loopback interface. Could you suggest any
> solution for this trouble? Btw, this machine is going to be a web, dns,
> mail, etc. server and is being tested on an ordinary cable connection,
> that's why I'm using dhcp.
>
> Best regards,
>
> Gábor Kövesdán
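As an added example, not taken from either message in the thread, here is a complete ipf ruleset for the setup Alvaro describes: a kernel built with IPFILTER_DEFAULT_BLOCK, where any packet in either direction that no rule passes is dropped. The posted ruleset has no `pass out` rule on rl0 at all, so under that kernel option the host cannot send its own DNS queries or DHCP requests regardless of the `pass in` lines. The interface name rl0 is copied from the posted rules (the named log mentions re0; use whatever ifconfig shows), the inbound service list follows the poster's, and the path /etc/ipf.rules is an assumption.

```conf
# /etc/ipf.rules -- example ruleset for IPFILTER_DEFAULT_BLOCK (added example,
# not from the thread). With that kernel option every packet not explicitly
# passed is dropped, so both directions need rules.

# Loopback is unrestricted; named listens on 127.0.0.1 and resolvers use it.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound: let this host originate traffic. keep state creates a table entry
# so the replies (DNS answers, TCP handshakes, ICMP errors) are let back in
# without a matching pass in rule. flags S means only SYNs create TCP state.
pass out quick on rl0 proto tcp from any to any flags S keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state

# DHCP client: the lease offer comes back to port 68 from the server's port 67
# and may be addressed to 255.255.255.255, which stateful matching on the
# outbound DISCOVER does not reliably cover, so allow it explicitly.
pass in quick on rl0 proto udp from any port = 67 to any port = 68 keep state

# Inbound services offered by this box (DNS both UDP and TCP, mail, web, ssh,
# FTP control; nameserver/WHOIS on 42 as in the posted rules).
pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Everything else: reject politely for TCP/UDP, silently drop the rest, log it.
# The explicit block out is redundant under IPFILTER_DEFAULT_BLOCK but makes
# dropped outbound packets show up in ipmon, which is what you want while
# debugging "why can't this box talk to the upstream resolver".
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick on rl0 all
block out log quick on rl0 all
```

Syntax-check the file with `ipf -n -f /etc/ipf.rules` (parse only, no kernel changes), then load it with `ipf -Fa -f /etc/ipf.rules` and confirm with `ipfstat -io`, which lists the active out and in rules. Separately from the firewall: the quoted named messages are bind(2) failures, first "address in use" on port 53 and on the rndc channel 127.0.0.1:953, then "permission denied" on the retries, which is what the same bind attempts look like once `-u named` has dropped root. A packet filter cannot produce either error, so before changing rules check `sockstat -4 -l` for whatever already holds those ports (most often a second named instance still running).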