Date: Tue, 9 Oct 2001 00:56:30 -0400 From: Louis LeBlanc <leblanc+freebsd@smtp.ne.mediaone.net> To: freebsd-questions@FreeBSD.org, freebsd-questions@FreeBSD.org Subject: Re: ipfw question - hostname/address spec? Message-ID: <20011009005629.D589@acadia.ne.mediaone.net> In-Reply-To: <20011004135129.E297@blossom.cjclark.org> References: <20011004071834.A2458@acadia.ne.mediaone.net> <20011004135129.E297@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 10/04/01 01:51 PM, Crist J. Clark sat at the `puter and typed: > So, if you type, > > % dig news.ne.mediaone.net > > Before you run the script, it works? Even if it does, there would not > happen to be an 'ipfw -f flush' rule at the top of your script? Are > the DNS port opened up in the script before these rules with > hostnames? Look up the names in the script right before the rules to > see if they work, > > host $NEWS_SERVER > ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 \ > via $EXT_INTERFACE out > ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \ > via $EXT_INTERFACE in established Hey Christ. Sorry for asking for help then disappearing. I tried your suggestions, trying also to remove some of the more paranoid firewall rules. I also did an echo of the nameservers and IPADDR early on in the script. Unfortunately, I am unfamiliar enough with ipfw, that I can't tell which rule is killing me. Even if I simply change all name based rules to 'any', I have no connectivity whatsoever, even by direct ip. If you need, I can provide ipfw show output, but I suspect I am giving you more than enough as it is. I don't expect an immediate answer because I am giving you such a load of data and I suspect you have a life outside this list, but I *certainly appreciate* any help you may provide. It is a boatload of output, but this is what I see: # dig news.ne.mediaone.net ; <<>> DiG 8.3 <<>> news.ne.mediaone.net ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUERY SECTION: ;; news.ne.mediaone.net, type = A, class = IN ;; ANSWER SECTION: news.ne.mediaone.net. 10M IN A 24.128.8.202 ;; AUTHORITY SECTION: news.ne.mediaone.net. 10M IN NS ndpxy01.ne.mediaone.net. ;; ADDITIONAL SECTION: ndpxy01.ne.mediaone.net. 54m14s IN A 24.128.60.7 ;; Total query time: 21 msec ;; FROM: acadia.ne.mediaone.net to SERVER: default -- 24.218.0.229 ;; WHEN: Tue Oct 9 00:40:20 2001 ;; MSG SIZE sent: 38 rcvd: 92 # sh /etc/rc.firewall Starting firewalling... IPADDR: 65.96.185.189 NAMESERVER_1: 24.218.0.229 NAMESERVER_2: 24.218.0.228 NAMESERVER_3: 24.128.1.81 00100 allow ip from any to any in recv lo0 00200 allow ip from any to any out xmit lo0 00300 allow ip from 10.8.20.0/24 to any in recv fxp0 00400 allow ip from any to 10.8.20.0/24 out xmit fxp0 00500 allow ip from 209.192.210.0/24 to 65.96.185.189 in recv xl0 00600 allow ip from 209.58.140.0/24 to 65.96.185.189 in recv xl0 00700 divert 8668 ip from any to any via xl0 00800 deny log logamount 10 ip from 255.255.255.255 to any in recv xl0 00900 deny log logamount 10 ip from any to 0.0.0.0 in recv xl0 01000 deny log logamount 10 tcp from any to any 2049 in recv xl0 setup 01100 unreach host tcp from any to any 2049 out xmit xl0 setup 01200 deny log logamount 10 tcp from any to any 6000-6063 in recv xl0 setup 01300 unreach host tcp from any to any 6000-6063 out xmit xl0 setup 01400 deny log logamount 10 tcp from any to any 1080 in recv xl0 setup 01500 unreach host tcp from any to any 1080 out xmit xl0 setup 01600 deny log logamount 10 udp from any to any 2049 in recv xl0 01700 deny log logamount 10 udp from any 32769-65535 to any 33434-33523 in recv xl0 01800 allow udp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0 01900 allow udp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0 02000 allow tcp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0 02100 allow tcp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0 established 02200 allow udp from 65.96.185.189 1024-65535 to 24.218.0.228 53 out xmit xl0 02300 allow udp from 24.218.0.228 53 to 65.96.185.189 1024-65535 in recv xl0 02400 allow tcp from 65.96.185.189 1024-65535 to 24.218.0.228 53 out xmit xl0 02500 allow tcp from 24.218.0.228 53 to 65.96.185.189 1024-65535 in recv xl0 established 02600 allow udp from 65.96.185.189 1024-65535 to 24.128.1.81 53 out xmit xl0 02700 allow udp from 24.128.1.81 53 to 65.96.185.189 1024-65535 in recv xl0 02800 allow tcp from 65.96.185.189 1024-65535 to 24.128.1.81 53 out xmit xl0 02900 allow tcp from 24.128.1.81 53 to 65.96.185.189 1024-65535 in recv xl0 established 03000 allow tcp from any 1024-65535 to 65.96.185.189 80 in recv xl0 03100 allow tcp from 65.96.185.189 80 to any 1024-65535 out xmit xl0 established 03200 allow tcp from 65.96.185.189 1024-65535 to any 80 out xmit xl0 03300 allow tcp from any 80 to 65.96.185.189 1024-65535 in recv xl0 established 03400 allow tcp from any 1024-65535 to 65.96.185.189 443 in recv xl0 03500 allow tcp from 65.96.185.189 443 to any 1024-65535 out xmit xl0 established 03600 allow tcp from 65.96.185.189 1024-65535 to any 443 out xmit xl0 03700 allow tcp from any 443 to 65.96.185.189 1024-65535 in recv xl0 established *** Can't find server name for address 24.218.0.229: Timed out That last is the lookup you suggested, and I can confirm that it is directly before the news.ne.mediaone.net rule. The DNS servers are opened up for port 53 above, though (or so I think). Is there something else that is killing the name lookups? Thanks again! Lou -- Louis LeBlanc leblanc@acadia.ne.mediaone.net Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://acadia.ne.mediaone.net ԿԬ Human beings were created by water to transport it uphill. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011009005629.D589>