Date:      Tue, 9 Oct 2001 00:56:30 -0400
From:      Louis LeBlanc <leblanc+freebsd@smtp.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.org, freebsd-questions@FreeBSD.org
Subject:   Re: ipfw question - hostname/address spec?
Message-ID:  <20011009005629.D589@acadia.ne.mediaone.net>
In-Reply-To: <20011004135129.E297@blossom.cjclark.org>
References:  <20011004071834.A2458@acadia.ne.mediaone.net> <20011004135129.E297@blossom.cjclark.org>

On 10/04/01 01:51 PM, Crist J. Clark sat at the `puter and typed:
> So, if you type,
> 
>   % dig news.ne.mediaone.net
> 
> Before you run the script, it works? Even if it does, there would not
> happen to be an 'ipfw -f flush' rule at the top of your script? Are
> the DNS port opened up in the script before these rules with
> hostnames? Look up the names in the script right before the rules to
> see if they work,
> 
>   host $NEWS_SERVER
>   ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 \
>            via $EXT_INTERFACE out
>   ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \
>            via $EXT_INTERFACE in  established


Hey Crist.  Sorry for asking for help then disappearing.

I tried your suggestions, trying also to remove some of the more
paranoid firewall rules.  I also did an echo of the nameservers and
IPADDR early on in the script.  Unfortunately, I am unfamiliar enough
with ipfw, that I can't tell which rule is killing me.

Even if I simply change all name based rules to 'any', I have no
connectivity whatsoever, even by direct ip.  If you need, I can
provide ipfw show output, but I suspect I am giving you more than
enough as it is.

I don't expect an immediate answer because I am giving you such a load
of data and I suspect you have a life outside this list, but I
*certainly appreciate* any help you may provide.

It is a boatload of output, but this is what I see:

# dig news.ne.mediaone.net

; <<>> DiG 8.3 <<>> news.ne.mediaone.net 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUERY SECTION:
;;      news.ne.mediaone.net, type = A, class = IN

;; ANSWER SECTION:
news.ne.mediaone.net.   10M IN A        24.128.8.202

;; AUTHORITY SECTION:
news.ne.mediaone.net.   10M IN NS       ndpxy01.ne.mediaone.net.

;; ADDITIONAL SECTION:
ndpxy01.ne.mediaone.net.  54m14s IN A  24.128.60.7

;; Total query time: 21 msec
;; FROM: acadia.ne.mediaone.net to SERVER: default -- 24.218.0.229
;; WHEN: Tue Oct  9 00:40:20 2001
;; MSG SIZE  sent: 38  rcvd: 92

# sh /etc/rc.firewall
Starting firewalling...
IPADDR: 65.96.185.189
NAMESERVER_1: 24.218.0.229
NAMESERVER_2: 24.218.0.228
NAMESERVER_3: 24.128.1.81
00100 allow ip from any to any in recv lo0
00200 allow ip from any to any out xmit lo0
00300 allow ip from 10.8.20.0/24 to any in recv fxp0
00400 allow ip from any to 10.8.20.0/24 out xmit fxp0
00500 allow ip from 209.192.210.0/24 to 65.96.185.189 in recv xl0
00600 allow ip from 209.58.140.0/24 to 65.96.185.189 in recv xl0
00700 divert 8668 ip from any to any via xl0
00800 deny log logamount 10 ip from 255.255.255.255 to any in recv xl0
00900 deny log logamount 10 ip from any to 0.0.0.0 in recv xl0
01000 deny log logamount 10 tcp from any to any 2049 in recv xl0 setup
01100 unreach host tcp from any to any 2049 out xmit xl0 setup
01200 deny log logamount 10 tcp from any to any 6000-6063 in recv xl0 setup
01300 unreach host tcp from any to any 6000-6063 out xmit xl0 setup
01400 deny log logamount 10 tcp from any to any 1080 in recv xl0 setup
01500 unreach host tcp from any to any 1080 out xmit xl0 setup
01600 deny log logamount 10 udp from any to any 2049 in recv xl0
01700 deny log logamount 10 udp from any 32769-65535 to any 33434-33523 in recv xl0
01800 allow udp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0
01900 allow udp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0
02000 allow tcp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0
02100 allow tcp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0 established
02200 allow udp from 65.96.185.189 1024-65535 to 24.218.0.228 53 out xmit xl0
02300 allow udp from 24.218.0.228 53 to 65.96.185.189 1024-65535 in recv xl0
02400 allow tcp from 65.96.185.189 1024-65535 to 24.218.0.228 53 out xmit xl0
02500 allow tcp from 24.218.0.228 53 to 65.96.185.189 1024-65535 in recv xl0 established
02600 allow udp from 65.96.185.189 1024-65535 to 24.128.1.81 53 out xmit xl0
02700 allow udp from 24.128.1.81 53 to 65.96.185.189 1024-65535 in recv xl0
02800 allow tcp from 65.96.185.189 1024-65535 to 24.128.1.81 53 out xmit xl0
02900 allow tcp from 24.128.1.81 53 to 65.96.185.189 1024-65535 in recv xl0 established
03000 allow tcp from any 1024-65535 to 65.96.185.189 80 in recv xl0
03100 allow tcp from 65.96.185.189 80 to any 1024-65535 out xmit xl0 established
03200 allow tcp from 65.96.185.189 1024-65535 to any 80 out xmit xl0
03300 allow tcp from any 80 to 65.96.185.189 1024-65535 in recv xl0 established
03400 allow tcp from any 1024-65535 to 65.96.185.189 443 in recv xl0
03500 allow tcp from 65.96.185.189 443 to any 1024-65535 out xmit xl0 established
03600 allow tcp from 65.96.185.189 1024-65535 to any 443 out xmit xl0
03700 allow tcp from any 443 to 65.96.185.189 1024-65535 in recv xl0 established
*** Can't find server name for address 24.218.0.229: Timed out

That last is the lookup you suggested, and I can confirm that it is
directly before the news.ne.mediaone.net rule.  The DNS servers are
opened up for port 53 above, though (or so I think).  Is there
something else that is killing the name lookups?

Thanks again!
Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Human beings were created by water to transport it uphill.
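A first-match rule evaluator, added here as an illustration and not part of the original thread: it replays constructed resolver packets against a subset of the ipfw listing above (plus an assumed default-deny rule 65535, which the listing does not show) and reports which rule decides each packet. The parser, the packet dicts and the `dns_packet` helper are my own construction and cover only the rule options that appear in the post.

```python
import re
from ipaddress import ip_address, ip_network

# Subset of the 'ipfw show' listing in the post plus an assumed final default-deny rule.
RULES = """\
00700 divert 8668 ip from any to any via xl0
01800 allow udp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0
01900 allow udp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0
02100 allow tcp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0 established
65535 deny ip from any to any
"""
RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|deny|divert)(?: \d+| log logamount \d+)?"
    r" (?P<proto>ip|tcp|udp) from (?P<src>\S+)(?: (?P<sport>\d+(?:-\d+)?))?"
    r" to (?P<dst>\S+)(?: (?P<dport>\d+(?:-\d+)?))?(?P<opts>.*)$")

def parse(text):
    rules = [RULE_RE.match(line).groupdict() for line in text.splitlines()]
    for r in rules:                      # opts: trailing keywords such as "in recv xl0"
        r["opts"] = r["opts"].split()
    return rules

def port_ok(spec, port):                 # spec: None (any), "53" or "1024-65535"
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(r, pkt):
    """One rule against one packet dict; only the options used in RULES are handled."""
    o = r["opts"]
    ok = r["proto"] in ("ip", pkt["proto"])
    for spec, addr in ((r["src"], pkt["src"]), (r["dst"], pkt["dst"])):
        ok = ok and (spec == "any" or ip_address(addr) in ip_network(spec, strict=False))
    ok = ok and port_ok(r["sport"], pkt["sport"]) and port_ok(r["dport"], pkt["dport"])
    ok = ok and not (("in" in o and pkt["dir"] != "in") or ("out" in o and pkt["dir"] != "out"))
    ok = ok and all(kw not in o or o[o.index(kw) + 1] == pkt["iface"] for kw in ("recv", "xmit", "via"))
    return ok and ("established" not in o or pkt["established"])

def verdict(rules, pkt):
    """First-match evaluation; a divert rule hands the packet back at the next rule."""
    for r in rules:
        if r["action"] != "divert" and matches(r, pkt):
            return r["action"], int(r["num"])
    return "deny", None                  # fell off the end: implicit deny

def dns_packet(host_port, direction, proto="udp", established=False):
    """Constructed resolver traffic between the host and NAMESERVER_1 from the post."""
    host, ns, out = "65.96.185.189", "24.218.0.229", direction == "out"
    return {"proto": proto, "dir": direction, "iface": "xl0", "established": established,
            "src": host if out else ns, "sport": host_port if out else 53,
            "dst": ns if out else host, "dport": 53 if out else host_port}

RULESET = parse(RULES)
```

Running `verdict(RULESET, dns_packet(53, "out"))` shows that a resolver querying from source port 53 falls through to the default deny, whereas the same query from an unprivileged port is allowed by rule 01800.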

