From: Joe Sotham
To: freebsd-questions@freebsd.org
Date: Sun, 27 Apr 2003 08:59:22 -0700 (PDT)
Subject: modifying ipfw rules to accompany dnscache install

My firewall starts with the "everything denied" principle. I was using the following rules to allow UDP packets to/from my private network; dns1 and dns2 are my service provider's nameserver IP addresses.

    ${fwcmd} add 400 pass udp from any to ${dns1} 53
    ${fwcmd} add 400 pass udp from any to ${dns2} 53
    ${fwcmd} add 400 pass udp from ${dns1} 53 to any
    ${fwcmd} add 400 pass udp from ${dns2} 53 to any

After installing dnscache I have had to open the ruleset up a little. I am wondering if the following rule can be tightened up a little.

    ${fwcmd} add 400 pass udp from any to any 53 keep-state

-- 
Joe Sotham
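One way to tighten the stateful rule above, as an added example that is not part of the original post: dnscache recurses on its own, so the firewall host does need to reach port 53 on arbitrary servers, but the source can be pinned to the host itself (`me`), the direction to outbound on the outside interface, and LAN client traffic to the inside interface. The interface names `ed0`/`ed1`, the LAN prefix and the assumption that dnscache runs on the firewall and serves the LAN are placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): a tighter replacement for
#   ${fwcmd} add 400 pass udp from any to any 53 keep-state
# on a FreeBSD ipfw box that runs dnscache as the LAN's caching resolver.
# Assumptions (not stated in the post): dnscache runs on this host, LAN
# clients query it, and it recurses, so it must reach any server on 53,
# but only from this host and only outbound.
fwcmd="${fwcmd:-echo /sbin/ipfw}"  # dry run by default; set fwcmd=/sbin/ipfw to apply
oif="${oif:-ed0}"                  # outside interface (placeholder name)
iif="${iif:-ed1}"                  # inside interface (placeholder name)
inet="${inet:-192.168.0.0/24}"     # LAN prefix (placeholder)

dns_rules() {
    # Consult the dynamic (stateful) table before the static rules below,
    # so replies are accepted even if an earlier deny would otherwise hit.
    ${fwcmd} add 390 check-state
    # dnscache's own recursive queries: only this host, only outbound on
    # the outside interface; the reply comes back via the dynamic rule.
    ${fwcmd} add 400 pass udp from me to any 53 out via ${oif} keep-state
    # LAN clients asking dnscache, and its answers back to them; both
    # ends are fully specified, so no state is needed here.
    ${fwcmd} add 410 pass udp from ${inet} to me 53 in via ${iif}
    ${fwcmd} add 420 pass udp from me 53 to ${inet} out via ${iif}
    # Anything else on 53 (outside hosts probing the resolver, LAN hosts
    # bypassing the cache) is logged and dropped.
    ${fwcmd} add 430 deny log udp from any to any 53
}

dns_rules
```

Run as-is to print the rules; only the single `keep-state` rule is sourced from `me`, so an outside host can no longer open a "from any" dynamic entry on port 53.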