Date: Mon, 17 Jan 2005 15:41:42 -0500
From: "Alvaro J. Gurdián" <AJGurdian@lanoticia.com>
To: "Alvaro J. Gurdián" <AJGurdian@lanoticia.com>
Cc: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: Re: IPF firewalling
Message-ID: <3234D062-68C8-11D9-BEF4-000A9592DF7A@lanoticia.com>
In-Reply-To: <FB5C0C34-68C6-11D9-BEF4-000A9592DF7A@lanoticia.com>
References: <20050116153513.WNGG29966.viefep20-int.chello.at@hyperduron> <FB5C0C34-68C6-11D9-BEF4-000A9592DF7A@lanoticia.com>
correction, I meant

pass out quick on rl0 proto tcp from any to any port = 53 keep state frags
pass out quick on rl0 proto udp from any to any port = 53 keep state frags

I did it in kind of a hurry.

On Jan 17, 2005, at 3:33 PM, Alvaro J. Gurdián wrote:

> If you compiled your kernel, and added options IPFILTER_DEFAULT_BLOCK,
> then you need to explicitly allow each service to leave the interface,
> as well as come in thru the interface. For example add:
>
> pass in quick proto tcp from any to any port = 53 keep state keep frags
> pass in quick proto udp from any to any port = 53 keep state keep frags
>
> this allows the computer to attempt to contact the DNS server
> upstream from it.
>
> Hope this helps,
> Alvaro Gurdián Jr.
>
>
> On Jan 16, 2005, at 10:35 AM, Kövesdán Gábor wrote:
>
>> Hi,
>>
>> I have some trouble with the ipf configuration. I made the following
>> ruleset:
>>
>> pass in quick on rl0 proto udp from any to any port = 68 keep state
>> pass in quick proto udp from any to any port = 53 keep state keep frags
>> pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
>> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
>> pass in quick on rl0 proto tcp from any to any port = 25 keep state
>> pass in quick on rl0 proto tcp from any to any port = 21 keep state
>> pass in quick on rl0 proto tcp from any to any port = 20 keep state
>> pass in quick on rl0 proto tcp from any to any port = 80 keep state
>>
>> block return-rst in log quick on rl0 proto tcp from any to any
>> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
>> block in quick on rl0 all
>>
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>>
>> Everything seems okay, but the named. Neither the ISP's nameserver (set by
>> the dhcp) nor the local nameserver works. BIND 9 wrote this to /var/log/messages:
>>
>> Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: not listening on any interfaces
>> Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>>
>> The rndc doesn't matter, I'm not going to use it, but neither can named
>> listen on the network and the loopback interface. Could you suggest me any
>> solution for this trouble? Btw, this machine is going to be a web, dns,
>> mail, etc. server and is being tested on an ordinary cable connection,
>> that's why I'm using dhcp.
>>
>> Best regards,
>>
>> Gábor Kövesdán
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
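As an added illustration (not code from the thread or from ipf itself), a toy model of ipf's rule walk over the ruleset Gábor posted, with Alvaro's outbound DNS rules appended: under IPFILTER_DEFAULT_BLOCK a packet matching no rule is blocked, so an outbound query to port 53 on rl0 is dropped until a `pass out` rule exists. It assumes only the small subset of ipf.conf syntax used in this thread and a constructed packet representation (dir, iface, proto, dport); the rule list is trimmed to the lines needed for the demonstration.

```python
# Constructed from the ruleset Gábor posted (ports 20/21/25/68/80 omitted for brevity).
ORIGINAL_RULES = """
pass in quick proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
block return-rst in log quick on rl0 proto tcp from any to any
block in quick on rl0 all
pass out quick on lo0 all
"""
# Alvaro's corrected outbound DNS rules, as written in his reply.
DNS_OUT_RULES = """
pass out quick on rl0 proto tcp from any to any port = 53 keep state frags
pass out quick on rl0 proto udp from any to any port = 53 keep state frags
"""

def parse_rule(line):
    # Only the keywords used in this thread are modelled (toy parser).
    toks = line.split()
    if not toks or toks[0] not in ("pass", "block"):
        return None  # blank line or a statement this parser does not handle
    rule = {"action": toks[0], "dir": None, "quick": "quick" in toks,
            "iface": None, "proto": None, "port": None}
    for i, t in enumerate(toks):
        if t in ("in", "out") and rule["dir"] is None:
            rule["dir"] = t
        elif t == "on":
            rule["iface"] = toks[i + 1]
        elif t == "proto":
            rule["proto"] = toks[i + 1].split("/")  # "tcp/udp" matches both
        elif t == "port" and toks[i + 1] == "=":
            rule["port"] = int(toks[i + 2])
    return rule

def load(*texts):
    return [r for text in texts for r in map(parse_rule, text.splitlines()) if r]

def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and rule["port"] in (None, pkt["dport"]))

def evaluate(rules, pkt):
    # ipf: last match wins unless a matching rule says "quick"; no match at
    # all is a block because the kernel has options IPFILTER_DEFAULT_BLOCK.
    decision = "block"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule["action"]
            if rule["quick"]:
                break
    return decision
```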