From owner-freebsd-questions@FreeBSD.ORG Mon Jan 17 20:42:26 2005
From: "Alvaro J. Gurdián"
Date: Mon, 17 Jan 2005 15:41:42 -0500
To: "Alvaro J. Gurdián"
Cc: FreeBSD-Questions Questions
Subject: Re: IPF firewalling
References: <20050116153513.WNGG29966.viefep20-int.chello.at@hyperduron>
Message-Id: <3234D062-68C8-11D9-BEF4-000A9592DF7A@lanoticia.com>

correction, I meant

pass out quick on rl0 proto tcp from any to any port = 53 keep state frags
pass out quick on rl0 proto udp from any to any port = 53 keep state frags

I did it in kind of a hurry.

On Jan 17, 2005, at 3:33 PM, Alvaro J. Gurdián wrote:

> If you compiled your kernel, and added options IPFILTER_DEFAULT_BLOCK,
> then you need to explicitly allow each service to leave the interface,
> as well as come in thru the interface.
> For example add:
>
> pass in quick proto tcp from any to any port = 53 keep state keep keep
> state frags
> pass in quick proto udp from any to any port = 53 keep state keep frags
>
> this allows the computer to attempt to contact the DNS server
> upstream from it.
>
> Hope this helps,
> Alvaro Gurdián Jr.
>
>
> On Jan 16, 2005, at 10:35 AM, Kövesdán Gábor wrote:
>
>> Hi,
>>
>> I have some trouble with the ipf configuration. I made the following
>> ruleset:
>>
>> pass in quick on rl0 proto udp from any to any port = 68 keep state
>> pass in quick proto udp from any to any port = 53 keep state keep frags
>> pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
>> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
>> pass in quick on rl0 proto tcp from any to any port = 25 keep state
>> pass in quick on rl0 proto tcp from any to any port = 21 keep state
>> pass in quick on rl0 proto tcp from any to any port = 20 keep state
>> pass in quick on rl0 proto tcp from any to any port = 80 keep state
>>
>>
>> block return-rst in log quick on rl0 proto tcp from any to any
>> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
>> block in quick on rl0 all
>>
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>>
>>
>>
>> Everything seems okay, but the named. Neither the ISP's nameserver (set by
>> the dhcp) nor the local nameserver works.
>> BIND 9 wrote this to /var/log/messages:
>>
>> Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: not listening on any interfaces
>> Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>>
>>
>> The rndc doesn't matter, I'm not going to use it, but neither can named
>> listen on the network nor on the loopback interface. Could you suggest
>> any solution for this trouble? Btw, this machine is going to be a web,
>> dns, mail, etc. server and is being tested on an ordinary cable connection,
>> that's why I'm using dhcp.
>>
>> Best regards,
>>
>> Gábor Kövesdán
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
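The thread's point is that a kernel built with options IPFILTER_DEFAULT_BLOCK drops unmatched packets in both directions, so a ruleset that only has "pass in" rules leaves the host unable to start any connection of its own, DNS lookups included. The ruleset below is an added example written for this page; it is not the thread's ruleset and not from the IPFilter project or documentation. It generalizes the correction above from DNS to every service the original ruleset mentions, and it assumes the interface name rl0 from the thread, that the host is a DHCP client, and that logged "block out" rules are wanted for visibility; the ftp-data and DHCP out rules are assumptions about what such a host needs, not something the thread states.

```ipf
# Added example, not from the thread: a minimal /etc/ipf.rules for a host
# built with options IPFILTER_DEFAULT_BLOCK. Every rule uses "quick", so
# the first match wins and order matters. rl0 is assumed from the thread.

# Loopback: unrestricted in both directions.
pass in quick on lo0 all
pass out quick on lo0 all

# DHCP client (assumption: host gets its address by DHCP, as in the thread).
# The lease request leaves from port 68 to port 67; with a default-block
# kernel it needs its own out rule, and the reply still needs the in rule.
pass out quick on rl0 proto udp from any port = 68 to any port = 67 keep state
pass in quick on rl0 proto udp from any to any port = 68 keep state

# Outbound DNS: the rules the original ruleset lacked. "keep state" lets
# the reply back in without a separate in rule; "keep frags" is written as
# its own clause, the form ipf.conf(5) documents.
pass out quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
pass out quick on rl0 proto udp from any to any port = 53 keep state keep frags

# Inbound services this host offers (dns, ssh, smtp, ftp, http).
pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state keep frags
pass in quick on rl0 proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 25 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state

# Active-mode FTP data connections originate from this host on port 20
# (assumption: the FTP server is used in active mode), so under default
# block they need an out rule rather than the "pass in ... port = 20" rule.
pass out quick on rl0 proto tcp from any port = 20 to any flags S keep state

# Everything else: explicit, logged blocks in both directions, so the
# default policy shows up in ipmon output instead of dropping silently.
block return-rst in log quick on rl0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
block in log quick on rl0 all
block out log quick on rl0 all
```

Load it with `ipf -Fa -f /etc/ipf.rules` and list the loaded in and out rules with `ipfstat -io`; the "block out log" rule at the end is what makes a missing out rule visible, because a host built with IPFILTER_DEFAULT_BLOCK otherwise drops its own outbound packets without a trace. Note that the named log lines quoted in the thread ("address in use", "permission denied") are socket bind errors returned by the kernel to named when it tries to listen; a packet filter rule neither causes nor fixes those, so the listening problem has to be checked separately from the ruleset.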