From owner-freebsd-questions Tue Feb 17 16:45:38 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA02086 for freebsd-questions-outgoing; Tue, 17 Feb 1998 16:45:38 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from blacksun.net.au (blacksun-gw.blacksun.net.au [202.21.8.125]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA01982 for ; Tue, 17 Feb 1998 16:44:46 -0800 (PST) (envelope-from ahill@blacksun.net.au)
Received: from blacksun.net.au (darkstar.blacksun.net.au [210.8.131.129]) by blacksun.net.au (8.8.5/8.8.5) with SMTP id JAA04929; Wed, 18 Feb 1998 09:43:27 +1100 (EST)
Date: Wed, 18 Feb 1998 09:43:26 +1100 (EST)
From: Anthony Hill
To: questions@FreeBSD.ORG
cc: doug@connect.com.au
Subject: keep state keyword for ipfw
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

What's a good way of allowing DNS queries and zone transfer requests out (and the responses back) through an ipfw filter?

As I understand it, a query goes from UDP port 53 to some random high UDP port on the name server. The name server then responds with a UDP packet from port 53 destined for the same high UDP port on the machine.

Using these ipfilter rules :-

# Pass out domain requests to our servers
#
pass out quick proto udp from any to nameserver/32 port = domain
#
# Keep the state and log domain requests going to other servers
#
pass out log first quick proto udp from any to any port = domain keep state

..I believe the "keep state" bit gets a temporary rule put in place that will allow UDP back from port 53 to the same port that the request went out on.

Sooo - does ipfw have functionality similar to ipfilter's keep state, and if not, how do you go about allowing the response back in?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
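The post above describes what an ipfilter "keep state" rule does for an outbound DNS query: the outbound packet creates a temporary entry, and only a reply that matches that entry is let back in. The following is an added example, written for this page and not code from the poster or from ipfilter or ipfw, that models that mechanism so the behaviour can be exercised. Everything in it is assumed for illustration: the addresses, the client ports, the 60-second state lifetime, and the policy of a single "pass out ... port = domain keep state" rule for both UDP and TCP (zone transfers run over TCP port 53, which is why TCP is included) with everything else inbound blocked. The packets are constructed, not captured.

```python
# Added example, not code from the original post: a minimal model of what an
# ipfilter "keep state" rule does for DNS traffic, so the temporary reverse
# rule described in the question can be tested. Addresses, ports and the
# 60-second lifetime are assumptions; the packets are constructed, not captured.
import time
from dataclasses import dataclass

DNS_PORT = 53
STATE_TTL = 60.0  # assumed lifetime of a state entry, in seconds


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (leaving the firewall) or "in" (arriving)


class StatefulFilter:
    """Policy: 'pass out proto {udp,tcp} from any to any port = domain keep state'
    plus an implicit 'block in all'. Replies get in only via the state table."""

    def __init__(self, now=time.time):
        self.now = now
        self.state = {}  # 5-tuple of the outbound packet -> expiry time

    @staticmethod
    def _tuple(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        # The tuple an inbound reply must match: src/dst and the ports swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self):
        t = self.now()
        for k in [k for k, exp in self.state.items() if exp <= t]:
            del self.state[k]

    def filter(self, p):
        """Return 'pass' or 'block' for packet p, updating the state table."""
        self._expire()
        if p.direction == "in":
            key = self._reverse(p)
            if key in self.state:
                self.state[key] = self.now() + STATE_TTL  # refresh on traffic
                return "pass"
            return "block"  # no matching outbound query: unsolicited packet
        if p.proto in ("udp", "tcp") and p.dport == DNS_PORT:
            self.state[self._tuple(p)] = self.now() + STATE_TTL
            return "pass"
        return "block"


def demo():
    """Run the constructed exchange and return the decisions in order."""
    clock = [1000.0]
    fw = StatefulFilter(now=lambda: clock[0])
    client, server, other = "192.0.2.10", "198.51.100.1", "203.0.113.9"
    query = Packet("udp", client, 4321, server, DNS_PORT, "out")
    reply = Packet("udp", server, DNS_PORT, client, 4321, "in")
    spoof = Packet("udp", other, DNS_PORT, client, 4321, "in")   # right port, wrong server
    axfr = Packet("tcp", client, 4322, server, DNS_PORT, "out")  # zone transfer
    axfr_reply = Packet("tcp", server, DNS_PORT, client, 4322, "in")
    out = []
    out.append(("reply before query", fw.filter(reply)))   # block
    out.append(("query out", fw.filter(query)))            # pass
    out.append(("spoofed reply", fw.filter(spoof)))        # block
    out.append(("real reply", fw.filter(reply)))           # pass
    out.append(("axfr out", fw.filter(axfr)))              # pass
    out.append(("axfr reply", fw.filter(axfr_reply)))      # pass
    clock[0] += STATE_TTL + 1                              # let the entries age out
    out.append(("reply after expiry", fw.filter(reply)))   # block
    return out


if __name__ == "__main__":
    for what, verdict in demo():
        print(f"{what:20s} {verdict}")
```

The point the model makes is that the temporary rule matches on the whole address/port pair, not just on "port 53 back to the high port": a packet from a different host to the same high port is dropped, a reply that arrives before any query (or after the entry has expired) is dropped, and nothing reaches the name server's high port except what the server was asked for. A stateless ipfw rule of the form "allow udp from any 53 to <host> 1024-65535" lets all of those through. Later ipfw versions (FreeBSD 4.0 onward) added `keep-state` and `check-state` to do the same kind of dynamic rule.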