Date: Fri, 30 Jul 1999 12:22:57 -0600
From: Oscar Bonilla <obonilla@fisicc-ufm.edu>
To: "David B. Aas" <dave@ciminot.com>
Cc: questions@freebsd.org, obonilla@fisicc-ufm.edu
Subject: Re: FW: Need consulting help with v3.2 firewall configuration
Message-ID: <19990730122256.A1784@fisicc-ufm.edu>
In-Reply-To: <000401bed9ff$44528860$0fc8a8c0@dave.ciminot.com>; from David B. Aas on Thu, Jul 29, 1999 at 03:16:38PM -0500
References: <000401bed9ff$44528860$0fc8a8c0@dave.ciminot.com>
AFAICS you're not allowing your clients to do DNS queries... see below
On Thu, Jul 29, 1999 at 03:16:38PM -0500, David B. Aas wrote:
> Whoops!
>
> I forgot to include my rules. Sorry for the extra email.
>
> # Setup system for firewall service.
> # $Id: rc.firewall,v 1.19.2.1 1999/02/10 18:08:38 jkh Exp $
> # Customized by Dave Aas 1999/07/20
>
> # Suck in the configuration variables.
> if [ -f /etc/defaults/rc.conf ]; then
> . /etc/defaults/rc.conf
> elif [ -f /etc/rc.conf ]; then
> . /etc/rc.conf
> fi
>
> # Flush out the list before we begin.
> ipfw -f flush
>
> # Divert internal ip addresses
> ipfw add 100 divert natd all from any to any via ${natd_interface}
>
> # Allow all outbound traffic
> ipfw add 150 allow all from any to any out
>
> # Only in rare cases do you want to change these rules
> ipfw add 200 pass all from any to any via lo0
> ipfw add 300 deny all from any to 127.0.0.0/8
>
> # Stop spoofing
> ipfw add 400 deny all from ${inet}:${imask} to any in via ${oif}
> ipfw add 500 deny all from ${onet}:${omask} to any in via ${iif}
>
> # Allow TCP through if setup succeeded
> ipfw add 600 pass tcp from any to any established
>
> # Allow setup of incoming email
> ipfw add 700 pass tcp from any to ${oip} 25 setup
> ipfw add 710 allow tcp from any to any 110 setup
>
> # Allow access to our DNS
> ipfw add 800 pass tcp from any to ${oip} 53 setup
this says let my machine talk to DNS servers on the internet for
zone transfers (TCP)
>
> # Allow access to our WWW
> ipfw add 900 pass tcp from any to ${oip} 80 setup
>
> # Other webserver traffic
> ipfw add 910 allow tcp from any to ${oip} 80 in via ${oif}
> ipfw add 920 allow tcp from any to ${oip} 3128 in via ${oif}
>
> # Allow setup of outgoing TCP connections only
> ipfw add 1000 allow tcp from ${oip}:${omask} to any setup
> ipfw add 1100 allow tcp from ${iip}:${imask} to any setup
>
> # Allow maintenance from CI
> ipfw add 1200 allow tcp from ${maintip} to ${oip} 21 setup
> ipfw add 1300 allow tcp from ${maintip} to ${oip} 23 setup
>
> # Allow DNS queries out in the world
> ipfw add 1400 pass udp from any 53 to ${oip}
> ipfw add 1500 pass udp from ${oip} to any 53
this says allow my server to ask DNS queries from the internet.
You should add a rule saying "let my clients do DNS queries"
I would change those previous two rules for
ipfw add 1400 pass udp from any 53 to any
ipfw add 1500 pass udp from any to any 53
regards,
-Oscar
--
For PGP Public Key: finger obonilla@fisicc-ufm.edu
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
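The rule-ordering point behind Oscar's suggestion can be checked without a FreeBSD box. The simulator below is an added example, not part of the thread and not ipfw itself: it walks a LAN client's DNS query and the resolver's reply through ipfw's first-match evaluation, once with Dave's rules 1400/1500 as quoted and once with Oscar's replacements. Only the rules that can match a UDP packet are modelled (the TCP-only rules never match UDP, so leaving them out does not change the verdict). Interface names, addresses, the inside client, the resolver and the NAT session table are constructed values; the final `deny` at 65535 is the usual rc.firewall default and is assumed here because it is not in the quoted excerpt. natd is modelled as keeping the client's source port, which real natd need not do; that simplification does not affect which rules match.

```python
"""Model ipfw first-match evaluation for the quoted rc.firewall DNS rules.

Constructed example: interface names, addresses, the NAT session table and
the default deny at 65535 are assumptions, not values from the thread.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Assumed values for the rc.conf variables used in the quoted rules.
OIF, IIF = "ed0", "ed1"                        # ${oif} outside, ${iif} inside (assumed)
OIP = "203.0.113.10"                           # ${oip}, documentation address
ONET, INET = "203.0.113.0/24", "10.0.0.0/24"   # ${onet}:${omask}, ${inet}:${imask}
NATD_IF = OIF                                  # ${natd_interface}
CLIENT, RESOLVER = "10.0.0.5", "198.51.100.53" # inside host and an outside DNS server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"
    via: str         # interface the packet is being checked on


@dataclass(frozen=True)
class Rule:
    """One ipfw rule reduced to the fields the quoted rules actually use."""
    num: int
    action: str                    # "allow", "deny" or "divert"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    direction: Optional[str] = None
    via: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto in ("all", p.proto))
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction)
                and (self.via is None or self.via == p.via))


def natd(p: Packet, sessions: dict) -> Packet:
    """Simplified natd: masquerade outbound packets behind OIP, un-map replies."""
    if p.direction == "out":
        sessions[p.sport] = p.src          # remember which inside host owns the port
        return replace(p, src=OIP)
    inside = sessions.get(p.dport)
    return replace(p, dst=inside) if inside and p.dst == OIP else p


def evaluate(rules, p: Packet, sessions: dict):
    """First match wins; a divert rewrites the packet and continues at the next rule."""
    for r in sorted(rules, key=lambda r: r.num):
        if not r.matches(p):
            continue
        if r.action == "divert":
            p = natd(p, sessions)
            continue
        return r.num, r.action
    return 65535, "deny"                   # assumed rc.firewall default


COMMON = [
    Rule(100, "divert", via=NATD_IF),                       # divert natd ... via ${natd_interface}
    Rule(150, "allow", direction="out"),                    # allow all from any to any out
    Rule(200, "allow", via="lo0"),
    Rule(300, "deny", dst="127.0.0.0/8"),
    Rule(400, "deny", src=INET, direction="in", via=OIF),   # anti-spoofing
    Rule(500, "deny", src=ONET, direction="in", via=IIF),
]
ORIGINAL = COMMON + [
    Rule(1400, "allow", proto="udp", sport=53, dst=OIP),    # pass udp from any 53 to ${oip}
    Rule(1500, "allow", proto="udp", src=OIP, dport=53),    # pass udp from ${oip} to any 53
]
AMENDED = COMMON + [
    Rule(1400, "allow", proto="udp", sport=53),             # pass udp from any 53 to any
    Rule(1500, "allow", proto="udp", dport=53),             # pass udp from any to any 53
]


def trace_client_query(rules):
    """Walk a client's query and the reply through the four ipfw checkpoints."""
    sessions = {}
    legs = [
        Packet("udp", CLIENT, 40000, RESOLVER, 53, "in", IIF),
        Packet("udp", CLIENT, 40000, RESOLVER, 53, "out", OIF),
        Packet("udp", RESOLVER, 53, OIP, 40000, "in", OIF),     # reply, still NAT'd
        Packet("udp", RESOLVER, 53, CLIENT, 40000, "out", IIF), # reply after un-mapping
    ]
    verdicts = []
    for leg in legs:
        num, action = evaluate(rules, leg, sessions)
        verdicts.append((leg.direction, leg.via, num, action))
        if action == "deny":
            break
    return verdicts


def evaluate_reply(rules):
    """Just the reply arriving on ${oif}, with a NAT session already established."""
    reply = Packet("udp", RESOLVER, 53, OIP, 40000, "in", OIF)
    return evaluate(rules, reply, {40000: CLIENT})


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("amended", AMENDED)):
        print(name, trace_client_query(rules), evaluate_reply(rules))
```

Two things fall out of the trace. The client's query is already dropped on its way in via the inside interface, because neither quoted rule names an inside source. And even a reply for the firewall's own session fails under the original rule 1400: the divert at rule 100 hands the packet to natd first, so by the time rule 1400 is evaluated the destination is the inside client, not ${oip}. Oscar's replacements match after that rewrite. They are stateless, though: anything with UDP source port 53 is admitted to any destination, which is the trade-off accepted when writing "from any 53 to any".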
