Date: Tue, 10 May 2005 11:37:30 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: Fafa Hafiz Krantz <fteg@london.com>
Cc: questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
Message-ID: <Pine.GSO.4.62.0505101128120.11141@mail.ilrt.bris.ac.uk>
In-Reply-To: <20050510102350.78EB24BEAD@ws1-1.us4.outblaze.com>
References: <20050510102350.78EB24BEAD@ws1-1.us4.outblaze.com>
On Tue, 10 May 2005, Fafa Hafiz Krantz wrote:

> Ok, after having added that it seems that my DNS works.
> The same goes for my WWW and mail server.
>
> SSH servers are all OK to connect to.
>
> I have to wait like 5 minutes after booting my computer
> before I can connect to those certain FTP sites. What's
> that all about?
>
> > If you add the "query-source address * port 53;" to your named.conf
> > "options" section, that'll suffice; additionally, since your DNS query
> > source port is then predictable, you can drop it from the DNS and NTP
> > rule.
>
> What do you mean by that?

The rules I suggested are so that external machines can talk to your DNS server (querying about the domain it is authoritative for), and so that responses can get back to those machines.

Your nameserver, however, may also be trying to get requests out. When it does this, by default, it will use a random source-port. By specifying

options {
	query-source address * port 53;
}

in your named.conf, your nameserver will _also_ use port 53 as the source port on any requests _that it originates_. (That's the distinction.)

If you do this, then you won't need port 53 mentioned in your other "keep state" rule.

I suspect that this might actually be the cause of your transient FTP concern; you should try modifying your nameserver config before you go any further.

(This assumes that your resolv.conf is configured to use the local machine as a nameserver in the first instance. If that is not the case, then you will still need the port 53 clause in your "DNS and NTP" section, because other programs will use random ports in an attempt to get DNS queries out into the wild.)

> Anyway, it's pretty close to perfection now :)
>
> Jan, any idea how I can simplify my ruleset?
> Also, I'm wondering if I can move the NAT part down below the Outgoing
> so I can combine it with the Active FTP ruleset so they don't have to be
> spread throughout the conf. Thanks!

Your ruleset looks pretty simple, to be honest.
I'm afraid that where the specifics of PF are concerned, I know nothing: the advice I've given you is just generic firewall stuff :-/

It looks to me like your PF config is set up to use some kind of FTP proxy running on localhost:8021. On the other hand, I could be barking up the wrong tree completely; I've pretty much run out of useful things to say about this config.

Cheers,
jan

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck)
http://ioctl.org/jan/
Prolog in JavaScript: http://ioctl.org/logic/prolog-latest
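As an added, constructed illustration of the distinction Jan draws above (not part of the original thread, and not Fafa's actual ruleset, which is not shown here), the named.conf option beside the two shapes the outbound PF rule can take; the interface name and nameserver address are assumed. Fixing the source port makes every outgoing query predictable, which is exactly what later DNS source-port randomisation was introduced to prevent, so the narrower rule is a trade-off rather than a pure gain.

```conf
# --- named.conf fragment (constructed) ---
options {
	# Queries that named itself originates leave from source port 53
	# instead of a random high port.
	query-source address * port 53;
};

# --- pf.conf fragment (constructed) ---
ext_if  = "fxp0"         # assumed external interface
ns_addr = "192.0.2.10"   # assumed nameserver address (documentation range)

# Inbound: other machines query the zones this server is authoritative for,
# and the state entry lets the replies back out.
pass in  quick on $ext_if proto udp from any to $ns_addr port 53 keep state
pass in  quick on $ext_if proto tcp from any to $ns_addr port 53 flags S/SA keep state

# Outbound: queries the nameserver originates.
# Without query-source the source port is random, so the rule cannot pin
# it down and has to accept any source port:
#pass out quick on $ext_if proto udp from $ns_addr to any port 53 keep state
# With "query-source address * port 53" the source port is known and the
# rule can be narrowed to it:
pass out quick on $ext_if proto udp from $ns_addr port 53 to any port 53 keep state

# Other local programs still send queries from random ports, so if
# resolv.conf does not point at the local nameserver, the broader clause
# stays in the "DNS and NTP" section:
#pass out quick on $ext_if proto udp from any to any port { 53, 123 } keep state
```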