Date: Sun, 1 Aug 2004 01:43:13 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: JJB <Barbish3@adelphia.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Firewall Rule Set not allowing access to DNS servers?
Message-ID: <20040731224313.GA1048@gothmog.gr>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGEEDEGIAA.Barbish3@adelphia.net>
References: <20040731173613.GA30298@gothmog.gr> <MIEPLLIBMLEEABPDBIEGEEDEGIAA.Barbish3@adelphia.net>
[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <Barbish3@adelphia.net> wrote:
> Giorgos Keramidas wrote on July 31, 2004 1:36 PM
>> On 2004-07-31 12:08, "James A. Coulter" <james.coulter@cox.net> wrote:
>>> My LAN is configured with static IP addresses, 192.168.1.x.
>>>
>>> I have no problems communicating within the LAN.
>>>
>>> I have full connectivity with the internet from every machine on
>>> my LAN when the firewall is open.
>>>
>>> When I use the rule set in question, I can ping and send mail but
>>> I cannot access the DNS servers listed in resolv.conf.
>>
>> There are many ways in which your ruleset might break. Two of the
>> most important comments I wanted to make when I first saw the posts
>> of this thread are: [...]
>>
>> b) Why do you use so many rules that 'filter' outgoing traffic?
>>
>> I saw smtp, pop3, time, http, https and many others. You
>> don't need to explicitly allow outgoing connections unless
>> the users in the internal LAN are not to be trusted at all
>> and even then IPFW is most of the time not the right way to
>> do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your
posts and available online at:

    http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be
cool if it was somehow incorporated into the Handbook. It's not yet,
but I like most of the text so I hope it gets converted to SGML and
added to the Handbook either in parts or as a whole.

If by "... which explains in detail why..." you refer to this particular
quote from that document, I'm not sure that it is always a good idea,
but that's my own opinion:

    "The Outbound section in the following rule set only contains
    `pass' rules which contain selection values that uniquely identify
    the service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be
limited and/or controlled in a more or less strict manner, it looks
like a great idea. At home, where a couple of machines share a single
Internet connection through a dialup or DSL line, this might be a bit
too limiting ;-)

- Giorgos
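The symptom reported in the thread (ping and mail work, the nameservers in resolv.conf do not) is what a per-service outbound ruleset produces when it has no rule for port 53. The Python below is an added example and not code from this thread or from the linked guide: it evaluates a constructed, simplified ipfw-like rule list (first match wins, implicit final deny; interface and keep-state options are left out) against the nameservers of a constructed resolv.conf, and shows the same check passing once UDP and TCP 53 are allowed.

```python
import ipaddress

# Constructed resolv.conf (example values, not from the thread).
RESOLV_CONF = "domain example.net\nnameserver 192.0.2.53\nnameserver 198.51.100.53\n"

# Constructed outbound rules in a simplified ipfw-like form
# ("<action> <proto> from <src> to <dst> [dst-port]"); interface and
# keep-state options are left out. First match wins, implicit final deny.
OUTBOUND_BEFORE = [
    "allow icmp from 192.168.1.0/24 to any",     # ping works
    "allow tcp from 192.168.1.0/24 to any 25",   # smtp works
    "allow tcp from 192.168.1.0/24 to any 80",   # http
    "allow tcp from 192.168.1.0/24 to any 443",  # https
]
# The same list plus the two rules the per-service approach needs for DNS.
OUTBOUND_AFTER = OUTBOUND_BEFORE + [
    "allow udp from 192.168.1.0/24 to any 53",   # ordinary lookups
    "allow tcp from 192.168.1.0/24 to any 53",   # truncated answers retried over TCP
]

def nameservers(resolv_conf):
    """Addresses from the 'nameserver' lines of a resolv.conf text."""
    return [l.split()[1] for l in resolv_conf.splitlines() if l.startswith("nameserver")]

def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, proto, src, dst, dport=None):
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for rule in rules:
        f = rule.split()
        action, rproto, rsrc, rdst = f[0], f[1], f[3], f[5]
        rport = int(f[6]) if len(f) > 6 else None
        if rproto not in (proto, "ip"):
            continue
        if not (_addr_matches(rsrc, src) and _addr_matches(rdst, dst)):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"

def blocked_resolvers(rules, resolv_conf, client="192.168.1.10"):
    """(nameserver, proto) pairs the outbound rules would not let through on port 53."""
    return [(ns, proto) for ns in nameservers(resolv_conf) for proto in ("udp", "tcp")
            if evaluate(rules, proto, client, ns, 53) != "allow"]

if __name__ == "__main__":
    print("before:", blocked_resolvers(OUTBOUND_BEFORE, RESOLV_CONF))
    print("after: ", blocked_resolvers(OUTBOUND_AFTER, RESOLV_CONF))
```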