Hi Ruben,

Thanks much for the reply - comments inline...

> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
>
> This last rule is bogus. From ipfw(8):
>
>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>              This is the short form of ``tcpflags syn,!ack''.
>
> "setup" is not supposed to work for UDP packets. There is no handshake as
> in tcp connections.
Okay, I see what you mean about rule 00619 (probably explains why this rule
never appears in ipfw l), and as such, I have three questions based on rule
00619 being bogus:

1] Is this the reason why I am unable to query root-servers?

2] Do I remove it completely - would ipfw still be secure without it
completely?

3] If not, should I just amend as:

<BEFORE>
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

<AFTER>
Based on ipfw(8):
#######################################################################
A similar approach can be used for UDP, where an UDP packet coming from
the inside will install a dynamic rule to let the response through the
firewall:

    ipfw add check-state
    ipfw add allow udp from my-subnet to any
    ipfw add deny udp from any to any
########################################################################

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

CHANGE TO:

$fwcmd add allow udp from any to any 53 out via $oif
$fwcmd add deny udp from any to any 53 in via $oif

I'm basing the above amendments on:

I have a check-state at rule 00500.

From the make-up of my rule-set, I do not have a rule that explicitly
denies udp to port 53 per se. More clearly, I have these deny rules in
place at the moment:

$ grep -i deny fwrules
$fwcmd add 00020 deny log ip from me to any in
$fwcmd add 00030 deny log tcp from any to any in tcpflags syn,fin
$fwcmd add 00100 deny udp from any to any 520 in via $oif
$fwcmd add 00502 deny all from any to any frag
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00850 deny log ip from me to me in via $oif
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif
$fwcmd add 00900 deny log all from any to any in via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
$

None of which explicitly applies to DNS. I make this point as there *are*
udp packets I want to allow in via $oif - 137 - 139.

Thanks again for the reply Ruben.
If I'm not clear enough in my explanations, I'm quite happy to post my
complete rule-set to you (off-list) if you need it to get a better picture.

Cheers!

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> On Sun, Oct 27, 2002 at 03:24:07PM +0000, Stacey Roberts typed:
> > Hello,
> >     I don't know if this is related to a post earlier today [FBSD 4.7
> > reset itself - lots of "DENY UDP" messages in /var/log/security], but
> > I've been trying to troubleshoot the "DENY" messages in
> > /var/log/security using dig:
> >
> > # dig . ns @b.root-servers.net
> >
> > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> > ; (1 server found)
> > ;; res options: init recurs defnam dnsrch
> > ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection refused
> > #
> > I get connection refused for this. Checking security:
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP <snip>:1381 128.9.0.107:53 out via sis0
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1<snip>:1382 128.9.0.107:53 out via sis0
> > # <snip>
> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >
> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >
> > I'd appreciate someone helping me out here (or hitting me over the
> > head if I'm missing something simple and glaringly obvious).
> >
> > TIA
> >
> > Stacey
> >
> > --
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> >
> > Web: www.vickiandstacey.com
> >
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe freebsd-questions" in the body of the message

--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
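Added example, not part of the thread and not Stacey's rule-set or the ipfw(8) text: the stateful UDP/53 rules that rule 00619 was meant to express, kept beside the posted version, plus a small lint that rejects TCP-only options (setup, established, tcpflags) on udp rules before they are handed to ipfw. The dynamic entry the quoted ipfw(8) passage relies on is created by keep-state on the outbound rule and consumed by check-state on the way back in, so the reply needs no separate inbound allow. Assumptions not taken from the thread: the outside interface is sis0 (the interface in the log lines), and fwcmd defaults to "echo ipfw" so the script only prints what it would load; set fwcmd=/sbin/ipfw on the firewall to load the rules for real.

```shell
#!/bin/sh
# Added example (not Stacey's rule-set, not ipfw(8) text).
# Assumed: outside interface sis0; dry run via "echo ipfw" unless fwcmd is set.
oif="${oif:-sis0}"
fwcmd="${fwcmd:-echo ipfw}"

# The rule as posted. "setup" is short for "tcpflags syn,!ack", so it can
# only match a TCP SYN; combined with "udp" it can never match anything.
bogus_rule="add 00619 allow udp from any to any 53 out via $oif setup keep-state"

# Corrected rules, printed one per line (rule bodies only, no "ipfw" prefix).
# check-state at 00500 matches the DNS reply against the dynamic entry that
# keep-state on 00618/00619 installed for the outbound query, before the
# catch-all "deny ... in via $oif" further down the rule-set is reached.
# Drop the 00500 line if rc.firewall already carries it.
dns_rules() {
    cat <<EOF
add 00500 check-state
add 00618 allow tcp from any to any 53 out via $oif setup keep-state
add 00619 allow udp from any to any 53 out via $oif keep-state
EOF
}

# lint_rule RULE: return 1 if a udp rule carries a TCP-only option, else 0.
lint_rule() {
    case "$1" in
        *" udp "*" setup"*|*" udp "*" established"*|*" udp "*" tcpflags "*)
            echo "tcp-only option on a udp rule: $1" >&2
            return 1 ;;
    esac
    return 0
}

# lint_rules: lint every generated rule; status 1 if any rule fails.
lint_rules() {
    dns_rules | while read -r rule; do
        lint_rule "$rule" || exit 1
    done
}

# load_rules: refuse to load anything if lint fails, otherwise hand each
# rule to $fwcmd (echo by default, /sbin/ipfw on the firewall).
load_rules() {
    lint_rules || return 1
    dns_rules | while read -r rule; do
        $fwcmd $rule
    done
}

lint_rule "$bogus_rule" || echo "posted rule 00619 rejected, as expected" >&2
load_rules
```

Run it as-is to see the three rules ipfw would be given; on the firewall, `fwcmd=/sbin/ipfw sh dns-rules.sh` loads them, and `ipfw -d list` then shows the dynamic entry a `dig @b.root-servers.net . ns` creates while it is alive.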