On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
From: Stacey Roberts <[EMAIL PROTECTED]>
To: Ruben de Groot <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED],
FreeBSD Questions <[EMAIL PROTECTED]>
Date: 27 Oct 2002 18:29:16 +0000

Okay,
I've been hacking about with my ipfw rules in order to nail this
down, but I'm still coming up against a wall here...
I've made this change:
# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state
#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state   <==== <COMMENTED THIS OUT>
$fwcmd add 00618 allow udp from any to any 53 out via $oif
You forgot keep-state. Your rule should be:
$fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state

^
|
PUT THIS IN INSTEAD

Now when I try to query a root-server, I still get stopped by the firewall:
# date
Sun Oct 27 18:19:35 GMT 2002
# dig . ns @b.root-servers.net

; <<>> DiG 8.3 <<>> . ns @b.root-servers.net ; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out

Checking logs:
# tail /var/log/security
<snip>
Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
#
The previous poster (see below) informed me that using setup /
keep-state with UDP is wrong. Given the changes I've made above, what
are the magic statements to allow me to query the root servers and allow
their responses back in?

TIA
Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
<snip>
> Verifying relevant ipfw rules:
> # Allow out access to Internet Domain name server
> $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

This last rule is bogus. From ipfw(8):

setup Matches TCP packets that have the SYN bit set but no ACK bit.
This is the short form of ``tcpflags syn,!ack''.

"setup" is not supposed to work for UDP packets. There is no handshake as in TCP connections.


> Checking ipfw rule 910:
> $fwcmd add 00910 deny log logamount 500 ip from any to any
>
> Why am I not able to query root servers, given my rules 00618 & 00619?
>
> I'd appreciate someone helping me out here (or hitting me over the
> head if I'm missing something simple and glaringly obvious)
>
> TIA
>
> Stacey
>
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
>
> Web: www.vickiandstacey.com
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com



--
Regards,
D. Penev
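For reference, the rule set the thread converges on, as an added example that none of the posters wrote: a dry-run sh script that emits the corrected outbound-DNS rules (TCP with setup keep-state, UDP with keep-state only, check-state ahead of the catch-all deny), plus a small parser for the "Deny UDP" log line quoted above so a blocked reply can be read off as rule, protocol, endpoints, direction and interface. Rule numbers 00617, 00618 and 00900 and the interface sis0 come from the thread; the check-state rule number 00600, the FWCMD and OIF variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. FWCMD defaults to 'echo ipfw' so the
# rules are printed rather than loaded; set FWCMD=/sbin/ipfw to apply them.
FWCMD="${FWCMD:-echo ipfw}"
OIF="${OIF:-sis0}"      # outbound interface, taken from the quoted log line

# Corrected outbound-DNS rules. 'setup' (SYN without ACK) only makes sense
# for TCP; the UDP rule gets keep-state alone, so the server's reply is
# matched by the dynamic rule created when the query went out. check-state
# consults those dynamic rules explicitly, before the catch-all deny.
dns_rules() {
    $FWCMD add 00600 check-state
    $FWCMD add 00617 allow tcp from any to any 53 out via "$OIF" setup keep-state
    $FWCMD add 00618 allow udp from any to any 53 out via "$OIF" keep-state
    $FWCMD add 00900 deny log logamount 500 ip from any to any
}

# Parse one ipfw deny line such as
#   ... ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
# and print "rule proto src dst direction iface"; prints nothing when the
# line is not an ipfw deny record.
parse_deny() {
    printf '%s\n' "$1" |
    sed -n 's/.*ipfw: \([0-9][0-9]*\) Deny \([A-Z][A-Z]*\) \([^ ]*\) \([^ ]*\) \([a-z][a-z]*\) via \([^ ]*\).*/\1 \2 \3 \4 \5 \6/p'
}

# Succeeds when a denied packet is an inbound packet from source port 53,
# i.e. a DNS reply to a query whose outbound rule created no dynamic state.
# Returns 1 for any other packet and 2 for a line that does not parse.
is_dns_reply() {
    set -- $(parse_deny "$1")
    [ "$#" -eq 6 ] || return 2
    case "$3" in *:53) ;; *) return 1 ;; esac
    [ "$5" = "in" ]
}

# Stand-alone run: print the rules, then classify the line from the thread
# (constructed copy of the log line quoted above).
dns_rules
LINE='Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0'
if is_dns_reply "$LINE"; then
    echo "blocked DNS reply: $(parse_deny "$LINE")"
fi
```

Without keep-state on the UDP rule no dynamic rule exists, so the datagram from 128.9.0.107:53 back to 192.168.1.8:1642 matches nothing until the final deny, which is exactly the rule 900 line in /var/log/security. ipfw also checks the dynamic ruleset at the first keep-state rule it meets if there is no check-state, so the explicit check-state is there to make the ordering visible rather than to change behaviour.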
