Mark wrote:
        This is really wonky!  I've tried all sorts of variations on the
following rules:

        add pass tcp from any 53 to 10.0.0.0/24
        add pass udp from any 53 to 10.0.0.0/24
        add pass tcp from 10.0.0.0/24 to any 53
        add pass udp from 10.0.0.0/24 to any 53

I'm assuming that you're not running a DNS cache on the firewall? So make sure these rules come _after_ the divert rule.

You'll need keep-state's on the udp rules.  Although tcp port 53 is
registered to DNS, I've never actually seen it used.  Here are some
rules to try:

add pass udp from 10.0.0.0/24 to any 53 keep-state
add pass udp from any to any 53 keep-state via xx0 out

(replace xx0 with the name of your external interface)
The first should allow any DNS query initiated by your internal network to
pass into the firewall.  The keep-state allows anything that was able to
pass in to pass back out.  The second rule allows anything that gets into
your firewall to get out via the correct interface, and the keep state
makes sure it can get back in.

If you still have problems after this, post the entire firewall ruleset
(the output of 'ipfw show' after you've been trying DNS for a few minutes
would be most useful). It's hard to diagnose firewall problems without
all the rules to compare their interaction with each other.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
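As an added example (not code from Bill's or Mark's messages), here is the rule fragment described above written the way a FreeBSD rc.firewall script would load it: the divert rule first, a check-state rule, then stateful UDP (and TCP) port 53 rules, plus a small check that a ruleset listing really has the divert rule numbered below the DNS pass rules. The external interface xx0 and the 10.0.0.0/24 network come from the thread; the rule numbers, natd on its default port 8668, and the helper names are my assumptions. With fwcmd left at its default of echo it is a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not part of the original thread. Loads stateful DNS rules
# on a FreeBSD ipfw/natd firewall in rc.firewall style.
# Assumptions: xx0 is the external interface, 10.0.0.0/24 the internal net,
# natd listens on its default divert port 8668, rule numbers are arbitrary.
#
# fwcmd defaults to "echo" so running this prints the rules instead of
# loading them; set fwcmd=/sbin/ipfw on the real firewall.
fwcmd="${fwcmd:-echo}"

# dns_rules OIF INET [NATPORT]: emit the ruleset through $fwcmd.
dns_rules() {
    oif="$1"                  # external interface
    inet="$2"                 # internal network
    natport="${3:-8668}"      # natd divert port (assumed default)

    # The divert rule must come before the pass rules, so that replies
    # coming back in are un-NATed before the stateful lookup sees them.
    $fwcmd add 100 divert "$natport" ip from any to any via "$oif"

    # Match packets that belong to an already-created dynamic rule.
    $fwcmd add 200 check-state

    # A query from the inside: keep-state creates the dynamic rule that
    # lets the reply come back.
    $fwcmd add 300 pass udp from "$inet" to any 53 keep-state

    # The same query leaving on the outside interface (after NAT):
    # keep-state again, so the reply gets back in on that interface.
    $fwcmd add 310 pass udp from any to any 53 out via "$oif" keep-state

    # TCP 53 is rarely used, but a resolver falls back to it on truncated
    # replies; "setup" only lets the inside open the connection.
    $fwcmd add 320 pass tcp from "$inet" to any 53 setup keep-state
    $fwcmd add 330 pass tcp from any to any 53 out via "$oif" setup keep-state
}

# divert_before_dns: read a ruleset on stdin (the dry-run output above, or
# "ipfw show"/"ipfw list" output) and return 0 only if the divert rule is
# numbered below every port-53 pass rule, which is the ordering the
# thread calls for.
divert_before_dns() {
    awk '
        { n = ($1 == "add") ? $2 + 0 : $1 + 0 }      # rule number
        /divert/ { if (dv == "" || n < dv) dv = n }
        ($0 " ") ~ / (pass|allow|accept) (udp|tcp) from .* 53 / {
            if (dn == "" || n < dn) dn = n
        }
        END { exit !(dv != "" && dn != "" && dv < dn) }
    '
}

# Stand-alone run: print the rules, then confirm the ordering.
rules="$(dns_rules "${1:-xx0}" "${2:-10.0.0.0/24}")"
echo "$rules"
echo "$rules" | divert_before_dns && echo "# ok: divert rule precedes the DNS pass rules"
```

On a live box, "ipfw show | divert_before_dns" answers the ordering question that the first paragraph of the reply raises, and "ipfw -d show" lists the dynamic rules that keep-state created, which is the quickest way to see whether the query ever matched rule 300.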


To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
