On Sat, 2003-03-01 at 07:17, Bill Moran wrote:
> Mark wrote:
> > This is really wonky! I've tried all sorts of variations on the
> > following rules:
> >
> > add pass tcp from any 53 to 10.0.0.0/24
> > add pass udp from any 53 to 10.0.0.0/24
> > add pass tcp from 10.0.0.0/24 to any 53
> > add pass udp from 10.0.0.0/24 to any 53
>
> I'm assuming that you're not running a DNS cache on the firewall? So make
> sure these rules come _after_ the divert rule.
>
> You'll need keep-state's on the udp rules. Although tcp port 53 is
> registered to DNS, I've never actually seen it used. Here are some
> rules to try:
>
> add pass udp from 10.0.0.0/24 to any 53 keep-state
> add pass udp from any to any 53 keep-state via xx0 out
That appears to have done the trick, thanks very much! That keep-state appears to be the key that I wasn't quite understanding.

Now, we'll just hope I don't run into the same problem with FreeBSD 4.3 where after a week of running like this, DNS queries would suddenly stop getting through until I flushed and reset the firewall.

Thanks again!

ciao,
Mark.
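The stateful DNS setup Bill describes above, written out as an added rc.firewall-style fragment (example code, not from the thread or from FreeBSD itself). It assumes natd on its default divert port 8668, keeps the thread's placeholder outside interface xx0, and only prints the rules unless FWCMD is set to the real ipfw command.

```shell
#!/bin/sh
# Added example: NAT gateway rules that let inside hosts (10.0.0.0/24) query
# outside DNS servers statefully. Dry-run by default: FWCMD is the command
# used to add rules and with the default value it only echoes them. Set
# FWCMD="/sbin/ipfw -q" to apply them on a real host. OIF is the outside
# interface (placeholder xx0 as in the thread); NATD_PORT is natd's divert
# port (assumed to be natd's default, 8668).

dns_rules() {
    fwcmd="${FWCMD:-echo ipfw -q}"
    oif="${OIF:-xx0}"
    natd_port="${NATD_PORT:-8668}"
    inside="10.0.0.0/24"

    # 1. NAT first. Every packet crossing the outside interface is handed to
    #    natd before any rule below sees it, so the later rules match the
    #    translated packet (this is the "after the divert rule" point).
    ${fwcmd} add 100 divert "${natd_port}" ip from any to any via "${oif}"

    # 2. Replies must be compared against the dynamic (stateful) entries
    #    before anything else gets a chance to drop them.
    ${fwcmd} add 200 check-state

    # 3. Stateful DNS. keep-state records the outbound query and admits only
    #    the matching reply, so no wide-open "from any 53" rule is needed.
    #    The first pair matches on the inside interface, the second pair the
    #    already-translated packet leaving via the outside interface.
    ${fwcmd} add 300 pass udp from "${inside}" to any 53 keep-state
    ${fwcmd} add 310 pass tcp from "${inside}" to any 53 setup keep-state
    ${fwcmd} add 320 pass udp from any to any 53 keep-state via "${oif}" out
    ${fwcmd} add 330 pass tcp from any to any 53 setup keep-state via "${oif}" out

    # 4. Unsolicited port-53 traffic (the case the original "from any 53"
    #    rules would have passed) is logged and dropped instead.
    ${fwcmd} add 400 deny log udp from any to any 53
    ${fwcmd} add 410 deny log tcp from any to any 53
}

# Sanity check on the generated ruleset: the divert rule must precede the
# first pass rule, otherwise a pass rule would match the untranslated packet.
rule_order_ok() {
    out=$(dns_rules)
    div=$(printf '%s\n' "$out" | grep -n ' divert ' | head -1 | cut -d: -f1)
    first_pass=$(printf '%s\n' "$out" | grep -n ' pass ' | head -1 | cut -d: -f1)
    [ -n "$div" ] && [ -n "$first_pass" ] && [ "$div" -lt "$first_pass" ]
}

dns_rules
```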