Barney Wolff wrote:
> On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:
>> I'm using the `simple' template in /etc/rc.firewall to allow the LAN to
>> access the Internet from behind the firewall (FreeBSD-stable).
>>
>> There is a rule there:
>>
>>     # Allow DNS queries out in the world
>>     ${fwcmd} add pass udp from any to any 53 keep-state

Probably this should be a bit safer:

    ${fwcmd} add pass udp from ${inet} to any 53 keep-state out via de0

>> and, indeed, the firewall machine itself has no problems accessing the
>> outside name servers.
>>
>> However, when the LAN machine(s) try it, the queries time out, while the
>> firewall machine logs the following:
>>
>>     ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0

All routers/servers on the Internet do not work with 192.168-like networks, since anybody can use such addresses, so this could be your problem.

>> All HOWTOs out there imply running a local nameserver on the firewall
>> machine. Is there a way to go without that, but also without opening the
>> firewall up to _all_ UDP packets which happen to originate from port 53?
>>
>> What's the meaning of the "keep-state" clause in the rule above? I
>> thought it "magically" allows DNS responses to come back only, but that
>> does not work...
>
> Do ipfw show and see if the keep-state rule is ever triggering - perhaps
> some rule before it is already allowing the outgoing packets.

As I understand this, keep-state wouldn't allow any connection to you from port 53 till you send any UDP packet to that machine for port 53.

rik
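As an added example that is not part of the thread: a POSIX shell script that carries out Barney's "ipfw show" check mechanically. It parses constructed sample output of `ipfw -d show` (the rule numbers, counters, the name-server address 10.9.8.7 and the firewall's external address 198.51.100.2 are assumed, and the dynamic-rule line format is approximate) together with a deny log line in the format shown above, and reports whether the keep-state rule ever matched and whether a dynamic entry exists for the LAN host the denied reply was addressed to.

```shell
#!/bin/sh
# Added example, not from the thread: applies Barney's "ipfw show" check
# to constructed sample output. Rule numbers, counters, and the addresses
# 10.9.8.7 (name server) and 198.51.100.2 (firewall's external IP) are
# assumed for the demo; the dynamic-rule line format is approximate.

SAMPLE_SHOW='00050     7    532 divert 8668 ip from any to any via de0
03300     2    120 allow udp from any to any dst-port 53 keep-state
03400     9    980 deny log udp from any to any in via de0
## Dynamic rules:
03300     2    120 (T 10, # 0) <-> 198.51.100.2 1332 <-> 10.9.8.7 53'

# Constructed deny line in the same format as the one in the thread.
SAMPLE_LOG='ipfw: 3400 Deny UDP 10.9.8.7:53 192.168.1.3:1332 in via de0'

# rule_packets RULE TEXT: packet counter of static rule RULE (0 if absent).
rule_packets() {
    printf '%s\n' "$2" | awk -v r="$1" '
        /^## Dynamic/ { exit }
        ($1 + 0) == r { print $2; found = 1; exit }
        END { if (!found) print 0 }'
}

# log_dst_host LINE: destination host of a denied packet
# ("ipfw: N Deny PROTO src:sport dst:dport ...").
log_dst_host() {
    printf '%s\n' "$1" | awk '{ sub(/:[0-9]+$/, "", $6); print $6 }'
}

# has_state_for HOST TEXT: succeed if a dynamic rule mentions HOST.
has_state_for() {
    printf '%s\n' "$2" | awk -v h="$1" '
        /^## Dynamic/ { dyn = 1; next }
        dyn { for (i = 1; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }'
}

# diagnose RULE SHOW LOG: summarise the two checks for the reader.
diagnose() {
    host=$(log_dst_host "$3")
    echo "rule $1 matched $(rule_packets "$1" "$2") packet(s)"
    if has_state_for "$host" "$2"; then
        echo "dynamic state exists for $host: reply should have matched"
    else
        echo "no dynamic state for $host: state was kept for another address pair"
    fi
}

diagnose 3300 "$SAMPLE_SHOW" "$SAMPLE_LOG"
```

If the keep-state counter does increment but the only dynamic entry carries an address other than the LAN host (for example the firewall's own external address), the state was recorded for a different address pair than the reply carries when it reaches rule 3400, which is where to look next.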
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"