> My LAN is configured with static IP addresses, 192.168.1.x. > > I have no problems communicating within the LAN. > > I have full connectivity with the internet from every machine on my > LAN when > the firewall is open. > > When I use the rule set in question, I can ping and send mail but I > cannot > access the DNS servers listed in resolv.conf. > > These are the same DNS servers placed in resolv.conf when the firewall > is > open. > > I'm sorry, but I never said dc1 was my inside nic. > > Again, I appreciate any help with this. The files you requested > follow.
Must admit, I'm in a hurry to leave for the day, so I haven't read the ruleset etc, but what happens if you use the following entries, just after the divert rule?: ...allow udp from any to any 53 keep-state ...allow udp from any 53 to any keep-state ...allow tcp from any to any 53 keep-state Steve > > Here's my ifconfig - a: > > sara# ifconfig -a > dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 > inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1 > ether 00:04:5a:76:55:f0 > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2 > inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255 > ether 00:a0:cc:33:e1:f6 > media: Ethernet autoselect (100baseTX <full-duplex>) > status: active > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500 > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 > inet 127.0.0.1 netmask 0xff000000 > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500 > sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552 > faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500 > > Here's resolv.conf: > > sara# more /etc/resolv.conf > search pn.at.cox.net > nameserver 68.105.161.20 > nameserver 68.1.18.25 > nameserver 68.10.16.30 > > Here's the entire rule set I'm trying to use. > > I did follow the comments. > > Please note the variable pif is set to dc1, my outside nic. > > ################ Start of IPFW rules file > ############################### > # Flush out the list before we begin. > ipfw -q -f flush > # Set rules command prefix > cmd="ipfw -q add" > skip="skipto 800" > pif="dc1" # public interface name of Nic card > # facing the public internet > > > > ################################################################# > # No restrictions on Inside Lan Interface for private network > # Change xl0 to your Lan Nic card interface name > ################################################################# > $cmd 005 allow all from any to any via dc0 > > ################################################################# > # No restrictions on Loopback Interface > ################################################################# > $cmd 010 allow all from any to any via lo0 > > ################################################################# > # check if packet is inbound and nat address if it is > ################################################################# > $cmd 014 divert natd ip from any to any in via $pif > > ################################################################# > # Allow the packet through if it has previous been added to the > # the "dynamic" rules table by a allow keep-state statement. > ################################################################# > $cmd 015 check-state > > ################################################################# > # Interface facing Public internet (Outbound Section) > # Interrogate session start requests originating from behind the > # firewall on the private network or from this gateway server > # destine for the public internet. > ################################################################# > > # Allow out access to my ISP's Domain name server. > # x.x.x.x must be the IP address of your ISP's DNS > # Dup these lines if your ISP has more than one DNS server > # Get the IP addresses from /etc/resolv.conf file > $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup > keep-state > $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup > keep-state > $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup > keep-state > > # Allow out access to my ISP's DHCP server for cable/DSL > configurations. > $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state > > # Allow out non-secure standard www function > $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state > > # Allow out secure www function https over TLS SSL > $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state > > # Allow out send & get email function > $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state > $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state > > # Allow out FBSD (make install & CVSUP) functions > # Basically give user root "GOD" privileges. > $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid > root > > # Allow out ping > $cmd 080 $skip icmp from any to any out via $pif keep-state > > # Allow out Time > $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state > > # Allow out nntp news (IE: news groups) > $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state > > # Allow out secure FTP, Telnet, and SCP > # This function is using SSH (secure shell) > $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state > > # Allow out whois > $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state > > # Allow ntp time server > $cmd 130 $skip udp from any to any 123 out via $pif keep-state > > ################################################################# > # Interface facing Public internet (Inbound Section) > # Interrogate packets originating from the public internet > # destine for this gateway server or the private network. > ################################################################# > > # Deny all inbound traffic from non-routable reserved address spaces > $cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 > private > IP > $cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 > private > IP > $cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 > private > IP > $cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback > $cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback > $cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP > auto-config > $cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved > for > doc's > $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun > cluster > $cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & > E > multicast > > # Deny ident > $cmd 315 deny tcp from any to any 113 in via $pif > > # Deny all Netbios service. 137=name, 138=datagram, 139=session > # Netbios is MS/Windows sharing services. > # Block MS/Windows hosts2 name server requests 81 > $cmd 320 deny tcp from any to any 137 in via $pif > $cmd 321 deny tcp from any to any 138 in via $pif > $cmd 322 deny tcp from any to any 139 in via $pif > $cmd 323 deny tcp from any to any 81 in via $pif > > # Deny any late arriving packets > $cmd 330 deny all from any to any frag in via $pif > > # Deny ACK packets that did not match the dynamic rule table > $cmd 332 deny tcp from any to any established in via $pif > > # Allow traffic in from ISP's DHCP server. This rule must contain > # the IP address of your ISP's DHCP server as it's the only > # authorized source to send this packet type. > # Only necessary for cable or DSL configurations. > # This rule is not needed for 'user ppp' type connection to > # the public internet. This is the same IP address you captured > # and used in the outbound section. > $cmd 360 allow udp from 172.19.17.22 to any 68 in via $pif keep-state > > # Allow in standard www function because I have apache server > $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr > 2 > $cmd 370 allow tcp from any to me 8888 in via $pif setup limit > src-addr 2 > > # Allow in secure FTP, Telnet, and SCP from public Internet > $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr > 2 > > # Allow in non-secure Telnet session from public Internet > # labeled non-secure because ID & PW are passed over public > # internet as clear text. > # Delete this sample group if you do not have telnet server enabled. > # $cmd 390 allow tcp from any to me 23 in via $pif setup limit > src-addr 2 > > # Reject & Log all unauthorized incoming connections from the public > internet > $cmd 500 deny log all from any to any in via $pif > > # Reject & Log all unauthorized out going connections to the public > internet > > $cmd 550 deny log all from any to any out via $pif > > # This is skipto location for outbound stateful rules > $cmd 800 divert natd ip from any to any out via $pif > $cmd 801 allow ip from any to any > > # Everything else is denied by default > # deny and log all packets that fell through to see what they are > $cmd 999 deny log all from any to any > > > ################ End of IPFW rules file > ############################### > > Here's all of today's security ouput: > > Jul 31 07:50:36 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1649 > 193.0.14.129:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671 > 68.105.161.20:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042 > 68.1.18.25:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4365 > 68.10.16.30:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2365 > 68.105.161.20:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4325 > 68.1.18.25:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3378 > 68.10.16.30:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2952 > 68.105.161.20:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1359 > 68.1.18.25:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4738 > 68.10.16.30:53 out via dc1 > Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550 > Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860 > 68.105.58.150:21 in via dc1 > Jul 31 07:51:51 sara last message repeated 2 times > Jul 31 07:53:15 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3875 > 68.105.58.150:21 in via dc1 > Jul 31 07:53:24 sara last message repeated 2 times > Jul 31 07:53:32 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3878 > 68.105.58.150:21 in via dc1 > Jul 31 07:53:41 sara last message repeated 2 times > Jul 31 07:53:44 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3881 > 68.105.58.150:21 in via dc1 > Jul 31 07:53:44 sara /kernel: ipfw: limit 10 reached on entry 500 > Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53 > 192.168.1.102:3232 in via dc1 > Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.105.161.20:53 > 192.168.1.102:3232 in via dc1 > Jul 31 08:14:33 sara /kernel: ipfw: 65000 Deny UDP 10.2.184.1:67 > 255.255.255.255:68 in via dc1 > Jul 31 08:15:28 sara last message repeated 2 times > Jul 31 08:15:47 sara last message repeated 5 times > Jul 31 08:15:47 sara /kernel: ipfw: limit 10 reached on entry 65000 > Jul 31 08:31:20 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3534 > 198.41.0.4:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 > 68.105.161.20:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 > 68.1.18.25:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 > 68.10.16.30:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4952 > 68.105.161.20:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2260 > 68.1.18.25:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4087 > 68.10.16.30:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4914 > 68.105.161.20:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1849 > 68.1.18.25:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2220 > 68.10.16.30:53 out via dc1 > Jul 31 08:31:21 sara /kernel: ipfw: limit 10 reached on entry 550 > > Here's rc.conf again: > > # -- sysinstall generated deltas -- > # Sun Jul 4 10:40:48 2004 > # Created: Sun Jul 4 10:40:48 2004 > # Enable network daemons for user convenience. > # Please make all changes to this file, not to /etc/defaults/rc.conf. > # This file now contains just the overrides from > /etc/defaults/rc.conf. > hostname="sara.mshome.net" > ifconfig_dc1="DHCP" > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0" > firewall_enable="YES" firewall_script="/etc/ipfw.rules" > firewall_logging="YES" > kern_securelevel_enable="NO" > linux_enable="YES" > moused_enable="YES" > named_enable="YES" > nfs_client_enable="YES" > nfs_reserved_port_only="YES" > nfs_server_enable="YES" > sendmail_enable="YES" > sshd_enable="YES" > usbd_enable="YES" > ntpd_enable="YES" > inetd_enable="YES" > gateway_enable="YES" > natd_enable="YES" > natd_interface="dc1" > natd_flags="-dynamic" > > Here's dmesg.boot: > > Copyright (c) 1992-2004 The FreeBSD Project. > Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, > 1994 > The Regents of the University of California. All rights > reserved. > FreeBSD 4.10-RELEASE #8: Fri Jul 30 07:19:43 CDT 2004 > [EMAIL PROTECTED]:/usr/obj/usr/src/sys/SARA > Timecounter "i8254" frequency 1193182 Hz > CPU: Intel Celeron (634.78-MHz 686-class CPU) > Origin = "GenuineIntel" Id = 0x686 Stepping = 6 > > Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV, > PAT,PSE36,MMX,FXSR,SSE> > real memory = 134201344 (131056K bytes) > avail memory = 127057920 (124080K bytes) > Preloaded elf kernel "kernel" at 0xc0381000. > Pentium Pro MTRR support enabled > md0: Malloc disk > Using $PIR table, 8 entries at 0xc00f0e80 > npx0: <math processor> on motherboard > npx0: INT 16 interface > pcib0: <Intel 82443BX (440 BX) host to PCI bridge> on motherboard > pci0: <PCI bus> on pcib0 > agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem > 0xe4000000-0xe7ffffff > at device 0.0 on pci0 > pcib1: <Intel 82443BX (440 BX) PCI-PCI (AGP) bridge> at device 1.0 on > pci0 > pci1: <PCI bus> on pcib1 > pci1: <ATI Mach64-GB graphics accelerator> at 0.0 irq 11 > isab0: <Intel 82371AB PCI to ISA bridge> at device 4.0 on pci0 > isa0: <ISA bus> on isab0 > atapci0: <Intel PIIX4 ATA33 controller> port 0xb800-0xb80f at device > 4.1 on > pci0 > ata0: at 0x1f0 irq 14 on atapci0 > ata1: at 0x170 irq 15 on atapci0 > uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xb400-0xb41f > irq 9 at > device 4.2 on pci0 > usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0 > usb0: USB revision 1.0 > uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 > uhub0: 2 ports with 2 removable, self powered > chip0: <Intel 82371AB Power management controller> port 0xe800-0xe80f > at > device 4.3 on pci0 > dc0: <ADMtek AN985 10/100BaseTX> port 0xb000-0xb0ff mem > 0xe1000000-0xe10003ff irq 12 at device 10.0 on pci0 > dc0: Ethernet address: 00:04:5a:76:55:f0 > miibus0: <MII bus> on dc0 > ukphy0: <Generic IEEE 802.3u media interface> on miibus0 > ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto > dc1: <LC82C115 PNIC II 10/100BaseTX> port 0xa800-0xa8ff mem > 0xe0800000-0xe08000ff irq 10 at device 11.0 on pci0 > dc1: Ethernet address: 00:a0:cc:33:e1:f6 > miibus1: <MII bus> on dc1 > dcphy0: <Intel 21143 NWAY media interface> on miibus1 > dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto > isa0: too many dependant configs (8) > isa0: unexpected small tag 14 > orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0 > pmtimer0 on isa0 > fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on > isa0 > fdc0: FIFO enabled, 8 bytes threshold > fd0: <1440-KB 3.5" drive> on fdc0 drive 0 > atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0 > atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0 > kbd0 at atkbd0 > vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on > isa0 > sc0: <System console> at flags 0x100 on isa0 > sc0: VGA <16 virtual consoles, flags=0x300> > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0 > sio0: type 16550A > sio1 at port 0x2f8-0x2ff irq 3 on isa0 > sio1: type 16550A > ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0 > ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode > ppc0: FIFO with 16/16/9 bytes threshold > plip0: <PLIP network interface> on ppbus0 > lpt0: <Printer> on ppbus0 > lpt0: Interrupt-driven port > ppi0: <Parallel I/O> on ppbus0 > IP packet filtering initialized, divert enabled, rule-based forwarding > enabled, default to deny, logging limited to 10 packets/entry by > default > ad0: DMA limited to UDMA33, non-ATA66 cable or device > ad0: 19623MB <IBM-DTLA-305020> [39870/16/63] at ata0-master UDMA33 > acd0: CDROM <SONY CD-ROM CDU4821> at ata0-slave PIO4 > Mounting root from ufs:/dev/ad0s1a > > Thanks, > > Jim C. > > > >> -----Original Message----- >> From: JJB [mailto:[EMAIL PROTECTED] >> Sent: Saturday, July 31, 2004 10:28 AM >> To: James A. Coulter; [EMAIL PROTECTED] >> Subject: RE: Firewall Rule Set not allowing access to DNS servers? >> >> >> You better re-read what you posted in early post. You posted >> that dc1 is your outside NIC, which is connected to your >> cable modem which is connected to your ISP. Your outside NIC >> needs DHCP to get ip and dns info from your ISP. NOW YOU SAY >> dc1 IS INSIDE INTERFACE NAME. Make up your mind which is correct. >> >> Verify you have correct interface name coded in ipfw rules >> for NIC connected to cable modem and that the same NIC >> interface name is the one in rc.conf with DHCP option. When >> DHCP gets DNS info from ISP /etc/resolv.conf will auto >> updated with correct info. Read comments in sample firewall >> source and follow what comments say. You are making this >> harder than it really is. >> >> Also there is no setup option on UDP packets just keepstate >> >> Post full contents of your current dmesg.boot, rc.conf, ipfw >> rule set, and ipfw log files so people can see just want you >> have configured. And answer question of how you are >> assigning ip address to LAN PCs? Also post output of ifconfig >> -a command after boot completes. >> >> >> -----Original Message----- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] Behalf Of >> James A. Coulter >> Sent: Saturday, July 31, 2004 9:55 AM >> To: [EMAIL PROTECTED] >> Cc: [EMAIL PROTECTED] >> Subject: RE: Firewall Rule Set not allowing access to DNS servers? >> >> Thanks for the response. . . >> >> I changed rule 00005 from x10 to dc0 - thanks >> >> Not sure why I would want my inside nic requesting DHCP >> service from my ISP. It has been working fine in the >> configuration I have it so I've left it the way it is. >> >> I checked the security log, and found this: >> >> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP >> 68.105.58.150:2609 68.105.161.20:53 out via dc1 Jul 30 >> 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 >> 68.1.18.25:53 out via dc1 Jul 30 08:58:37 sara /kernel: ipfw: >> 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1 >> >> These are the three name servers specified in the rule set >> >> I checked the rule set and found this: >> >> # Allow out access to my ISP's Domain name server. >> # x.x.x.x must be the IP address of your ISP's DNS >> # Dup these lines if your ISP has more than one DNS server >> # Get the IP addresses from /etc/resolv.conf file >> $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif >> setup keep-state $cmd 021 $skip tcp from any to 68.1.18.25 53 >> out via $pif setup keep-state $cmd 022 $skip tcp from any to >> 68.10.16.30 53 out via $pif setup keep-state >> >> Because security said the firewall was denying UDP packets, I >> changed the rules to this: >> >> $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif >> setup keep-state $cmd 021 $skip udp from any to 68.1.18.25 53 >> out via $pif setup keep-state $cmd 022 $skip udp from any to >> 68.10.16.30 53 out via $pif setup keep-state >> >> But that hasn't helped. I'm still getting: >> >> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP >> 68.105.58.150:3178 68.105.161.20:53 out via dc1 Jul 31 >> 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 >> 68.1.18.25:53 out via dc1 Jul 31 08:31:21 sara /kernel: ipfw: >> 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1 >> >> FWIW, these rules are skipping to: >> >> # This is skipto location for outbound stateful rules >> $cmd 800 divert natd ip from any to any out via $pif >> $cmd 801 allow ip from any to any >> >> I apologize for being such a bother and I do appreciate any >> help or suggestions. >> >> TIA >> >> Jim C. >> >> >> >> > -----Original Message----- >> > From: [EMAIL PROTECTED] >> > [mailto:[EMAIL PROTECTED] On Behalf Of JJB >> > Sent: Friday, July 30, 2004 1:20 PM >> > To: James A. Coulter; [EMAIL PROTECTED] >> > Subject: RE: Firewall Rule Set not allowing access to DNS servers? >> > >> > >> > Change this ipfw rule from >> > >> > 00005 allow ip from any to any via xl0 >> > >> > To >> > 00005 allow ip from any to any via dc0 >> > >> > because dc0 is the lan interface name and not xl0. >> > >> > >> > Change these statement in rc.conf because you have interface name >> > backwards. Dc1 is the NIC connected to your cable modem and >> you want >> > to get DHCP info from your ISP. Dc0 is the NIC connected to >> your LAN. >> > >> > From >> > ifconfig_dc1="DHCP" >> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0" >> > >> > to >> > ifconfig_dc0="DHCP" >> > ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0" >> > >> > >> > You do not say how your LAN PCs get their ip address. >> > You can hard code them on each LAN PC >> > or you have to run isc-dhcp-server on your Gateway box to >> auto assign >> > ip address to LAN PCs. >> > >> > >> > >> > >> > >> > >> > >> > -----Original Message----- >> > From: [EMAIL PROTECTED] >> > [mailto:[EMAIL PROTECTED] Behalf Of James A. >> > Coulter >> > Sent: Friday, July 30, 2004 10:56 AM >> > To: [EMAIL PROTECTED] >> > Subject: Firewall Rule Set not allowing access to DNS servers? >> > >> > I am using FreeBSD 4.10 as a gateway/router for a small >> home LAN. My >> > outside interface (dc1) is connected to a cable modem and is >> > configured for DHCP. >> > >> > I have compiled and installed a custome kernel with IPFIREWALL and >> > IPDIVERT options and with a rule set allowing any to any with no >> > problems >> > >> > I am in the process of adding a proper rule set to provide >> security. I >> > was referred to >> http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and >> > installed the Stateful + NATD Rule Set modified for my >> > outside interface, domain name servers, and DHCP server. >> > >> > I can ping IP addresses and pass SMTP mail back and forth from the >> > gateway/router and all machines on the LAN, but I cannot >> ping URLs - I >> > am getting "ping: cannot resolve >> > www.freebsd.org: Host name lookup failure" errors. >> > >> > >> > This is what ipfw -a list looks like: >> > >> > sara# ipfw -a list >> > 00005 0 0 allow ip from any to any via xl0 >> > 00010 52 3640 allow ip from any to any via lo0 >> > 00014 0 0 divert 8668 ip from any to any in recv dc1 >> > 00015 0 0 check-state >> > 00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 >> > keep-state out >> > xmit dc1 setup >> > 00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 >> keep-state >> > out xmit >> > dc1 setup >> > 00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 >> keep-state >> > out >> > xmit dc1 setup >> > 00030 0 0 skipto 800 udp from any to 172.19.17.22 67 >> > keep-state out >> > xmit dc1 >> > 00040 0 0 skipto 800 tcp from any to any 80 keep-state out >> > xmit dc1 >> > setup >> > 00050 0 0 skipto 800 tcp from any to any 443 keep-state out >> > xmit dc1 >> > setup >> > 00060 0 0 skipto 800 tcp from any to any 25 keep-state out >> > xmit dc1 >> > setup >> > 00061 0 0 skipto 800 tcp from any to any 110 keep-state out >> > xmit dc1 >> > setup >> > 00070 0 0 skipto 800 tcp from me to any uid root keep-state >> > out xmit >> > dc1 setup >> > 00080 0 0 skipto 800 icmp from any to any keep-state out >> xmit >> > dc1 >> > 00090 0 0 skipto 800 tcp from any to any 37 keep-state out >> > xmit dc1 >> > setup >> > 00100 0 0 skipto 800 tcp from any to any 119 keep-state out >> > xmit dc1 >> > setup >> > 00110 0 0 skipto 800 tcp from any to any 22 keep-state out >> > xmit dc1 >> > setup >> > 00120 0 0 skipto 800 tcp from any to any 43 keep-state out >> > xmit dc1 >> > setup >> > 00130 0 0 skipto 800 udp from any to any 123 keep-state out >> > xmit dc1 >> > 00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1 >> > 00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1 >> > 00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1 >> > 00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1 >> > 00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1 >> > 00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1 >> > 00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1 >> > 00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1 >> > 00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1 >> > 00315 0 0 deny tcp from any to any 113 in recv dc1 >> > 00320 0 0 deny tcp from any to any 137 in recv dc1 >> > 00321 0 0 deny tcp from any to any 138 in recv dc1 >> > 00322 0 0 deny tcp from any to any 139 in recv dc1 >> > 00323 0 0 deny tcp from any to any 81 in recv dc1 >> > 00330 0 0 deny ip from any to any in recv dc1 frag >> > 00332 0 0 deny tcp from any to any in recv dc1 established >> > 00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state >> in >> > recv dc1 >> > 00370 0 0 allow tcp from any to me 80 limit src-addr 2 in >> recv >> > dc1 >> > setup >> > 00370 0 0 allow tcp from any to me 8888 limit src-addr 2 in >> > recv dc1 >> > setup >> > 00380 0 0 allow tcp from any to me 22 limit src-addr 2 in >> recv >> > dc1 >> > setup >> > 00400 0 0 deny log logamount 10 ip from any to any in recv >> dc1 >> > 00450 81 5288 deny log logamount 10 ip from any to any out xmit >> dc1 >> > 00800 0 0 divert 8668 ip from any to any out xmit dc1 >> > 00801 645 59255 allow ip from any to any >> > 00999 0 0 deny log logamount 10 ip from any to any >> > 65535 1 347 deny ip from any to any >> > This is what my /etc/rc.conf looks like: >> > >> > hostname="sara.mshome.net" >> > ifconfig_dc1="DHCP" >> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0" >> > firewall_enable="YES" firewall_script="/etc/ipfw.rules" >> > firewall_logging="YES" kern_securelevel_enable="NO" >> linux_enable="YES" >> > moused_enable="YES" named_enable="YES" nfs_client_enable="YES" >> > nfs_reserved_port_only="YES" nfs_server_enable="YES" >> > sendmail_enable="YES" sshd_enable="YES" usbd_enable="YES" >> > ntpd_enable="YES" inetd_enable="YES" gateway_enable="YES" >> > natd_enable="YES" natd_interface="dc1" natd_flags="-dynamic" >> > >> > Finally, this is what /etc/resolv.conf looks like: >> > >> > sara# more /etc/resolv.conf >> > search pn.at.cox.net >> > nameserver 68.105.161.20 >> > nameserver 68.1.18.25 >> > nameserver 68.10.16.30 >> > >> > Any ideas? >> > >> > Thanks, >> > >> > Jim C. >> > >> > _______________________________________________ >> > [EMAIL PROTECTED] mailing list >> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> > To unsubscribe, send any mail to >> > "[EMAIL PROTECTED]" >> > >> > _______________________________________________ >> > [EMAIL PROTECTED] mailing list >> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> > To unsubscribe, send any mail to >> > "[EMAIL PROTECTED]" >> > >> >> _______________________________________________ >> [EMAIL PROTECTED] mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions >> To unsubscribe, send any mail to >> "[EMAIL PROTECTED]" >> >> > > _______________________________________________ > [EMAIL PROTECTED] mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "[EMAIL PROTECTED]" > _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
