From owner-freebsd-net@FreeBSD.ORG Tue Jul 13 16:29:10 2004
Message-ID: <40F40C8E.8000904@cronyx.ru>
Date: Tue, 13 Jul 2004 20:23:42 +0400
From: Roman Kurakin
To: Mikhail Teterin, barney@databus.com
cc: questions@freebsd.org, net@freebsd.org
Subject: Re: allowing LAN the direct access to outside DNS with ipfw
In-Reply-To: <20040713160721.GA64946@pit.databus.com>
References: <200407131155.36985@misha-mx.virtual-estates.net> <20040713160721.GA64946@pit.databus.com>
List-Id: Networking and TCP/IP with FreeBSD

Barney Wolff wrote:

>On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:
>
>>I'm using the `simple' template in /etc/rc.firewall to allow LAN to access
>>the Internet from behind the firewall (FreeBSD-stable).
>>
>>There is a rule there:
>>  # Allow DNS queries out in the world
>>  ${fwcmd} add pass udp from any to any 53 keep-state
>>

Probably this should be a bit safer:

    ${fwcmd} add pass udp from ${inet} to any 53 keep-state out via de0

>>and, indeed, the firewall machine itself has no problems accessing the outside
>>name servers.
>>
>>However, when the LAN-machine(s) try it, the queries time out, while the
>>firewall machine logs the following:
>>
>>  ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0
>>

All routers/servers on the Internet do not work with 192.168-like networks, since anybody can use such addresses, so this could be your problem.

>>All HOWTOs out there imply running a local nameserver on the firewall
>>machine. Is there a way to go without that, but also without opening the
>>firewall up to _all_ UDP packets, which happen to originate from port
>>53?
>>
>>What's the meaning of the "keep-state" clause in the rule above? I
>>thought, it "magically" allows DNS-responses to come back only, but that
>>does not work...
>>
>
>Do ipfw show and see if the keep-state rule is ever triggering - perhaps
>some rule before it is already allowing the outgoing packets.
>

As I understand this, keep-state wouldn't allow any connection to you from port 53 until you send a UDP packet to port 53 on that machine.

rik
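The keep-state behaviour the thread is arguing about, as an added example that is not part of the original message or of FreeBSD's ipfw: a toy model of static rules plus the dynamic table that keep-state fills and check-state consults. It shows why a reply from port 53 is admitted only after the matching outbound query was seen by the keep-state rule, why an earlier stateless pass rule (Barney's suspicion) leaves the reply with no state and lets the final deny fire, and what rik's tighter `from ${inet} ... out via de0` variant closes off. Rule numbers, the name-server address 198.51.100.53, the probing host 203.0.113.9 and the `DENY_IN` stand-in for the logged rule 3400 are assumptions.

```python
"""Toy model of ipfw keep-state / check-state for UDP (added example, not
code from the thread or from FreeBSD). Rule numbers, the name server
198.51.100.53 and the probing host 203.0.113.9 are assumptions; the logic
is a simplified model of ipfw dynamic rules, not a reimplementation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str       # e.g. "de0"
    proto: str = "udp"


@dataclass
class Rule:
    number: int
    action: str                      # "pass", "deny" or "check-state"
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "any"                 # "any" or a CIDR such as "192.168.1.0/24"
    dport: Optional[int] = None      # destination port, None = any
    keep_state: bool = False
    direction: Optional[str] = None  # "in", "out" or None (either)
    iface: Optional[str] = None      # "via <iface>" restriction, or None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src == "any"
                     or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
                and (self.dport is None or p.dport == self.dport)
                and (self.direction is None or p.direction == self.direction)
                and (self.iface is None or p.iface == self.iface))


def flow(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_flow(p):
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Firewall:
    """Static rules in number order plus the dynamic rules created by keep-state."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}   # flow 5-tuple -> the rule that created the entry

    def process(self, p):
        """Return (rule number, action); ipfw's default rule 65535 denies."""
        for r in self.rules:
            # check-state, and every keep-state rule, first consult the dynamic
            # table; a hit performs the action of the rule that created the entry
            if r.action == "check-state" or r.keep_state:
                parent = self.dynamic.get(flow(p)) or self.dynamic.get(reverse_flow(p))
                if parent is not None:
                    return (parent.number, parent.action)
                if r.action == "check-state":
                    continue
            if not r.matches(p):
                continue
            if r.keep_state:
                self.dynamic[flow(p)] = r   # the reply will match via reverse_flow()
            return (r.number, r.action)
        return (65535, "deny")


NS = "198.51.100.53"        # assumed outside name server
LAN_HOST = "192.168.1.3"    # the LAN client from the logged deny line
DENY_IN = Rule(3400, "deny", proto="udp", direction="in", iface="de0")  # stand-in for the logged rule

# the 'simple' template rule: pass udp from any to any 53 keep-state
SIMPLE = Rule(300, "pass", proto="udp", dport=53, keep_state=True)
# rik's tighter variant: pass udp from ${inet} to any 53 keep-state out via de0
TIGHT = Rule(300, "pass", proto="udp", src="192.168.1.0/24", dport=53,
             keep_state=True, direction="out", iface="de0")
# a stateless pass placed before the keep-state rule (Barney's suspicion)
SHADOW = Rule(250, "pass", proto="udp", src="192.168.1.0/24")


def firewall(*rules):
    """check-state first, the given rules, then the deny seen in the log."""
    return Firewall([Rule(200, "check-state"), *rules, DENY_IN])


def query_then_reply(fw):
    query = Packet(LAN_HOST, 1332, NS, 53, "out", "de0")
    reply = Packet(NS, 53, LAN_HOST, 1332, "in", "de0")
    return fw.process(query), fw.process(reply)


def reply_without_query(fw):
    # the logged case: a reply arrives but no dynamic rule exists for it
    return fw.process(Packet(NS, 53, LAN_HOST, 1332, "in", "de0"))


def probe_port_53(fw):
    # an outside host sending unsolicited UDP to port 53 on the LAN client
    return fw.process(Packet("203.0.113.9", 40000, LAN_HOST, 53, "in", "de0"))
```

With `firewall(SIMPLE)` the query creates state and the reply is passed by the parent rule; with `firewall(SHADOW, SIMPLE)` rule 250 passes the query first, no state is created, and the reply falls through to the deny, which is what `ipfw show` counters would reveal. `probe_port_53` shows the difference between the two rules: the `from any to any 53` form accepts unsolicited inbound UDP to port 53 on the LAN host, while the `out via de0` form does not.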