Date:      Thu, 3 Feb 2005 05:30:13 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Graham Dresch <gdresch@spcint.com>
Cc:        freebsd-doc@freebsd.org
Subject:   Re: Error in Handbook
Message-ID:  <20050203033013.GA3211@gothmog.gr>
In-Reply-To: <Pine.BSF.4.58.0502021403320.66014@dragon.spcplus.com>
References:  <Pine.BSF.4.58.0502021403320.66014@dragon.spcplus.com>

On 2005-02-02 14:11, Graham Dresch <gdresch@spcint.com> wrote:
>
> In Chapter 24 Firewalls:
> Section 24.6.5.7:
> Example ruleset #2:
>
> $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
>                ^^^                                     ^^^^^
>
> DNS uses UDP, setup is inapplicable to UDP

Actually, DNS uses both UDP and TCP.  The size of a DNS UDP packet has
an upper limit.  If the data that needs to be transferred exceeds that
limit, TCP is used.

> The line should read:
>
> $cmd 020 $skip udp from any to x.x.x.x 53 out via $pif keep-state

It should probably remain as it is, and a TCP-specific line should be
added.  Ruleset #2 is supposed to be identical to ruleset #1, which
includes these rules:

    $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
    $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

- Giorgos
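The mechanism behind Giorgos's point, as an added worked example that is not part of the thread or of the Handbook ruleset: a stub resolver queries over UDP first, and when the reply carries the TC (truncated) bit because the answer does not fit in the classic 512-byte UDP message (RFC 1035, section 4.2.1), it retries the same query over TCP, where every message is prefixed with a two-byte length. The server below is a constructed stand-in (it is not BIND or any real resolver), the transaction ID 0x1234 and the 192.0.2.x addresses are made up, and nothing is sent on the network.

```python
"""
Added example, not code from the Handbook or the mailing-list thread.

Shows why an outbound DNS firewall rule needs both a UDP entry and a TCP
entry: the stub resolver starts over UDP, and when the server sets TC=1
(answer larger than UDP_MAX_PAYLOAD) the same query is re-sent over TCP
with the two-byte length framing that DNS-over-TCP uses.  fake_server,
the transaction ID and the addresses are constructed for the demonstration.
"""
import struct

UDP_MAX_PAYLOAD = 512  # classic DNS-over-UDP limit, RFC 1035 section 4.2.1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard recursive query (QR=0, RD=1) with one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header; 'tc' is the truncation flag."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def frame_for_tcp(msg):
    """DNS over TCP: each message is preceded by its length, big-endian."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def skip_name(msg, off):
    """Advance past a name, handling both labels and a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the A-record addresses in the answer section."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    ips = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def fake_server(query, transport, answers):
    """Constructed server (not a real resolver): echoes the question and
    returns one A record per address; over UDP, an answer that would not
    fit is replaced by an empty reply with TC=1."""
    hdr = parse_header(query)
    question = query[12:]
    rrs = b""
    for ip in answers:   # name = pointer to the question name at offset 12
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    flags = 0x8180       # QR=1, RD=1, RA=1, NOERROR
    full = struct.pack("!HHHHHH", hdr["id"], flags, 1, len(answers), 0, 0) + question + rrs
    if transport == "udp" and len(full) > UDP_MAX_PAYLOAD:
        return struct.pack("!HHHHHH", hdr["id"], flags | 0x0200, 1, 0, 0, 0) + question
    return full


def resolve(name, answers):
    """Stub-resolver logic: UDP first, TCP only when the UDP reply is truncated.
    Returns the transports used (in order) and the addresses obtained."""
    query = build_query(0x1234, name)          # transaction ID is made up
    used = ["udp"]
    reply = fake_server(query, "udp", answers)
    if parse_header(reply)["tc"]:
        used.append("tcp")                     # this is the packet rule 00110 must let out
        on_wire = frame_for_tcp(query)
        reply = unframe_from_tcp(frame_for_tcp(fake_server(unframe_from_tcp(on_wire), "tcp", answers)))
    return {"transports": used, "addresses": parse_a_records(reply)}
```

With one A record the whole exchange stays on UDP; with forty records the constructed reply is 669 bytes, the UDP answer comes back with TC=1 and no records, and the resolver re-sends the query over TCP. That TCP retry opens with a SYN to port 53, which is exactly what the Handbook's `tcp ... setup keep-state` rule matches (and what a UDP-only rule silently drops), while the `udp ... keep-state` rule creates its dynamic entry from the first datagram. EDNS0 raises the UDP limit in practice, but the TCP fallback remains part of the protocol, so a firewall that only passes UDP/53 still breaks large answers.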



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050203033013.GA3211>