Date: Thu, 3 Feb 2005 05:30:13 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Graham Dresch <gdresch@spcint.com>
Cc: freebsd-doc@freebsd.org
Subject: Re: Error in Handbook
Message-ID: <20050203033013.GA3211@gothmog.gr>
In-Reply-To: <Pine.BSF.4.58.0502021403320.66014@dragon.spcplus.com>
References: <Pine.BSF.4.58.0502021403320.66014@dragon.spcplus.com>
On 2005-02-02 14:11, Graham Dresch <gdresch@spcint.com> wrote:
> In Chapter 24 Firewalls:
> Section 24.6.5.7:
> Example ruleset #2:
>
> $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
>                ^^^                                     ^^^^^
>
> DNS uses UDP, setup is inapplicable to UDP

Actually, DNS uses both UDP and TCP. The size of a DNS UDP packet has
an upper limit. If the data that needs to be transferred exceeds that
limit, TCP is used.

> The line should read:
>
> $cmd 020 $skip udp from any to x.x.x.x 53 out via $pif keep-state

It should probably remain as it is, and a TCP-specific line should be
added. Ruleset #2 is supposed to be identical to ruleset #1, which
includes these rules:

$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

- Giorgos
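The reason both rules are needed, shown as an added example that is not part of the thread or of the Handbook ruleset: a stub resolver sends its query over UDP, and when the server sets the TC ("truncated") bit in the reply header it must repeat the same query over TCP, where each message is prefixed with a 16-bit length. If the firewall only passes UDP/53, that second step never connects and every answer too large for a UDP datagram is lost. The header layout is the RFC 1035 one; the `fake_response` helper and the names `dns_tc.py`, `192.0.2.53` are constructed for this illustration, and the packets it builds carry no answer records.

```python
import socket
import struct

# Added example for the TC-bit fallback; not from the Handbook or the thread.
# Assumed: only the 12-byte header (RFC 1035 4.1.1) is parsed, and the
# constructed fake responses below carry a question section but no answers.

DNS_PORT = 53
UDP_MAX_PAYLOAD = 512          # classic UDP limit without EDNS0
FLAG_QR = 0x8000
FLAG_TC = 0x0200               # truncated: repeat the query over TCP
FLAG_RD = 0x0100
FLAG_RA = 0x0080


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal query: header with RD set, one question of class IN."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def is_truncated(response: bytes) -> bool:
    """True when the server set TC, i.e. the answer did not fit in the UDP reply."""
    if len(response) < 12:
        raise ValueError("DNS header is 12 bytes; got %d" % len(response))
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & FLAG_TC)


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes every message with its big-endian 16-bit length."""
    return struct.pack("!H", len(message)) + message


def fake_response(query: bytes, truncated: bool) -> bytes:
    """Constructed test input: echo the question back with QR/RD/RA and optional TC."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf


def resolve(name: str, server: str, timeout: float = 3.0) -> tuple[bytes, str]:
    """Query over UDP first; if TC is set, repeat the same query over TCP.

    With only a UDP/53 rule in the firewall the TCP step is blocked, so
    every truncated answer (large RRsets, DNSSEC, zone transfers) fails.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, DNS_PORT))
        reply, _ = u.recvfrom(UDP_MAX_PAYLOAD)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch in UDP reply")
    if not is_truncated(reply):
        return reply, "udp"
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as t:
        t.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", recv_exact(t, 2))
        return recv_exact(t, length), "tcp"


if __name__ == "__main__":
    import sys
    # Live use, e.g.: python dns_tc.py www.freebsd.org 192.0.2.53
    reply, transport = resolve(sys.argv[1], sys.argv[2])
    print("%d-byte reply via %s" % (len(reply), transport))
```

Run against a recursive server behind a ruleset that lacks the TCP/53 line and the UDP exchange still succeeds for small answers; the first truncated reply makes `resolve` open the TCP connection, which is exactly the packet the `setup keep-state` rule exists to admit.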