Date: Thu, 1 May 2003 16:05:32 +0300 From: Giorgos Keramidas <keramida@ceid.upatras.gr> To: Joe Sotham <joe-dated-1052063962.072fd5@dubium.com> Cc: freebsd-questions@freebsd.org Subject: Re: modifying ipfw rules to accompany dnscache install Message-ID: <20030501130532.GB62775@gothmog.gr> In-Reply-To: <1868.192.168.0.1.1051459162.squirrel@sigfried> References: <1868.192.168.0.1.1051459162.squirrel@sigfried>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2003-04-27 08:59, Joe Sotham wrote:
> My firewall starts with the everything denied principle. I was using
> the following rules to allow udp packets to/fro my private netwo:
> dns1 and dns2 are my service provider's nameserver ip addresses.
>
> <snip>
> ${fwcmd} add 400 pass udp from any to ${dns1} 53
> ${fwcmd} add 400 pass udp from any to ${dns2} 53
> ${fwcmd} add 400 pass udp from ${dns1} 53 to any
> ${fwcmd} add 400 pass udp from ${dns2} 53 to any
> <snip>
>
> After installing dnscache I have had to open the ruleset up a little.
> I am wondering if the following rule can be tightened up a little.
>
> ${fwcmd} add 400 pass udp from any to any 53 keep-state
It should work fine... My local ipfw ruleset here used to include:
# Allow DNS and NTP through.
add allow udp from any to any 53,123 keep-state out
I'm using ipfilter now, so I haven't run any recent tests with this
ruleset, but the rule shown above used to work great.
- Giorgos
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030501130532.GB62775>