Date: Thu, 1 May 2003 16:05:32 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Joe Sotham <joe-dated-1052063962.072fd5@dubium.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: modifying ipfw rules to accompany dnscache install
Message-ID: <20030501130532.GB62775@gothmog.gr>
In-Reply-To: <1868.192.168.0.1.1051459162.squirrel@sigfried>
References: <1868.192.168.0.1.1051459162.squirrel@sigfried>
On 2003-04-27 08:59, Joe Sotham wrote:
> My firewall starts with the everything denied principle. I was using
> the following rules to allow udp packets to/from my private network:
> dns1 and dns2 are my service provider's nameserver ip addresses.
>
> <snip>
> ${fwcmd} add 400 pass udp from any to ${dns1} 53
> ${fwcmd} add 400 pass udp from any to ${dns2} 53
> ${fwcmd} add 400 pass udp from ${dns1} 53 to any
> ${fwcmd} add 400 pass udp from ${dns2} 53 to any
> <snip>
>
> After installing dnscache I have had to open the ruleset up a little.
> I am wondering if the following rule can be tightened up a little.
>
> ${fwcmd} add 400 pass udp from any to any 53 keep-state

It should work fine...  My local ipfw ruleset here used to include:

# Allow DNS and NTP through.
add allow udp from any to any 53,123 keep-state out

I'm using ipfilter now, so I haven't run any recent tests with this
ruleset, but the rule shown above used to work great.

- Giorgos
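Added example, not part of the message above and not ipfw code: a small Python model of ipfw's first-match evaluation with a dynamic (keep-state) table, run over the three rulesets discussed in the thread. The model is a deliberate simplification of ipfw semantics as I understand them (a keep-state rule first consults the dynamic table, then matches its static body and records the flow); the addresses, port numbers and packets are constructed for illustration. It makes visible why the four static rules are looser than they look, and what the trailing `out` in Giorgos's rule changes.

```python
# Constructed simulation of ipfw stateful matching (not ipfw itself).
# Assumed semantics: rules are tried in order, first match wins, default deny;
# a keep-state rule does an implicit check-state against the dynamic table
# before its own body is evaluated, and on a static match it records the flow
# so that the reverse packet is accepted later.  UDP only.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                      # "in" or "out", as seen by the firewall host


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    src: str                            # IP address or "any"
    sports: Optional[Set[int]]          # None means any source port
    dst: str
    dports: Optional[Set[int]]          # None means any destination port
    direction: Optional[str] = None     # "in", "out" or None (either direction)
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.sports is None or p.sport in self.sports)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dports is None or p.dport in self.dports)
                and (self.direction is None or self.direction == p.direction))


Flow = Tuple[str, int, str, int]


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.dynamic: Set[Flow] = set()

    def check_state(self, p: Packet) -> bool:
        # A dynamic entry matches the flow that created it and its reverse.
        return ((p.src, p.sport, p.dst, p.dport) in self.dynamic
                or (p.dst, p.dport, p.src, p.sport) in self.dynamic)

    def filter(self, p: Packet) -> str:
        for r in self.rules:
            if r.keep_state and self.check_state(p):
                return "allow"          # implicit check-state
            if r.matches(p):
                if r.keep_state:
                    self.dynamic.add((p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    fw = Firewall(rules)
    return [fw.filter(p) for p in packets]


# Constructed addresses (RFC 5737 documentation ranges for the outside hosts).
DNS1, DNS2 = "192.0.2.53", "192.0.2.54"    # the ISP's resolvers
GW = "192.168.0.1"                         # firewall host, also runs dnscache
LAN = "192.168.0.20"                       # a client on the private network
EVIL = "203.0.113.7"                       # some unrelated outside host

# Joe's four static rules.
STATIC = [
    Rule("allow", "any", None, DNS1, {53}),
    Rule("allow", "any", None, DNS2, {53}),
    Rule("allow", DNS1, {53}, "any", None),
    Rule("allow", DNS2, {53}, "any", None),
]
# pass udp from any to any 53 keep-state
KEEP_STATE = [Rule("allow", "any", None, "any", {53}, keep_state=True)]
# allow udp from any to any 53,123 keep-state out
KEEP_STATE_OUT = [Rule("allow", "any", None, "any", {53, 123}, "out", keep_state=True)]

PACKETS = [
    Packet(GW, 40000, DNS1, 53, "out"),    # dnscache queries the ISP resolver
    Packet(DNS1, 53, GW, 40000, "in"),     # the matching reply
    Packet(DNS1, 53, GW, 111, "in"),       # source port 53, aimed at an unrelated port
    Packet(EVIL, 53, GW, 111, "in"),       # source port 53 from a stranger
    Packet(LAN, 5000, GW, 53, "in"),       # LAN client asking dnscache
    Packet(EVIL, 5000, GW, 53, "in"),      # outside host asking dnscache
]

if __name__ == "__main__":
    for name, rules in (("static", STATIC), ("keep-state", KEEP_STATE),
                        ("keep-state out", KEEP_STATE_OUT)):
        print(f"{name:15s}", run(rules, PACKETS))
```

In this model the static ruleset accepts the third packet: anything whose source is `${dns1}` port 53 is let through to any local port, so a packet with that source spoofed reaches port 111 without any query having been sent. The undirected keep-state rule closes that, but because it has no `in`/`out` it also accepts inbound queries to port 53 on the firewall host from anyone, LAN or outside; whether that is wanted depends on which address dnscache is told to listen on. Adding `out`, as in Giorgos's rule, restricts the static match to queries the host itself sends, so only their replies come back in through the dynamic table, and the LAN clients then need their own rule.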
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030501130532.GB62775>