Date: Wed, 20 Sep 2006 20:12:18 +1000
From: Nick Withers <nick@nickwithers.com>
To: Vittorio <vdemart1@tin.it>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW doesn't resolve host names
Message-ID: <20060920201218.65c87ea4.nick@nickwithers.com>
In-Reply-To: <10dcab18e3b.vdemart1@tin.it>
References: <10dcab18e3b.vdemart1@tin.it>
On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
Vittorio <vdemart1@tin.it> wrote:

> Dear friends,
> I have a pentium 4 freebsd 6.1 server connected to my office win-xp lan.
> The server smoothly runs sshd, postgresql, samba (to connect some /home
> share and the office win filesystem), vncserver.
> Recently I added the following IPFW firewall (I'm an absolute beginner
> with it) which works ** almost correctly **.
> In fact, I can connect via ssh (putty under winxp), the pg database works,
> vncserver too, while samba connects to its local windows share but it's
> unable to connect to the lan filesystem because it is no longer possible
> to resolve the host names. If I ping a host the answer is invariably
>
> ping: cannot resolve matteo: Host name lookup failure
>
> even though I defined "allow" rules for port 53.

You have not, however, allowed replies from your DNS server(s)...

> Could you please help me?
>
> ############### start of example ipfw rules script #############
> ipfw -q -f flush # Delete all rules
> # Set defaults
> oif="fxp0" # out interface
> # Set defaults
> gw="10.155.102.6"
> cmd="ipfw -q add " # build rule prefix
> ks="keep-state" # just too lazy to key this each time
> $cmd 00500 check-state
> $cmd 00502 deny all from any to any frag
> $cmd 00501 deny tcp from any to any established
> $cmd 00503 allow all from any to any via lo0
> $cmd 00505 deny all from any to 127.0.0.0/8
> $cmd 00508 deny ip from 127.0.0.0/8 to any
> $cmd 00600 allow tcp from any to me dst-port 22, 80 via $oif setup $ks
> $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> $cmd 00602 allow tcp from any to me dst-port 5432, 5900-5909 via $oif setup $ks
> $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> $cmd 00605 allow udp from any to me dst-port 5432, 5900 via $oif setup $ks
> $cmd 00606 allow tcp from any to $gw 1491
> $cmd 00607 allow tcp from $gw 1491 to any
> $cmd 00610 allow tcp from me to any 53 out via $oif

Try replacing this with "$cmd 00610 allow tcp from me to any 53 out via $oif $ks".

> $cmd 00611 allow tcp from any 50 to me in via $oif
> $cmd 00612 allow udp from me to any 53 out via $oif
> $cmd 00613 allow udp from any 50 to me in via $oif
> $cmd 00700 allow icmp from any to any via $oif
> ################### End of example ipfw rules script ############

-- 
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
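Added illustration of the point in Nick's reply (this is not code from the thread or from FreeBSD; the "me" and resolver addresses, the ephemeral port and the simplified matcher are all constructed): a toy model of ipfw's check-state/keep-state behaviour, run over the posted UDP rules 612/613 as written (note 613 only admits a source port of 50) and over rule 612 with keep-state added, showing why the DNS reply is dropped in the first case and admitted in the second.

```python
from collections import namedtuple

ME = "10.155.102.20"   # constructed: the address the script calls "me"
DNS = "10.155.102.1"   # constructed: the resolver on the office LAN
Packet = namedtuple("Packet", "proto src sport dst dport direction")
# None for a port or direction means "any"; rules are matched in number order.
Rule = namedtuple("Rule", "num action proto src sport dst dport direction keep_state",
                  defaults=("all", "any", None, "any", None, None, False))

def _addr_ok(pattern, addr):
    return pattern == "any" or (pattern == "me" and addr == ME) or pattern == addr

def _static_match(r, p):
    return (r.proto in ("all", p.proto)
            and _addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport)
            and r.direction in (None, p.direction))

class Firewall:
    """keep-state records the matched flow in both directions; a later
    check-state rule lets packets of a recorded flow through."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = set()

    def evaluate(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        for r in self.rules:
            if r.action == "check-state":
                if flow in self.dynamic:
                    return "allow"
                continue
            if _static_match(r, p):
                if r.keep_state:
                    self.dynamic.add(flow)
                    self.dynamic.add((p.proto, p.dst, p.dport, p.src, p.sport))
                return r.action
        return "deny"    # no match: behave as if a final deny-all rule existed

def dns_exchange(rules):
    # Verdicts for a UDP DNS query leaving "me" and the resolver's reply coming back.
    fw = Firewall(rules)
    query = Packet("udp", ME, 51234, DNS, 53, "out")
    reply = Packet("udp", DNS, 53, ME, 51234, "in")
    return fw.evaluate(query), fw.evaluate(reply)

# Rules 612/613 as posted: stateless, and 613 only admits a source port of 50.
STATELESS = [Rule(500, "check-state"),
             Rule(612, "allow", "udp", "me", None, "any", 53, "out"),
             Rule(613, "allow", "udp", "any", 50, "me", None, "in")]
# Nick's suggestion applied to the UDP rule: keep-state on the outbound query.
STATEFUL = [Rule(500, "check-state"),
            Rule(612, "allow", "udp", "me", None, "any", 53, "out", keep_state=True)]
```

`dns_exchange(STATELESS)` yields `("allow", "deny")` and `dns_exchange(STATEFUL)` yields `("allow", "allow")`: the query leaves either way, but only the dynamic entry created by keep-state lets the reply from port 53 back in.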