From: Nick Withers <nick@nickwithers.com>
To: Vittorio
Cc: freebsd-questions@freebsd.org
Date: Wed, 20 Sep 2006 20:12:18 +1000
Subject: Re: IPFW doesn't resolve host names
Message-Id: <20060920201218.65c87ea4.nick@nickwithers.com>
In-Reply-To: <10dcab18e3b.vdemart1@tin.it>

On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
Vittorio wrote:

> Dear friends,
> I have a pentium 4 freebsd 6.1 server connected to my
> office win-xp lan. The server smoothly runs sshd, postgresql, samba (to
> connect some /home share and the office win filesystem), vncserver.
> Recently I added the following IPFW firewall (I'm an absolute beginner
> with it) which works ** almost correctly **.
> In fact, I can connect via
> ssh (putty under winxp), the pg database works, vncserver too, while
> samba connects to its local windows share but it's unable to connect
> to the lan filesystem because it is no longer possible to resolve the
> host names. If I ping a host the answer is invariably
>
> ping: cannot resolve matteo: Host name lookup failure
>
> even though I defined "allow" rules for port 53.

You have not, however, allowed replies from your DNS server(s)...

> Could you please help me?
>
> ############### start of example ipfw rules script #############
> ipfw -q -f flush # Delete all rules
> # Set defaults
> oif="fxp0" # out interface
> # Set defaults
> gw="10.155.102.6"
> cmd="ipfw -q add " # build rule prefix
> ks="keep-state" # just too lazy to key this each time
> $cmd 00500 check-state
> $cmd 00502 deny all from any to any frag
> $cmd 00501 deny tcp from any to any established
> $cmd 00503 allow all from any to any via lo0
> $cmd 00505 deny all from any to 127.0.0.0/8
> $cmd 00508 deny ip from 127.0.0.0/8 to any
> $cmd 00600 allow tcp from any to me dst-port 22, 80 via $oif setup $ks
> $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> $cmd 00602 allow tcp from any to me dst-port 5432, 5900-5909 via $oif setup $ks
> $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> $cmd 00605 allow udp from any to me dst-port 5432, 5900 via $oif setup $ks
> $cmd 00606 allow tcp from any to $gw 1491
> $cmd 00607 allow tcp from $gw 1491 to any
> $cmd 00610 allow tcp from me to any 53 out via $oif

Try replacing this with "$cmd 00610 allow tcp from me to any 53 out via $oif $ks".

> $cmd 00611 allow tcp from any 50 to me in via $oif
> $cmd 00612 allow udp from me to any 53 out via $oif
> $cmd 00613 allow udp from any 50 to me in via $oif
> $cmd 00700 allow icmp from any to any via $oif
> ################### End of example ipfw rules script ############

--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
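As an added example (not code from the thread), here is the DNS part of such an ipfw script with the stateless rule that drops replies beside its stateful replacement, covering both UDP and TCP resolver traffic. The interface name, rule numbers and the IPFW_CMD/OIF variables are assumptions; IPFW_CMD defaults to echo so the script only prints the rules and runs without ipfw.

```shell
#!/bin/sh
# Added example, not from the original post. With IPFW_CMD left at its
# default of "echo" the functions only print rules; set
# IPFW_CMD="ipfw -q add" on a FreeBSD host to load them. The interface
# name and rule numbers are assumptions modelled on the posted script.

oif="${OIF:-fxp0}"   # outside interface, as in the poster's script
ks="keep-state"

# Print (or load) one rule, playing the role of the poster's $cmd prefix.
add_rule() {
    ${IPFW_CMD:-echo} "$@"
}

# The pattern that breaks name resolution: the query is allowed out, but
# nothing admits the reply (UDP from port 53 back to "me"), so it falls
# through to the later deny and every lookup times out.
dns_rules_stateless() {
    add_rule 00612 allow udp from me to any 53 out via "$oif"
}

# Stateful version: keep-state records each outbound query and the
# matching reply is admitted by the check-state rule. TCP is covered too,
# since large responses are retried over TCP; "setup" limits state
# creation to the initial SYN, as the poster's other tcp rules do.
dns_rules_stateful() {
    add_rule 00500 check-state
    add_rule 00610 allow tcp from me to any 53 out via "$oif" setup "$ks"
    add_rule 00612 allow udp from me to any 53 out via "$oif" "$ks"
}

# Sanity check usable before loading: every DNS rule in the stateful set
# must carry keep-state or be the check-state rule.
stateful_rule_count() {
    dns_rules_stateful | grep -c -e keep-state -e check-state
}
```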