From: Nick Withers <nick@nickwithers.com>
To: Vittorio
Cc: freebsd-questions@freebsd.org
Date: Wed, 20 Sep 2006 20:15:49 +1000
Subject: Re: IPFW doesn't resolve host names
Message-Id: <20060920201549.0a67cf6c.nick@nickwithers.com>
In-Reply-To: <20060920201218.65c87ea4.nick@nickwithers.com>
References: <10dcab18e3b.vdemart1@tin.it> <20060920201218.65c87ea4.nick@nickwithers.com>
Organization: nickwithers.com
X-Mailer: Sylpheed version 2.2.7 (GTK+ 2.10.3; i386-portbld-freebsd6.2)
List-Id: User questions <freebsd-questions@freebsd.org>

On Wed, 20 Sep 2006 20:12:18 +1000
Nick Withers wrote:

> On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
> Vittorio wrote:
>
> > Dear friends,
> > I have a Pentium 4 FreeBSD 6.1 server connected to my office win-xp LAN.
> > The server smoothly runs sshd, postgresql, samba (to connect some /home
> > share and the office win filesystem), vncserver.
> > Recently I added the following IPFW firewall (I'm an absolute beginner
> > with it) which works ** almost correctly **.
> > In fact, I can connect via ssh (putty under winxp), the pg database works,
> > vncserver too, while samba connects to its local windows share but it's
> > unable to connect to the LAN filesystem because it is no longer possible
> > to resolve the host names. If I ping a host the answer is invariably
> >
> > ping: cannot resolve matteo: Host name lookup failure
> >
> > even though I defined "allow" rules for port 53.
>
> You have not, however, allowed replies from your DNS server(s)...
>
> > Could you please help me?
> >
> > ############### start of example ipfw rules script #############
> > ipfw -q -f flush # Delete all rules
> > # Set defaults
> > oif="fxp0" # out interface
> > # Set defaults
> > gw="10.155.102.6"
> > cmd="ipfw -q add " # build rule prefix
> > ks="keep-state" # just too lazy to key this each time
> > $cmd 00500 check-state
> > $cmd 00502 deny all from any to any frag
> > $cmd 00501 deny tcp from any to any established

You may want to change the ordering of the rules above in the file so that it reads the way it'll be implemented by IPFW (I'm guessing this is an accident, anyway).

> > $cmd 00503 allow all from any to any via lo0
> > $cmd 00505 deny all from any to 127.0.0.0/8
> > $cmd 00508 deny ip from 127.0.0.0/8 to any
> > $cmd 00600 allow tcp from any to me dst-port 22, 80 via $oif setup $ks
> > $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> > $cmd 00602 allow tcp from any to me dst-port 5432, 5900-5909 via $oif setup $ks
> > $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> > $cmd 00605 allow udp from any to me dst-port 5432, 5900 via $oif setup $ks
> > $cmd 00606 allow tcp from any to $gw 1491
> > $cmd 00607 allow tcp from $gw 1491 to any
> > $cmd 00610 allow tcp from me to any 53 out via $oif
>
> Try replacing this with "$cmd 00610 allow tcp from me to any 53
> out via $oif $ks".
>
> > $cmd 00611 allow tcp from any 50 to me in via $oif
> > $cmd 00612 allow udp from me to any 53 out via $oif

Sorry... and this with "$cmd 00612 allow udp from me to any 53 out via $oif $ks".

> > $cmd 00613 allow udp from any 50 to me in via $oif
> > $cmd 00700 allow icmp from any to any via $oif
> > ################### End of example ipfw rules script ############

--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
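The fix Nick describes, written out as an added example that is not part of the thread and not Vittorio's or Nick's script: the two outbound DNS rules carry keep-state, so the reply is admitted by the check-state rule that already sits at 00500 in the original script instead of by the "from any 50" rules (which watch the wrong source port and match nothing). The interface name fxp0 and the rule numbers 00610/00612 are taken from the original script; the `setup` keyword on the TCP rule is my addition, not something suggested in the thread; the `ipfw -d list` sample used by the state check is constructed here and only approximates the FreeBSD 6 output format.

```shell
#!/bin/sh
# Added example (not from the thread): stateful DNS rules for ipfw, plus a
# check that the dynamic state entries actually show up once a query is sent.
# Assumptions: outbound interface fxp0 and rule numbers 00610/00612 come from
# Vittorio's script, and his "00500 check-state" rule still precedes these;
# without check-state the dynamic entries are never consulted.

oif="${OIF:-fxp0}"
IPFW="${IPFW:-ipfw}"   # set IPFW=echo to preview the rules instead of loading them

# Wrapper around "ipfw -q add", mirroring the $cmd prefix in the original script.
add() {
    "$IPFW" -q add "$@"
}

# Broken form from the original script, kept here for comparison only:
#   $cmd 00610 allow tcp from me to any 53 out via $oif
#   $cmd 00611 allow tcp from any 50 to me in via $oif
# The query leaves, but nothing admits the reply, so every lookup times out.

# Stateful form: keep-state on the outbound query records the flow, and the
# earlier check-state rule passes the matching reply. "setup" on the TCP rule
# (my choice, not in the thread) means only the initial SYN can create state.
load_dns_rules() {
    add 00610 allow tcp from me to any 53 out via "$oif" setup keep-state
    add 00612 allow udp from me to any 53 out via "$oif" keep-state
}

# Read "ipfw -d list" output on stdin and succeed if at least one dynamic
# (STATE) entry has port 53 as its remote side, i.e. a query is being tracked.
has_dns_state() {
    awk '/STATE (udp|tcp) / && $NF == 53 { n++ } END { if (n > 0) exit 0; exit 1 }'
}

# Constructed sample of "ipfw -d list" output (format approximated from
# FreeBSD 6): one static rule followed by the dynamic-rules section.
sample_list='00610 allow tcp from me to any dst-port 53 out via fxp0 setup keep-state
## Dynamic rules (1):
00612   1    65 (5s) STATE udp 10.0.0.250 56201 <-> 10.155.102.6 53'

case "${1:-}" in
    load)  load_dns_rules ;;                       # load the two rules (root)
    check) "$IPFW" -d list | has_dns_state && echo "DNS state present" ;;
    demo)  printf '%s\n' "$sample_list" | has_dns_state && echo "sample: DNS state present" ;;
esac
```

`IPFW=echo sh dns_rules.sh load` prints the two commands without touching the running rule set; `sh dns_rules.sh check` (as root, after a `host` or `ping` that triggers a lookup) reports whether ipfw is actually tracking a DNS flow, which is the quickest way to confirm the keep-state rules were loaded at a lower number than any deny that would otherwise eat the reply.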