From: "Dustin Puryear"
Delivered-To: freebsd-isp@freebsd.org
Subject: FreeBSD firewall and DNS
Date: Thu, 20 Dec 2001 14:54:28 -0600
In-Reply-To: <003101c1890c$370d5cc0$22b197ce@ezo.net>

I am having problems configuring a FreeBSD 4.4-RELEASE firewall to allow a DNS server to work. When I say "work" I mean it is unable to resolve names. Instead, it just times out.

Please note that we are using static NAT. Also, the DNS server is NOT located on the firewall. (On a related note, if I run a DNS server on the firewall it works.) The DNS server does have a public IP address via the static NAT mapping, but I would think it should work regardless. At least, for resolving names.

Okay, so I have a firewall at 10.0.0.1 private, a.b.c.d public. Via NAT the DNS server, which will be for public use, has a private address of 10.0.0.5 and w.x.y.z public.

If I install the DNS server on the firewall and use the rules:

  01500 divert 8668 ip from any to any via rl0
  ...
  02600 allow udp from a.b.c.d to any 53 keep-state
  02700 allow tcp from a.b.c.d to any 53 keep-state

the DNS server on the firewall works and can resolve names for me. However, if I put the DNS server on another internal machine and use the rules:

  01500 divert 8668 ip from any to any via rl0
  ...
  02800 allow udp from w.x.y.z to any 53 keep-state
  02900 allow tcp from w.x.y.z to any 53 keep-state

the internal server times out. Okay, so I am thinking that perhaps since the divert rule comes first I should be using the internal address:

  01500 divert 8668 ip from any to any via rl0
  ...
  02800 allow udp from 10.0.0.5 to any 53 keep-state
  02900 allow tcp from 10.0.0.5 to any 53 keep-state

Unfortunately, I get the same result. The DNS server cannot resolve the name and nslookup eventually times out.

Now, I can make it work by adding the rule:

  03640 allow udp from any to 10.0.0.5

But why is this necessary? Assuming my DNS server does not need to be accessible to external users, I should just need to allow the server to hit remote DNS servers and to expect replies via the keep-state. Am I missing something here?

BTW, I am including my full ruleset below just in case.

  00100 allow ip from any to any via lo0
  00200 deny ip from any to 127.0.0.0/8
  00300 deny ip from 127.0.0.0/8 to any
  00400 allow ip from any to any via nge0
  00500 deny ip from 10.0.0.0/24 to any in recv rl0
  00600 deny ip from a.b.c.0/26 to any in recv nge0
  00700 deny ip from any to 10.0.0.0/8 via rl0
  00800 deny ip from any to 172.16.0.0/12 via rl0
  00900 deny ip from any to 192.168.0.0/16 via rl0
  01000 deny ip from any to 0.0.0.0/8 via rl0
  01100 deny ip from any to 169.254.0.0/16 via rl0
  01200 deny ip from any to 192.0.2.0/24 via rl0
  01300 deny ip from any to 224.0.0.0/4 via rl0
  01400 deny ip from any to 240.0.0.0/4 via rl0
  01500 divert 8668 ip from any to any via rl0
  01600 deny ip from 10.0.0.0/8 to any via rl0
  01700 deny ip from 172.16.0.0/12 to any via rl0
  01800 deny ip from 192.168.0.0/16 to any via rl0
  01900 deny ip from 0.0.0.0/8 to any via rl0
  02000 deny ip from 169.254.0.0/16 to any via rl0
  02100 deny ip from 192.0.2.0/24 to any via rl0
  02200 deny ip from 224.0.0.0/4 to any via rl0
  02300 deny ip from 240.0.0.0/4 to any via rl0
  02400 allow tcp from any to any established
  02500 allow ip from any to any frag
  02600 allow udp from a.b.c.d to any 53 keep-state    # for DNS on firewall
  02700 allow tcp from a.b.c.d to any 53 keep-state    # ""
  02800 allow udp from w.x.y.z to any 53 keep-state    # for DNS on another box
  02900 allow tcp from w.x.y.z to any 53 keep-state    # ""
  03000 allow tcp from any to 10.0.0.5 25 setup
  03100 allow tcp from any to 10.0.0.20 80 via rl0 setup    # web
  03200 allow tcp from any to 10.0.0.21 80 via rl0 setup    # web
  03300 allow tcp from any to any 22 setup
  03400 allow icmp from any to any keep-state
  03500 allow tcp from any to any setup
  03640 allow udp from any to 10.0.0.5    # crappy fix to allow DNS to work
  03900 deny log logamount 10 tcp from any to any in recv rl0 setup
  65535 deny ip from any to any

Regards, Dustin

---
Dustin Puryear
Information Systems Consultant
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams
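As an added illustration (not code from the mail or from ipfw), the following Python model traces one DNS query and its reply through the rule order posted above, through the posted workaround, and through a split ordering in which inbound packets are de-NATed before the state check and outbound state is recorded before the divert. It models two things ipfw does: natd rewrites the packet and processing resumes at the rule after the divert, and a keep-state rule keys its dynamic entry on the addresses the packet carries at the moment that rule fires. The resolver address (an RFC 5737 documentation address) and the port numbers are constructed.

```python
# Toy model of ipfw on rl0 for the setup in the mail: natd (via divert) rewrites
# the packet in place and ipfw resumes at the next rule; keep-state keys its
# dynamic entry on the addresses the packet carries when that rule fires.

PUBLIC, PRIVATE, RESOLVER = "w.x.y.z", "10.0.0.5", "198.51.100.1"  # resolver is made up

def natd(p):  # static NAT as in the mail: outbound src -> public, inbound dst -> private
    if p["dir"] == "out" and p["src"] == PRIVATE:
        p["src"] = PUBLIC
    elif p["dir"] == "in" and p["dst"] == PUBLIC:
        p["dst"] = PRIVATE

def decide(rules, p, state):
    """Rule = (action, match, dir, goto); action divert|keep-state|allow; goto = skipto index."""
    i = 0
    while i < len(rules):
        action, match, d, goto = rules[i]
        i += 1
        if d and d != p["dir"]:
            continue
        if action == "divert":
            natd(p)                        # packet is reinjected after this rule
        elif action == "keep-state":       # a keep-state rule also does check-state
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key in state or key[2:] + key[:2] in state:
                return "allow-dynamic"
            if p["src"] == match and p["dport"] == 53:
                state.add(key)             # keyed on the addresses seen right now
                if goto is None:
                    return "allow-new"
                i = goto
        elif action == "allow" and match in (None, p["dst"]):
            return "allow-static"
    return "deny"                          # the default 65535 rule

def run(rules, packets):
    state = set()                          # dynamic-rule table shared by the packets
    return [decide(rules, p, state) for p in packets]

def dns_exchange():
    # Constructed sample: one query from the internal DNS box, then the reply to it.
    return [dict(dir="out", src=PRIVATE, sport=1234, dst=RESOLVER, dport=53),
            dict(dir="in", src=RESOLVER, sport=53, dst=PUBLIC, dport=1234)]

# Rule order from the mail: divert first, then keep-state on the public address.
AS_POSTED = [("divert", None, None, None), ("keep-state", PUBLIC, None, None)]
WITH_FIX = AS_POSTED + [("allow", PRIVATE, None, None)]   # plus "allow udp from any to 10.0.0.5"
# Split order: de-NAT inbound before the state check, key state on the private address,
# then skipto an outbound divert (index 2) once the state has been recorded.
SPLIT = [("divert", None, "in", None), ("keep-state", PRIVATE, None, 2),
         ("divert", None, "out", None), ("allow", None, "out", None)]
```

With the posted order the reply reaches the keep-state rule already rewritten to 10.0.0.5 and matches neither the dynamic entry (created for w.x.y.z) nor the static match, which is the timeout the mail describes; the split order records the entry on 10.0.0.5 and the de-NATed reply hits it.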