Date:      27 Oct 2002 19:22:05 +0000
From:      Stacey Roberts <stacey@Demon.vickiandstacey.com>
To:        "D. Penev" <dpenev@mail.bg>
Cc:        sroberts@dsl.pipex.com, FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   res_nmkquery: buffer too small WAS[Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security]
Message-ID:  <1035746529.65564.26.camel@Demon.vickiandstacey.com>
In-Reply-To: <20021027180957.GB240@earth.dpsca.bg>
References:  <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org> <1035743359.65564.12.camel@Demon.vickiandstacey.com>  <20021027180957.GB240@earth.dpsca.bg>


Hi,
  I've made the changes to rule 00618 as you've suggested, but now I get
a different error:
# dig .ns @a.root-servers.net

; <<>> DiG 8.3 <<>> .ns @a.root-servers.net
; (1 server found)
;; res_nmkquery: buffer too small

# dig .ns @b.root-servers.net

; <<>> DiG 8.3 <<>> .ns @b.root-servers.net
; (1 server found)
;; res_nmkquery: buffer too small
#

I'll not even pretend to know what that means...

Thanks for the pointer to what I missed out in the rule.

Stacey

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
>
> You forget keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
>
>
> >                  ^
> >                  |
> >       PUT THIS IN INSTEAD
> >
> >Now I try to query a root-server, I still get stopped by the firewall:
> ># date
> >Sun Oct 27 18:19:35 GMT 2002
> ># dig . ns @b.root-servers.net
> >
> >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> >; (1 server found)
> >;; res options: init recurs defnam dnsrch
> >;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed out
> >
> >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> ><snip>
> >> >
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
> >>
> >> This last rule is bogus. From ipfw(8):
> >>
> >>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >>              This is the short form of ``tcpflags syn,!ack''.
> >>
> >> "setup" is not supposed to work for UDP packets. There is no handshake as
> >> in tcp connections.
> >>
> >>
> >> >
> >> > Checking ipfw rule 910:
> >> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >> >
> >> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >> >
> >> > I'd appreciate someone helping me out here (or hitting me over the
> >> > head if I'm missing something simple and glaringly obvious)
> >> >
> >> > TIA
> >> >
> >> > Stacey
> >> >
> >> >
> >> > --
> >> > Stacey Roberts
> >> > B.Sc (HONS) Computer Science
> >> >
> >> > Web: www.vickiandstacey.com
> >> >
> >>
> >> To Unsubscribe: send mail to majordomo@FreeBSD.org
> >> with "unsubscribe freebsd-questions" in the body of the message
> >--
> >Stacey Roberts
> >B.Sc (HONS) Computer Science
> >
> >Web: www.vickiandstacey.com
> >
>
>
> --
> Regards,
> D. Penev
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
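The two rule problems raised in this thread (the TCP-only `setup` keyword on a UDP rule, and an outbound UDP allow with no `keep-state`) can be caught mechanically before the rules are loaded. The following is an added example, not code from the thread or from FreeBSD: a small lint for rc.firewall-style `$fwcmd add ...` lines, run over a constructed sample rule set; the rule numbers and the `$oif` variable follow the thread's own usage.

```python
import re

SAMPLE_RULES = """# Constructed sample rule set in rc.firewall style, modelled on the thread
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
$fwcmd add 00620 allow udp from any to any 53 out via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
"""
RULE_RE = re.compile(r"^\$fwcmd\s+add\s+(\d+)\s+(.*)$")

def parse_rule(line):
    """Split one '$fwcmd add NUM ...' line into (num, action, proto, options);
    the protocol is the token right before 'from'. None for comments/blanks."""
    m = RULE_RE.match(line.strip())
    tokens = m.group(2).split() if m else []
    if "from" not in tokens:
        return None
    i = tokens.index("from")
    return m.group(1), " ".join(tokens[:i - 1]), tokens[i - 1], tokens[i:]

def lint_rule(line):
    """Findings for one rule: 'setup' on a non-TCP rule (it only ever matches
    TCP SYN packets, so the rule cannot match UDP) and an outbound UDP allow
    without keep-state (the reply then falls through to the later deny rule)."""
    parsed = parse_rule(line)
    if parsed is None:
        return []
    num, action, proto, opts = parsed
    findings = []
    if "setup" in opts and proto not in ("tcp", "ip", "all"):
        findings.append(f"rule {num}: 'setup' (tcpflags syn,!ack) never matches {proto}")
    if action == "allow" and proto == "udp" and "out" in opts and "keep-state" not in opts:
        findings.append(f"rule {num}: outbound udp allow without keep-state")
    return findings

def lint_rules(text):
    return [f for line in text.splitlines() for f in lint_rule(line)]

def fix_rule(line):
    """Rewrite a rule as the thread suggests: drop 'setup' from non-TCP rules
    and append 'keep-state' to outbound UDP allows that lack it."""
    parsed = parse_rule(line)
    if parsed is None:
        return line
    num, action, proto, opts = parsed
    if proto not in ("tcp", "ip", "all"):
        opts = [o for o in opts if o != "setup"]
    if action == "allow" and proto == "udp" and "out" in opts and "keep-state" not in opts:
        opts.append("keep-state")
    return f"$fwcmd add {num} {action} {proto} " + " ".join(opts)
```

Running `lint_rules(SAMPLE_RULES)` flags 00619 for `setup` and 00620 for the missing `keep-state`, while 00618 and 00910 pass; `fix_rule` emits the corrected line for each.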