From owner-freebsd-questions Sun Oct 27 11:22:11 2002
Subject: res_nmkquery: buffer too small WAS[Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
From: Stacey Roberts
Reply-To: sroberts@dsl.pipex.com
To: "D. Penev"
Cc: sroberts@dsl.pipex.com, FreeBSD Questions
In-Reply-To: <20021027180957.GB240@earth.dpsca.bg>
References: <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org> <1035743359.65564.12.camel@Demon.vickiandstacey.com> <20021027180957.GB240@earth.dpsca.bg>
Date: 27 Oct 2002 19:22:05 +0000
Message-Id: <1035746529.65564.26.camel@Demon.vickiandstacey.com>

Hi,

I've made the changes to rule 00618 as you've suggested, but now I get a different error:

# dig .ns @a.root-servers.net

; <<>> DiG 8.3 <<>> .ns @a.root-servers.net
; (1 server found)
;; res_nmkquery: buffer too small
# dig .ns @b.root-servers.net

; <<>> DiG 8.3 <<>> .ns @b.root-servers.net
; (1 server found)
;; res_nmkquery: buffer too small
#

I'll not even pretend to know what that means...

Thanks for the pointer to what I missed out in the rule.

Stacey

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
>
> You forgot keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
>
>
> >                                                  ^
> >                                                  |
> >                                          PUT THIS IN INSTEAD
> >
> > Now I try to query a root-server, I still get stopped by the firewall:
> > # date
> > Sun Oct 27 18:19:35 GMT 2002
> > # dig . ns @b.root-servers.net
> >
> > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> > ; (1 server found)
> > ;; res options: init recurs defnam dnsrch
> > ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed
> > out
> >
> > On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> >
> >> >
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> >> > keep-state
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> >> > keep-state
> >>
> >> This last rule is bogus. From ipfw(8):
> >>
> >>   setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >>           This is the short form of ``tcpflags syn,!ack''.
> >>
> >> "setup" is not supposed to work for UDP packets. There is no handshake as
> >> in tcp connections.
> >>
> >>
> >> >
> >> > Checking ipfw rule 910:
> >> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >> >
> >> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >> >
> >> > I'd appreciate someone helping me out here (or hitting me over the
> >> > head if I'm missing something simple and glaringly obvious).
> >> >
> >> > TIA
> >> >
> >> > Stacey
> >> >
> >
> --
> Regards,
> D. Penev
>

--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
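The two problems the thread identifies in rule 00619 (a TCP-only "setup" option on a UDP rule, and an outbound UDP rule that lacks keep-state so the reply has nothing to match) can be checked mechanically. The following is an added example, not code from the thread or from FreeBSD: a small Python linter for rc.firewall-style "$fwcmd add ..." lines that flags both problems and rewrites a UDP rule into the form D. Penev gives. It assumes the "$fwcmd add NUMBER action proto ..." layout shown in the thread; the option names come from ipfw(8).

```python
# ipfw(8) options that inspect TCP flags; "setup" is the short form of
# "tcpflags syn,!ack".  A UDP datagram carries no flags, so these never match.
TCP_ONLY_OPTIONS = {"setup", "established", "tcpflags"}
ALLOW_ACTIONS = {"allow", "accept", "pass", "permit"}

SAMPLE_RULES = [  # the two DNS rules quoted in the thread; 00619 is the bogus one
    "$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state",
    "$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state"]

def parse_rule(line):
    """'$fwcmd add NNNNN action proto ...' -> (num, action, proto, opts) or None."""
    tokens = line.split()
    if "add" not in tokens:
        return None                      # comment, blank line, or not an add
    rest = tokens[tokens.index("add") + 1:]
    if len(rest) < 3 or not rest[0].isdigit():
        return None
    return rest[0], rest[1].lower(), rest[2].lower(), rest[3:]

def lint_rule(line):
    """Findings for one rule line; an empty list means the rule looks sane."""
    parsed = parse_rule(line)
    if parsed is None:
        return []
    num, action, proto, opts = parsed
    findings = [f"rule {num}: '{o}' is TCP-only and never matches {proto}"
                for o in opts if proto != "tcp" and o in TCP_ONLY_OPTIONS]
    if (proto == "udp" and action in ALLOW_ACTIONS and "out" in opts
            and "keep-state" not in opts):
        findings.append(f"rule {num}: outbound udp without keep-state; "
                        "the reply datagram must match some other rule")
    return findings

def fix_rule(line):
    """Rewrite a udp rule: drop TCP-only options, append keep-state if absent."""
    parsed = parse_rule(line)
    if parsed is None or parsed[2] != "udp":
        return line                      # only udp rules are rewritten
    num, action, proto, opts = parsed
    cleaned, skip_arg = [], False
    for opt in opts:
        if skip_arg or opt in TCP_ONLY_OPTIONS:
            skip_arg = opt == "tcpflags"  # also drop the flag list after tcpflags
            continue
        cleaned.append(opt)
    if "keep-state" not in cleaned:
        cleaned.append("keep-state")
    head = line.split()[:line.split().index("add")]   # e.g. ['$fwcmd']
    return " ".join(head + ["add", num, action, proto] + cleaned)
```

Running fix_rule over rule 00619 yields exactly the rule D. Penev suggests (minus the rule number), and lint_rule on the tcp rule 00618 returns nothing, since "setup" is legitimate there.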