From owner-freebsd-security Wed Dec 26 13:44: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from thedarkside.nl (cc31301-a.assen1.dr.nl.home.com [213.51.66.128]) by hub.freebsd.org (Postfix) with ESMTP id 48EF837B405 for ; Wed, 26 Dec 2001 13:44:00 -0800 (PST)
Received: (from root@localhost) by thedarkside.nl (8.11.6/8.11.6) id fBQLhvb07480 for security@freebsd.org; Wed, 26 Dec 2001 22:43:57 +0100 (CET) (envelope-from g.p.de.boer@st.hanze.nl)
Received: from kilmarnock.st.hanze.nl (kilmarnock [10.0.0.2]) by thedarkside.nl (8.11.6/8.11.6av) with ESMTP id fBQLhrH07472 for ; Wed, 26 Dec 2001 22:43:53 +0100 (CET) (envelope-from g.p.de.boer@st.hanze.nl)
Message-Id: <5.1.0.14.0.20011226223958.01f4dd30@thedarkside.nl>
X-Sender: 125105@pop5.st.hanze.nl
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 26 Dec 2001 22:43:50 +0100
To: security@freebsd.org
From: "G.P. de Boer"
Subject: Re: Help with ipfw rules to allow DNS queries through
In-Reply-To: <20011226205648.87285.qmail@web11801.mail.yahoo.com>
References: <00ea01c18e4b$19edf0c0$3028680a@tgt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 21:56 26-12-2001, you wrote something

I was reading your mailing and the pasted rules below, and saw two things which might form the problem->solution.

You were saying you're using /etc/resolv.conf for your own lookups. This means that your lookups are NOT from source port 53. This only applies when you use your own nameserver as resolver. So the rule pass udp from ${ip} 53 to any doesn't apply, since you're using source port >1024. I would use pass udp from ${ip} to any 53.

Hope this helps,

P. de Boer

>Hmmm. However, I can access another DNS server as a
>client with the default open rule set, but not with this set in place.
>This makes me think that NAT is *not* the problem. I would also like to
>get set up as a primary and/or secondary DNS server (going to set up a
>swap with a friend, the usual low rent DNS set up ;-), so just
>accessing an external name server as a client is not the ultimate goal.
>I would also like to allow others to access my machine as a DNS server,
>and to be authoritative on some domains. Any suggestions?
>
> > # Allow access to our DNS
> > ${fwcmd} add pass tcp from any to ${ip} 53 setup
> > ${fwcmd} add pass udp from any to ${ip} 53
> > ${fwcmd} add pass udp from ${ip} 53 to any

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
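The distinction the reply draws (a host resolving names through /etc/resolv.conf sends from an ephemeral port, so only the destination port is 53; a host serving DNS answers from port 53) is easy to get wrong when the two roles share one rule set. The script below is an added example, not code from the thread or from FreeBSD's rc.firewall: it generates the two rule groups as separate shell functions so each role's rules can be reviewed on their own. The ${fwcmd} and ${ip} names follow the thread, 192.0.2.1 is a constructed placeholder address, and the rule passing replies back from remote port 53 to ${ip} is my addition (the thread only shows the outbound query rule); ipfw evaluates rules statelessly here, so that return rule is what lets the answer in. The TCP rules assume the usual "pass tcp from any to any established" rule from rc.firewall is already loaded ahead of them.

```shell
#!/bin/sh
# Added example (not from the original mail): emit ipfw rules for the two
# DNS roles discussed above. By default this is a dry run that prints the
# ipfw commands; set fwcmd=/sbin/ipfw on a real firewall host to load them.
: "${fwcmd:=echo ipfw}"

# Resolver role: this host looks names up via the servers listed in
# /etc/resolv.conf. The query leaves from an ephemeral port (>1024), not
# from port 53, so the rule has to match on the *destination* port. The
# answer comes back from the remote server's port 53 to that ephemeral
# port, which the second rule allows (my addition; not in the thread).
# Usage: dns_client_rules <this host's IP>
dns_client_rules() {
    ${fwcmd} add pass udp from "$1" to any 53
    ${fwcmd} add pass udp from any 53 to "$1"
    # Answers too large for one UDP datagram are retried over TCP; the
    # returning segments are covered by rc.firewall's "established" rule.
    ${fwcmd} add pass tcp from "$1" to any 53 setup
}

# Server role: the rules quoted in the thread. Other hosts connect to this
# host's port 53 and the replies leave from port 53, so here the *source*
# port 53 rule is the right one.
# Usage: dns_server_rules <this host's IP>
dns_server_rules() {
    ${fwcmd} add pass tcp from any to "$1" 53 setup
    ${fwcmd} add pass udp from any to "$1" 53
    ${fwcmd} add pass udp from "$1" 53 to any
}

# A host that both resolves for itself and serves zones (the goal stated
# in the thread) needs both groups; the server rules alone do not cover
# the host's own lookups.
dns_rules_all() {
    dns_client_rules "$1"
    dns_server_rules "$1"
}

# Dry run with the constructed placeholder address:
dns_rules_all 192.0.2.1
```

Reviewing the resolver group shows the trade-off of the stateless return rule: it admits any UDP datagram whose source port is 53, not only replies to queries this host sent. On ipfw versions that support it, replacing the two UDP client rules with a single "pass udp from ${ip} to any 53 keep-state" narrows that to actual replies, so check whether the host's ipfw offers keep-state before settling on the stateless form.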