Date:      Wed, 26 Dec 2001 17:47:09 -0800 (PST)
From:      X Philius <xphilius@yahoo.com>
To:        "G.P. de Boer" <g.p.de.boer@st.hanze.nl>, security@freebsd.org
Subject:   Re: Help with ipfw rules to allow DNS queries through
Message-ID:  <20011227014709.9820.qmail@web11806.mail.yahoo.com>
In-Reply-To: <5.1.0.14.0.20011226223958.01f4dd30@thedarkside.nl>

G.P.,
I am currently using an external DNS server via resolv.conf, you are
correct. I would think that the generic rule to allow all internally
established connections (both udp and tcp) to pass through would allow
this, even without any port specific rules. Is this not correct?

	# Allow set up of outgoing UDP connections
	${fwcmd} add pass udp from ${ip} to any setup

	# Allow setup of outgoing TCP connections
	${fwcmd} add pass tcp from ${ip} to any setup

I used to have named set up on my machine, before I upgraded to 4.4R,
and I plan to set it up again. However, before I upgraded I was using
this rule set, and it did not seem to allow me to access my machine as
a name server from another machine. I am not 100% sure that I tested it
properly though, so the general question is: should I be able to use
this ruleset if I want to use my machine as a name server, i.e. to be
accessed by an external client, and authoritative on a domain or
twelve? As someone else mentioned, this is pretty much verbatim from
the default rc.firewall.

# Allow DNS queries out and in
${fwcmd} add pass tcp from any to ${ip} 53 setup
${fwcmd} add pass udp from any to ${ip} 53
${fwcmd} add pass udp from ${ip} 53 to any

Thanks much for your reply! I can't wait to get this working.

Jason

--- "G.P. de Boer" <g.p.de.boer@st.hanze.nl> wrote:
> At 21:56 26-12-2001, you wrote something
> 
> I was reading your mailing and the pasted rules below, and
> saw two things which might form the problem->solution.
> 
> You were saying you're using /etc/resolv.conf for your own
> lookups. This means that your lookups are NOT from source
> port 53. This only applies when you use your own nameserver
> as resolver. So the rule pass udp from ${ip} 53 to any doesn't
> apply, since you're using sourceport >1024.
> I would use pass udp from ${ip} to any 53.
> 
> Hope this helps,
> P. de Boer
> 

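To make the source-port point in the reply concrete, here is a small constructed simulation (added here, not part of the thread or of ipfw) of first-match rule evaluation over the UDP rules quoted above. It assumes ${ip} is 192.0.2.10 and the resolv.conf nameserver is 198.51.100.1, models only "pass udp from A [port] to B [port]", and leaves out the "setup" lines because setup matches TCP SYN packets only.

```python
# Constructed ipfw-style first-match simulation; not ipfw itself.
from dataclasses import dataclass

IP = "192.0.2.10"          # assumed value of ${ip} (constructed)
RESOLVER = "198.51.100.1"  # assumed external nameserver from resolv.conf (constructed)
CLIENT = "203.0.113.5"     # assumed external client querying our named (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_rule(text):
    """Parse 'pass udp from A [port] to B [port]' into (proto, src, sport, dst, dport)."""
    toks = text.replace("${ip}", IP).split()
    assert toks[0] == "pass" and toks[2] == "from" and "to" in toks
    i = toks.index("to")
    src_part, dst_part = toks[3:i], toks[i + 1:]
    sport = int(src_part[1]) if len(src_part) > 1 else None  # None = any port
    dport = int(dst_part[1]) if len(dst_part) > 1 else None
    return toks[1], src_part[0], sport, dst_part[0], dport

def matches(rule, pkt):
    proto, src, sport, dst, dport = rule
    return (proto == pkt.proto
            and src in ("any", pkt.src) and (sport is None or sport == pkt.sport)
            and dst in ("any", pkt.dst) and (dport is None or dport == pkt.dport))

def first_match(rules, pkt):
    """Return the first matching rule text, or None (ipfw's default is to deny)."""
    return next((r for r in rules if matches(parse_rule(r), pkt)), None)

# The two UDP rules from the thread's rc.firewall excerpt.
ORIGINAL = ["pass udp from any to ${ip} 53", "pass udp from ${ip} 53 to any"]
# The same plus the suggested rule for resolver queries from an ephemeral port,
# and the matching rule for the answer coming back to that ephemeral port.
FIXED = ORIGINAL + ["pass udp from ${ip} to any 53", "pass udp from any 53 to ${ip}"]

# Constructed sample traffic.
RESOLVER_QUERY = Packet("udp", IP, 49152, RESOLVER, 53)     # stub resolver, port > 1024
RESOLVER_REPLY = Packet("udp", RESOLVER, 53, IP, 49152)
CLIENT_QUERY = Packet("udp", CLIENT, 40000, IP, 53)         # external client -> our named
CLIENT_ANSWER = Packet("udp", IP, 53, CLIENT, 40000)

if __name__ == "__main__":
    for name, pkt in [("resolver query", RESOLVER_QUERY), ("resolver reply", RESOLVER_REPLY),
                      ("client query", CLIENT_QUERY), ("client answer", CLIENT_ANSWER)]:
        print(f"{name:15} original={first_match(ORIGINAL, pkt)!s:35} fixed={first_match(FIXED, pkt)}")
```

The original pair only covers traffic to and from our own port 53, so a stub resolver's query from an ephemeral port (and the answer to it) never matches and falls through to the default deny.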