From owner-freebsd-questions Mon Oct 21 18:17:23 2002
From: Dan Pelleg
To: freebsd-questions@freebsd.org, Redmond Militante
Subject: RE: need help with ipfw rules
Date: Mon, 21 Oct 2002 21:16:36 -0400
Message-ID: <15796.42740.862970.400286@gs166.sp.cs.cmu.edu>

> hi all
>
> my apologies, this could get long as i'm including the text of various
> config files:
>
> i've been trying to learn ipfw. i've recompiled a kernel with the
> following options

> ipfw add allow ip from any to any

Do you really want to allow everything in, or is this just a typo? If this
rule is really in effect, the rest of the rules are not doing anything.

> ipfw add allow ip from 127.0.0.1 to 127.0.0.1 vua lo0

I'm assuming "vua" is a typo - should be "via".

> ipfw add allow udp from any to any 53
> ipfw add check-state

You're not letting DNS replies come back. You are allowing the queries to
go *out*, but when the remote server's reply packets hit the firewall they
have port 53 on the *source* address, not on the destination. So they
don't match that rule anymore and are discarded.

What you probably want instead is:

    ipfw add allow udp from any to any 53 keep-state

Another point: you're not using the "divert" rule for natd, and I see you
have NAT enabled in your rc.conf. This is likely to be a problem later
(well, you'll just not have NAT).

A very good resource for this is /etc/rc.firewall. Just try to follow what
the "CLIENT", "SIMPLE" and "OPEN" targets do, or even let them run, then
output the generated ruleset and use it as the skeleton of your own
ruleset.

Another useful debugging tool is "ipfw show" - typed repeatedly to watch
which counters increased and so to know which rules were hit. Once you get
into stateful filtering, you'll want "ipfw -d show".

Having said that, good ol' tcpdump is always handy to have around. Just
fire up "tcpdump -ni XXX" with XXX for your external interface and see
what's going out and what's coming in. Once you start firewalling for a
network, a "tcpdump -ni III" with III being the internal interface becomes
useful as well, either in itself or in addition to the external-watching
tcpdump.

-- 
Dan Pelleg
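The points above (keep-state for the DNS reply, a divert rule for natd, rc.firewall as a skeleton) put together in one ruleset, as an added example that is neither the original poster's rules nor a copy of /etc/rc.firewall. It goes a step beyond the mail by using the skipto layout that keeps dynamic state in LAN-address space when natd is in the path; interface names fxp0/fxp1 and the FWCMD variable are assumptions.

```sh
#!/bin/sh
# Added example: stateful ipfw ruleset for a small NAT gateway in the
# rc.firewall style. Assumes $1 = external interface, $2 = internal
# interface, natd on its default divert port (service name "natd"), and
# FWCMD naming the ipfw binary (set FWCMD=echo to print the rules only).

load_ruleset() {
    oif="$1"    # external interface, e.g. fxp0 (assumed name)
    iif="$2"    # internal interface, e.g. fxp1 (assumed name)
    fwcmd="${FWCMD:-/sbin/ipfw}"

    ${fwcmd} -f flush

    # Loopback (the quoted rule said "vua"; the keyword is "via").
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # The LAN side is trusted here; state is kept on the external side.
    ${fwcmd} add 400 allow ip from any to any via ${iif}

    # Inbound packets are un-NATed by natd *before* check-state, so a reply
    # to a LAN host is looked up under the LAN address its state was made with.
    ${fwcmd} add 500 divert natd ip from any to any in via ${oif}
    ${fwcmd} add 510 check-state

    # DNS: "allow udp from any to any 53" alone lets the query out but drops
    # the reply (source port 53, destination port ephemeral). keep-state
    # records the query; check-state above then admits the reply.
    # skipto 1000 hands the outbound packet to natd and sends it.
    ${fwcmd} add 600 skipto 1000 udp from any to any 53 out via ${oif} keep-state
    ${fwcmd} add 610 skipto 1000 tcp from any to any out via ${oif} setup keep-state

    # Anything not matched by state or the rules above is dropped and logged;
    # this replaces the bare "allow ip from any to any".
    ${fwcmd} add 900 deny log ip from any to any

    # Outbound packets granted state above: NAT them and let them go.
    ${fwcmd} add 1000 divert natd ip from any to any out via ${oif}
    ${fwcmd} add 1010 allow ip from any to any
}
```

Run it as `FWCMD=echo sh thisfile.sh` (after adding a `load_ruleset fxp0 fxp1` call) to review the generated rules before loading them, and use "ipfw -d show" afterwards to watch the dynamic entries appear.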