Date:      Tue, 9 Oct 2001 03:56:51 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw question - hostname/address spec?
Message-ID:  <20011009035651.N350@blossom.cjclark.org>
In-Reply-To: <20011009005629.D589@acadia.ne.mediaone.net>; from leblanc%2Bfreebsd@smtp.ne.mediaone.net on Tue, Oct 09, 2001 at 12:56:30AM -0400
References:  <20011004071834.A2458@acadia.ne.mediaone.net> <20011004135129.E297@blossom.cjclark.org> <20011009005629.D589@acadia.ne.mediaone.net>

On Tue, Oct 09, 2001 at 12:56:30AM -0400, Louis LeBlanc wrote:
> On 10/04/01 01:51 PM, Crist J. Clark sat at the `puter and typed:
> > So, if you type,
> > 
> >   % dig news.ne.mediaone.net
> > 
> > Before you run the script, it works? Even if it does, there would not
> > happen to be an 'ipfw -f flush' rule at the top of your script? Are
> > the DNS port opened up in the script before these rules with
> > hostnames? Look up the names in the script right before the rules to
> > see if they work,
> > 
> >   host $NEWS_SERVER
> >   ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 \
> >            via $EXT_INTERFACE out
> >   ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \
> >            via $EXT_INTERFACE in  established
> 
> 
> Hey Crist.  Sorry for asking for help then disappearing.
> 
> I tried your suggestions, trying also to remove some of the more
> paranoid firewall rules.  I also did an echo of the nameservers and
> IPADDR early on in the script.  Unfortunately, I am unfamiliar enough
> with ipfw, that I can't tell which rule is killing me.
> 
> Even if I simply change all name based rules to 'any', I have no
> connectivity whatsoever, even by direct ip.  If you need, I can
> provide ipfw show output, but I suspect I am giving you more than
> enough as it is.

/etc/rc.firewall would be good.

[snip]
 
> # sh /etc/rc.firewall
> Starting firewalling... 
> IPADDR: 65.96.185.189
> NAMESERVER_1: 24.218.0.229
> NAMESERVER_2: 24.218.0.228
> NAMESERVER_3: 24.128.1.81

DNS works fine here. I assume if we see rc.firewall, these are before
any 'ipfw -f flush'?

> 00100 allow ip from any to any in recv lo0
> 00200 allow ip from any to any out xmit lo0
> 00300 allow ip from 10.8.20.0/24 to any in recv fxp0
> 00400 allow ip from any to 10.8.20.0/24 out xmit fxp0
> 00500 allow ip from 209.192.210.0/24 to 65.96.185.189 in recv xl0
> 00600 allow ip from 209.58.140.0/24 to 65.96.185.189 in recv xl0
> 00700 divert 8668 ip from any to any via xl0
> 00800 deny log logamount 10 ip from 255.255.255.255 to any in recv xl0
> 00900 deny log logamount 10 ip from any to 0.0.0.0 in recv xl0
> 01000 deny log logamount 10 tcp from any to any 2049 in recv xl0 setup
> 01100 unreach host tcp from any to any 2049 out xmit xl0 setup
> 01200 deny log logamount 10 tcp from any to any 6000-6063 in recv xl0 setup
> 01300 unreach host tcp from any to any 6000-6063 out xmit xl0 setup
> 01400 deny log logamount 10 tcp from any to any 1080 in recv xl0 setup
> 01500 unreach host tcp from any to any 1080 out xmit xl0 setup
> 01600 deny log logamount 10 udp from any to any 2049 in recv xl0
> 01700 deny log logamount 10 udp from any 32769-65535 to any 33434-33523 in recv xl0
> 01800 allow udp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0
> 01900 allow udp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0
> 02000 allow tcp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0
> 02100 allow tcp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0 established
> 02200 allow udp from 65.96.185.189 1024-65535 to 24.218.0.228 53 out xmit xl0
> 02300 allow udp from 24.218.0.228 53 to 65.96.185.189 1024-65535 in recv xl0
> 02400 allow tcp from 65.96.185.189 1024-65535 to 24.218.0.228 53 out xmit xl0
> 02500 allow tcp from 24.218.0.228 53 to 65.96.185.189 1024-65535 in recv xl0 established
> 02600 allow udp from 65.96.185.189 1024-65535 to 24.128.1.81 53 out xmit xl0
> 02700 allow udp from 24.128.1.81 53 to 65.96.185.189 1024-65535 in recv xl0
> 02800 allow tcp from 65.96.185.189 1024-65535 to 24.128.1.81 53 out xmit xl0
> 02900 allow tcp from 24.128.1.81 53 to 65.96.185.189 1024-65535 in recv xl0 established
> 03000 allow tcp from any 1024-65535 to 65.96.185.189 80 in recv xl0
> 03100 allow tcp from 65.96.185.189 80 to any 1024-65535 out xmit xl0 established
> 03200 allow tcp from 65.96.185.189 1024-65535 to any 80 out xmit xl0
> 03300 allow tcp from any 80 to 65.96.185.189 1024-65535 in recv xl0 established
> 03400 allow tcp from any 1024-65535 to 65.96.185.189 443 in recv xl0
> 03500 allow tcp from 65.96.185.189 443 to any 1024-65535 out xmit xl0 established
> 03600 allow tcp from 65.96.185.189 1024-65535 to any 443 out xmit xl0
> 03700 allow tcp from any 443 to 65.96.185.189 1024-65535 in recv xl0 established
> *** Can't find server name for address 24.218.0.229: Timed out
> 
> That last is the lookup you suggested, and I can confirm that it is
> directly before the news.ne.mediaone.net rule.  The DNS servers are
> opened up for port 53 above, though (or so I think).  Is there
> something else that is killing the name lookups?

Eeewww... You used nslookup(8) to do the query. Never use
nslookup(8). nslookup(8) bad. nslookup(8) deprecated. Use host(1).

If DNS works fine once the system is up, but doesn't work when running
the rc.firewall script, it sure sounds like you are killing your own
lookups due to the rule ordering.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
                                         cjclark@jhu.edu
                                         cjc@freebsd.org
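The thread turns on first-match rule ordering: a lookup made while rc.firewall is still running is judged only by the rules installed up to that point. The replay below is an added example, not code from the thread; it parses a constructed subset of the quoted `ipfw show` listing and reports which rule decides a UDP DNS query or its reply at a chosen point in the script. The `udp()` packet helper and the `installed_through` cut-off are my own names, and the 10.0.0.53 resolver used in the test is made up.

```python
"""First-match replay of ipfw(8) rules (added example, not the thread's code).  Subset: allow/deny/
unreach/divert, ip|tcp|udp, any|A.B.C.D[/N], numeric ports, in/out, recv/xmit/via, setup/established."""
import ipaddress

def parse_rule(line):
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "flags": set(), "dir": None, "iface": None}
    i = 3 if r["action"] in ("unreach", "divert") else 2       # skip <code> / <port>
    if t[i] == "log":                                            # [log [logamount N]]
        i += 3 if t[i + 1] == "logamount" else 1
    r["proto"], r["src"], i = t[i], t[i + 2], i + 3             # t[i+1] is 'from'
    r["sport"] = t[i] if t[i][0].isdigit() else None             # else t[i] is 'to'
    i += 2 if r["sport"] else 1
    r["dst"], i = t[i], i + 1
    r["dport"] = t[i] if i < len(t) and t[i][0].isdigit() else None
    tail = t[i + 1:] if r["dport"] else t[i:]
    for k, o in enumerate(tail):                                 # direction, iface, tcp flags
        if o in ("in", "out"): r["dir"] = o
        elif o in ("recv", "xmit", "via"): r["iface"] = tail[k + 1]
        elif o in ("setup", "established"): r["flags"].add(o)
    return r

def _addr(spec, ip):                      # 'any', A.B.C.D or A.B.C.D/N
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port(spec, port):                    # None (any port), "53" or "1024-65535"
    lo, _, hi = (spec or "0-65535").partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(r, p):
    return (r["proto"] in ("ip", p["proto"]) and _addr(r["src"], p["src"]) and _addr(r["dst"], p["dst"])
            and _port(r["sport"], p["sport"]) and _port(r["dport"], p["dport"]) and r["flags"] <= p["flags"]
            and r["dir"] in (None, p["dir"]) and r["iface"] in (None, p["iface"]))

def first_match(rules, pkt, installed_through=None):
    """(num, action) of the first terminal match among rules numbered <= installed_through
    (None = all rules); None means the packet falls through to the kernel's default rule 65535."""
    for r in (r for r in rules if installed_through is None or r["num"] <= installed_through):
        if matches(r, pkt) and r["action"] != "divert":          # divert -> natd, search continues
            return r["num"], r["action"]
    return None

def udp(src, sport, dst, dport, direction):   # constructed UDP packet on xl0, not a capture
    return dict(proto="udp", src=src, sport=sport, dst=dst, dport=dport, dir=direction, iface="xl0", flags=set())

RULES = [parse_rule(l) for l in """
00700 divert 8668 ip from any to any via xl0
01700 deny log logamount 10 udp from any 32769-65535 to any 33434-33523 in recv xl0
01800 allow udp from 65.96.185.189 1024-65535 to 24.218.0.229 53 out xmit xl0
01900 allow udp from 24.218.0.229 53 to 65.96.185.189 1024-65535 in recv xl0
""".splitlines() if l.strip()]                # constructed subset of the listing above, in order
```

With `installed_through=1700` the same query that rule 1800 allows falls through to the default rule, which is what a hostname rule placed before the DNS rules in the script would see.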
