From owner-freebsd-net@FreeBSD.ORG Tue Jul 13 15:55:48 2004
From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: questions@FreeBSD.org
cc: net@FreeBSD.org
Date: Tue, 13 Jul 2004 11:55:36 -0400
Subject: allowing the LAN direct access to outside DNS with ipfw
Message-Id: <200407131155.36985@misha-mx.virtual-estates.net>
List-Id: Networking and TCP/IP with FreeBSD

Hello!

I'm using the `simple' template in /etc/rc.firewall to allow the LAN to access the Internet from behind the firewall (FreeBSD-stable).
There is a rule there:

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any to any 53 keep-state

and, indeed, the firewall machine itself has no problems accessing the outside name servers. However, when the LAN machine(s) try it, the queries time out, while the firewall machine logs the following:

    ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0

All HOWTOs out there imply running a local nameserver on the firewall machine. Is there a way to go without that, but also without opening the firewall up to _all_ UDP packets which happen to originate from port 53?

What's the meaning of the "keep-state" clause in the rule above? I thought it "magically" allows DNS responses to come back only, but that does not work...

Thank you!

	-mi
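As an added example (not part of the original post or of FreeBSD), a small parser for the ipfw log line format quoted above that counts denied inbound DNS replies per rule number and LAN host, so the rule that is dropping the answers can be identified from the logs. The outside interface de0 and the LAN network 192.168.1.0/24 are inferred from the post; the syslog prefixes and the extra log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# ipfw log format as quoted in the post: ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_LINE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_line(line):
    """Parse one ipfw syslog line into a dict; None if it is not an ipfw record."""
    m = IPFW_LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def is_blocked_dns_reply(rec, outside_iface, lan_net):
    """UDP from port 53, denied inbound on the outside interface, addressed to a LAN host."""
    if rec is None or rec["action"] != "Deny" or rec["proto"] != "UDP":
        return False
    if rec["sport"] != 53 or rec["direction"] != "in" or rec["iface"] != outside_iface:
        return False
    try:
        return ipaddress.ip_address(rec["dst"]) in lan_net
    except ValueError:  # destination is not a literal address
        return False

def summarize_blocked_dns_replies(lines, outside_iface="de0", lan_net="192.168.1.0/24"):
    """Count denied DNS replies per (rule number, LAN host) so the blocking rule stands out."""
    net = ipaddress.ip_network(lan_net)
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if is_blocked_dns_reply(rec, outside_iface, net):
            counts[(rec["rule"], rec["dst"])] += 1
    return counts

# Constructed sample: the first record is the line quoted in the post (name server address is the poster's placeholder).
SAMPLE_LOG = [
    "Jul 13 11:55:00 fw /kernel: ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0",
    "Jul 13 11:55:01 fw /kernel: ipfw: 3400 Deny UDP 198.51.100.53:53 192.168.1.7:2048 in via de0",
    "Jul 13 11:55:02 fw /kernel: ipfw: 3300 Accept UDP 192.168.1.3:1333 198.51.100.53:53 out via de0",
    "Jul 13 11:55:03 fw /kernel: ipfw: 3400 Deny TCP 192.168.1.3:4000 198.51.100.53:80 in via rl0",
]
```

Running `summarize_blocked_dns_replies(SAMPLE_LOG)` over the sample yields one denied reply each for 192.168.1.3 and 192.168.1.7, both at rule 3400; the accepted outbound query and the TCP deny on the inside interface are ignored.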