Date: Wed, 26 Dec 2001 22:43:50 +0100
From: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>
To: security@freebsd.org
Subject: Re: Help with ipfw rules to allow DNS queries through
Message-ID: <5.1.0.14.0.20011226223958.01f4dd30@thedarkside.nl>
In-Reply-To: <20011226205648.87285.qmail@web11801.mail.yahoo.com>
References: <00ea01c18e4b$19edf0c0$3028680a@tgt.com>
At 21:56 26-12-2001, you wrote something

I was reading your mailing and the pasted rules below, and saw two things which might form the problem->solution.

You were saying you're using /etc/resolv.conf for your own lookups. This means that your lookups are NOT from source port 53. This only applies when you use your own nameserver as resolver. So the rule

pass udp from ${ip} 53 to any

doesn't apply, since you're using source port >1024. I would use

pass udp from ${ip} to any 53.

Hope this helps,

P. de Boer

>Hmmm. However, I can access another DNS server as a
>client with the default open rule set, but not with this set in place.
>This makes me think that NAT is *not* the problem. I would also like to
>get set up as a primary and/or secondary DNS server (going to set up a
>swap with a friend, the usual low rent DNS set up ;-), so just
>accessing an external name server as a client is not the ultimate goal.
>I would also like to allow others to access my machine as a DNS server,
>and to be authoritative on some domains. Any suggestions?
<cut>
> > # Allow access to our DNS
> > ${fwcmd} add pass tcp from any to ${ip} 53 setup
> > ${fwcmd} add pass udp from any to ${ip} 53
> > ${fwcmd} add pass udp from ${ip} 53 to any
<cut>
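The point of the reply, that a resolver query leaves from an ephemeral source port and so never matches `pass udp from ${ip} 53 to any`, can be checked with a small first-match rule evaluator in the style of ipfw. This is an added illustration, not code from the mail thread or from FreeBSD; the addresses are constructed from RFC 5737 documentation ranges, and the fourth rule (letting the answer back in to the ephemeral port) is my addition, not something the reply stated.

```python
# Tiny first-match evaluator for "pass udp from <src> [port] to <dst> [port]"
# style rules; the implicit last rule is deny, as in ipfw.
from typing import NamedTuple, Optional

IP = "192.0.2.10"  # stands in for ${ip}, the firewall's own address (constructed)

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Rule(NamedTuple):
    action: str            # "pass" or "deny"
    proto: str             # "udp", "tcp" or "ip" (matches anything)
    src: str               # address or "any"
    sport: Optional[int]   # None means any port
    dst: str
    dport: Optional[int]

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.sport in (None, pkt.sport)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))

def verdict(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule, or "deny" if none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# The UDP rules quoted in the thread: they only describe the *server* side of DNS.
ORIGINAL = [
    Rule("pass", "udp", "any", None, IP, 53),   # queries arriving at our server
    Rule("pass", "udp", IP, 53, "any", None),   # answers leaving our server
]
# The reply's suggestion (client queries out), plus my assumed return rule so the
# answer can reach the ephemeral port the query was sent from.
FIXED = ORIGINAL + [
    Rule("pass", "udp", IP, None, "any", 53),
    Rule("pass", "udp", "any", 53, IP, None),
]

# Constructed traffic: the resolver library asking an external server and its answer,
# and a remote client querying our server.
CLIENT_QUERY = Packet("udp", IP, 49152, "198.51.100.53", 53)
CLIENT_REPLY = Packet("udp", "198.51.100.53", 53, IP, 49152)
INBOUND_QUERY = Packet("udp", "203.0.113.7", 40000, IP, 53)
```

`verdict(ORIGINAL, CLIENT_QUERY)` falls through to the implicit deny, while `verdict(FIXED, CLIENT_QUERY)` passes; the inbound server query passes under both sets.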