From owner-freebsd-security  Sun Nov 19 14:50:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 2FBE937B479 for ; Sun, 19 Nov 2000 14:50:46 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 19 Nov 2000 14:46:53 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eAJMmI422933; Sun, 19 Nov 2000 14:48:18 -0800 (PST) (envelope-from cjc)
Date: Sun, 19 Nov 2000 14:48:17 -0800
From: "Crist J . Clark"
To: Sam Carleton
Cc: "security@FreeBSD.ORG"
Subject: Re: help setting up a filewall
Message-ID: <20001119144817.A12190@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <3A16C44B.4DEC2492@bigfoot.com> <20001118155447.K9740@149.211.6.64.reflexcom.com> <3A1833F4.A2A25FBC@bigfoot.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3A1833F4.A2A25FBC@bigfoot.com>; from scarleton@bigfoot.com on Sun, Nov 19, 2000 at 03:11:32PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Nov 19, 2000 at 03:11:32PM -0500, Sam Carleton wrote:
> "Crist J . Clark" wrote:

[snip]

> > > Attached you will find my modifications to the rc.firewall script and
> > > relevant snips of rc.conf. If you have any thoughts on what I am doing
> > > wrong, please drop me an email. Thanks!
> >
> > A few nitpicks about your ruleset, but nothing absolutely leaped out
> > at me as a problem that would totally break everything. Since you did
> > not tell us exactly what kind of problem you are having, it's hard to
> > know what to look for.
>
> Well, the problem I am currently having is with DNS. The test environment that I have set up is such that
> there is no DNS server behind the FreeBSD firewall. The machine inside the firewall is not able to get a
> DNS request out. To make things more interesting, while booting the FreeBSD firewall, the rc.firewall
> script ALWAYS hangs on the two DNS lines.
>
> # Allow DNS queries out in the world
> ${fwcmd} add pass udp from ${iif} to any 53 keep-state
> ${fwcmd} add pass tcp from ${iif} to any 53 keep-state

You are using interface names where you should be using a hostname or
IP address. It is probably hanging trying to do the DNS lookup on the
hostname 'xl1.' You want,

  ${fwcmd} add pass udp from ${inet}:${imask} to any 53 keep-state
  ${fwcmd} add pass tcp from ${inet}:${imask} to any 53 keep-state

But this is not going to work unless you add a check-state rule. How
about checking right where we do the stateless pass of "established"
connections.

[snip]
> [Ss][Ii][Mm][Pp][Ll][Ee])
[snip]

  # Allow established, dynamic connections
  ${fwcmd} add check-state

> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established
>
> # Allow IP fragments to pass through
> ${fwcmd} add pass all from any to any frag

[snip]
--
Crist J. Clark                          cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
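The fix described in the reply, as an added example that is not part of the original message or of FreeBSD's rc.firewall: a small sh script with a dry-run `fwcmd` that emits `check-state` ahead of the `keep-state` DNS rules, uses a numeric `${inet}:${imask}` source (the address and mask values are constructed samples), and refuses interface-name-like values before `ipfw` is ever invoked, so the hostname-lookup hang cannot happen at boot.

```sh
#!/bin/sh
# Added example (not from the original message). Sample address and mask
# are constructed; rc.firewall's real values come from rc.conf.
fwcmd="${fwcmd:-echo ipfw}"   # dry run: print the rules instead of loading them
inet="192.168.1.1"            # constructed: address on the inside interface
imask="255.255.255.0"         # constructed: netmask of the inside network

# Reject anything that is not a dotted quad. An interface name such as "xl1"
# in an address slot makes ipfw attempt a hostname lookup, which is what
# hung the boot in the thread.
is_dotted_quad() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest="$1"
    dots=0
    while [ "${rest#*.}" != "$rest" ]; do
        rest="${rest#*.}"
        dots=$((dots + 1))
    done
    [ "$dots" -eq 3 ]
}

# Emit the rules in the order the reply recommends: check-state first, so the
# dynamic rules created by keep-state are consulted at all, then the DNS rules
# with a numeric address:mask as the source.
emit_dns_rules() {
    # Allow established, dynamic connections
    ${fwcmd} add check-state
    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established
    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from ${inet}:${imask} to any 53 keep-state
    ${fwcmd} add pass tcp from ${inet}:${imask} to any 53 keep-state
}

if ! is_dotted_quad "$inet" || ! is_dotted_quad "$imask"; then
    echo "inet/imask must be numeric, not an interface name" >&2
    exit 1
fi
emit_dns_rules
```

Run it as-is to see the rule text; set `fwcmd=/sbin/ipfw` on a FreeBSD host to load the rules for real.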