Date: Sun, 27 Oct 2002 17:06:33 +0100
From: Ruben de Groot
To: sroberts@dsl.pipex.com
Cc: FreeBSD Questions
Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]
Message-ID: <20021027160633.GA12903@ei.bzerk.org>
In-Reply-To: <1035732248.394.22.camel@Demon.vickiandstacey.com>

On Sun, Oct 27, 2002 at 03:24:07PM +0000, Stacey Roberts typed:
> Hello,
>    I don't know if this is related to post earlier today [FBSD 4.7
> reset itself - lots of "DENY UDP" messages in /var/log/security], but
> I've been trying to troubleshoot the "DENY" messages in
> /var/log/security using dig:
>
> # dig . ns @b.root-servers.net
>
> ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection
> refused
> #
> I get connection refused for this. Checking security:
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381
> 128.9.0.107:53 out via sis0
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382
> 128.9.0.107:53 out via sis0
> #
>
> Verifying relevant ipfw rules:
> # Allow out access to Internet Domain name server
> $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> keep-state
> $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> keep-state

This last rule is bogus. From ipfw(8):

     setup   Matches TCP packets that have the SYN bit set but no ACK bit.
             This is the short form of ``tcpflags syn,!ack''.

"setup" is not supposed to work for UDP packets. There is no handshake as
in TCP connections.

>
> Checking ipfw rule 910:
> $fwcmd add 00910 deny log logamount 500 ip from any to any
>
> Why am I not able to query root servers, given my rules 00618 & 00619?
>
> I'd appreciate someone helping me out here (or hitting me over the
> head if I'm missing something simple and glaringly obvious)
>
> TIA
>
> Stacey
>
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
>
> Web: www.vickiandstacey.com
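
A small lint for the mistake pointed out in the reply above, as an added example that is not part of the original message: it scans rc.firewall-style `add` lines and reports any rule that uses the TCP-only `setup` keyword with a protocol other than tcp. The function names are hypothetical, it assumes one rule per line, and the sample input is the rules quoted in the thread plus one constructed rule (00620, the UDP rule without `setup`).

```shell
#!/bin/sh
# Added example: find ipfw rules that combine "setup" (SYN set, ACK clear)
# with a non-TCP protocol, as in rule 00619 from the thread.

# lint_ipfw_setup (hypothetical helper): reads rule lines on stdin and
# prints "<rule number> <protocol>" for each offending rule. A rule
# without an explicit number is reported with "-" as its number.
lint_ipfw_setup() {
    awk '
    {
        sub(/#.*/, "")                 # drop comments; $0 is re-split
        add = 0
        for (i = 1; i <= NF; i++) if ($i == "add") { add = i; break }
        if (!add) next                 # not an "ipfw add" line
        num = ($(add + 1) ~ /^[0-9]+$/) ? $(add + 1) : "-"
        proto = ""; has_setup = 0
        for (i = add + 2; i <= NF; i++) {
            # The protocol is the word immediately before "from".
            if ($i == "from" && proto == "") proto = $(i - 1)
            if ($i == "setup") has_setup = 1
        }
        if (has_setup && proto != "" && proto != "tcp") print num, proto
    }'
}

# Constructed sample: rules 00618, 00619 and 00910 as quoted in the thread,
# plus 00620, a constructed variant of 00619 with "setup" removed.
sample_rules() {
    cat <<'EOF'
# Allow out access to Internet Domain name server
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
$fwcmd add 00620 allow udp from any to any 53 out via $oif keep-state
$fwcmd add 00910 deny log logamount 500 ip from any to any
EOF
}

sample_rules | lint_ipfw_setup
```

Only rule 00619 is reported; the TCP rule 00618 and the `setup`-free UDP rule 00620 pass.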