From owner-freebsd-questions Sun Oct 27 11:10:48 2002
Date: Sun, 27 Oct 2002 20:09:57 +0200
From: "D. Penev"
To: sroberts@dsl.pipex.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security
Message-ID: <20021027180957.GB240@earth.dpsca.bg>
In-Reply-To: <1035743359.65564.12.camel@Demon.vickiandstacey.com>
References: <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org> <1035743359.65564.12.camel@Demon.vickiandstacey.com>
User-Agent: Mutt/1.4i

On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
>Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY?
> [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in
> /var/log/security
>From: Stacey Roberts
>To: Ruben de Groot
>Cc: sroberts@dsl.pipex.com,
> FreeBSD Questions
>Date: 27 Oct 2002 18:29:16 +0000
>
>Okay,
> I've been hacking about with my ipfw rules in order to nail this
>down, but I'm still coming up against a wall here.
>
>I've made this change:
># Allow out access to Internet Domain name server
>$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
>keep-state
>#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
>keep-state <====
>$fwcmd add 00618 allow udp from any to any 53 out via $oif

You forgot keep-state. Your rule should be:

$fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state

> ^
> |
> PUT THIS IN INSTEAD
>
>Now I try to query a root-server, I still get stopped by the firewall:
># date
>Sun Oct 27 18:19:35 GMT 2002
># dig . ns @b.root-servers.net
>
>; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
>; (1 server found)
>;; res options: init recurs defnam dnsrch
>;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed
>out
>
>Checking logs:
># tail /var/log/security
>
>Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
>192.168.1.8:1642 in via sis0
>#
>
>The previous poster (see below) informed me that using setup /
>keep-state with udp is wrong. Given the changes I've made above, what
>are the magic statements to allow me to query the root servers and allow
>their responses back in?
>
>TIA
>Stacey
>
>On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
>
>> >
>> > Verifying relevant ipfw rules:
>> > # Allow out access to Internet Domain name server
>> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
>> > keep-state
>> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
>> > keep-state
>>
>> This last rule is bogus. From ipfw(8):
>>
>> setup Matches TCP packets that have the SYN bit set but no ACK bit.
>> This is the short form of ``tcpflags syn,!ack''.
>>
>> "setup" is not supposed to work for UDP packets. There is no handshake as
>> in tcp connections.
>>
>> >
>> > Checking ipfw rule 910:
>> > $fwcmd add 00910 deny log logamount 500 ip from any to any
>> >
>> > Why am I not able to query root servers, given my rules 00618 & 00619?
>> >
>> > I'd appreciate someone helping me out here. (or hitting me over the
>> > head if I'm missing something simple and glaringly obvious)
>> >
>> > TIA
>> >
>> > Stacey
>> >
>> > --
>> > Stacey Roberts
>> > B.Sc (HONS) Computer Science
>> >
>> > Web: www.vickiandstacey.com
>> >
>--
>Stacey Roberts
>B.Sc (HONS) Computer Science
>
>Web: www.vickiandstacey.com
>
--
Regards,
D. Penev

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
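The point of the thread, shown as an added toy model rather than anything from the list or from ipfw itself: a parser for the `ipfw: ... Deny UDP ... in via sis0` lines that land in /var/log/security, plus a minimal simulation of static matching versus keep-state dynamic rules. The rule dictionaries, the `dns_round_trip` helper and the sample log line are assumptions constructed for this example; the addresses are the ones quoted in the thread.

```python
import re

# Constructed deny line in the format ipfw(8) on FreeBSD 4.x writes to /var/log/security.
SAMPLE_DENY = ("Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP "
               "128.9.0.107:53 192.168.1.8:1642 in via sis0")
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
                    r"(?P<dir>in|out) via (?P<iface>\S+)")

def parse_ipfw_log(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry

def dropped_dns_reply(entry):
    """An inbound UDP datagram from port 53 to a high port being denied is the
    symptom of an outbound DNS rule that created no dynamic (keep-state) entry."""
    return (entry is not None and entry["action"] == "Deny" and entry["proto"] == "UDP"
            and entry["dir"] == "in" and entry["sport"] == 53 and entry["dport"] >= 1024)

def rule_matches(rule, pkt):
    """Static match of one rule (toy model). 'setup' is shorthand for
    'tcpflags syn,!ack', so it only matches a TCP SYN and never a UDP datagram."""
    if rule.get("setup") and not (pkt["proto"] == "TCP" and pkt.get("syn") and not pkt.get("ack")):
        return False
    return rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"] and rule["dir"] == pkt["dir"]

def dns_round_trip(rule):
    """Push a UDP root-server query through `rule`, then ask whether the reply
    is let back in by the dynamic entry keep-state would have created.
    Returns (query_allowed, reply_allowed)."""
    dynamic = set()
    query = {"proto": "UDP", "src": "192.168.1.8", "sport": 1642,
             "dst": "128.9.0.107", "dport": 53, "dir": "out"}
    reply = {"proto": "UDP", "src": "128.9.0.107", "sport": 53,
             "dst": "192.168.1.8", "dport": 1642, "dir": "in"}
    query_ok = rule_matches(rule, query)
    if query_ok and rule.get("keep_state"):
        dynamic.add((query["proto"], query["src"], query["sport"], query["dst"], query["dport"]))
    # check-state semantics: an inbound packet passes if it reverses a recorded tuple.
    reply_ok = (reply["proto"], reply["dst"], reply["dport"], reply["src"], reply["sport"]) in dynamic
    return query_ok, reply_ok

# The three rule variants discussed in the thread, as toy rule records.
BOGUS = {"proto": "UDP", "dport": 53, "dir": "out", "setup": True, "keep_state": True}
NO_STATE = {"proto": "UDP", "dport": 53, "dir": "out"}
FIXED = {"proto": "UDP", "dport": 53, "dir": "out", "keep_state": True}
```

Only `FIXED` lets both the query out and the reply back in; `NO_STATE` passes the query but leaves the reply to fall through to the logging deny rule, which is exactly the log line above.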