From owner-freebsd-current Thu Jun 27 23:02:40 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA10236 for current-outgoing; Thu, 27 Jun 1996 23:02:40 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.sri.MT.net [204.182.243.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA10228; Thu, 27 Jun 1996 23:02:36 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id AAA13869; Fri, 28 Jun 1996 00:02:33 -0600 (MDT)
Date: Fri, 28 Jun 1996 00:02:33 -0600 (MDT)
Message-Id: <199606280602.AAA13869@rocky.mt.sri.com>
From: Nate Williams
To: Poul-Henning Kamp
Cc: Nate Williams, current@freebsd.org
Subject: Re: IPFW bugs?
In-Reply-To: <2910.835941172@critter.tfs.com>
References: <199606280537.XAA13666@rocky.mt.sri.com> <2910.835941172@critter.tfs.com>
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Poul-Henning Kamp writes:
> In message <199606280537.XAA13666@rocky.mt.sri.com>, Nate Williams writes:
> >
> >> DNS: port 123 is NTP, DNS is port 53 (duh! <:-)
> >
> >Yeah, and your point is?  See the comments above the lines, it explains
> >that 123 is NTP.  The problem is that DNS/udp wasn't enabled, yet once I
> >enabled NTP/all DNS worked, and when I disabled NTP/all DNS quit
> >working.  Why is that?
>
> Your email listed rules saying "123" in a context where you complain
> about DNS.  :-)

Go re-read it.  I'll repeat the two rules again out of my original email,
for the seeing impaired.

# Allow SSH/SMTP/DNS/POP3 connections to/from anywhere
ipfw add 20 pass tcp from any to any 22,25,53,110 via $1

That's the DNS line:

# Allow NTP stuff through
ipfw add pass all from any 123 to any via $1
ipfw add pass all from any to any 123 via $1

And there's the NTP line.  No confusion except in your reading of it.

> >The pilot has a pretty good idea what he's doing.
>
> didn't look like it :-)  At least not for the DNS part :-)

I think the err is in your reading.

> >Given the following output.
>
> Remember that the default is "Allow nothing"
>
> You will probably want to have
>
> allow all from 127.0.0.1 to 127.0.0.1 via lo0
>
> in there somewhere...  (if your 123 was a typo, this could be why your
> DNS fails.)

Umm, that's irrelevant.  My DNS server is remote, not local.  I'm not
trying to send anything out via lo0, so why bring this up?

> It's certainly a bug that you have rules with the same number, that
> looks VERY weird to me, also where was your 65535 block all rule ?

I set them to be the same #.  Should I not?

> >I can telnet/login/ftp/etc.. *from* non-local machines to this box.  Why
> >is that?
>
> Add "log" to all rules and see which number lets you through.

Ahh, I didn't realize you could 'log' accept rules.  I'll do that.


Nate
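As an added example (not code from this mail or from FreeBSD's ipfw), here is a toy first-match evaluator over the three rules quoted above, with "log" added to each as suggested: it reports which rule number admits a constructed packet, or that the implicit deny-everything rule 65535 caught it. It assumes ipfw's behaviour of numbering an unnumbered rule 100 past the previous one and of keeping same-numbered rules in the order they were added.

```python
import re

# Grammar of the rules quoted in the mail (port lists, optional number and "log").
RULE = re.compile(r"ipfw add (?:(\d+) )?(\w+) (log )?(\w+) from any(?: ([\d,]+))?"
                  r" to any(?: ([\d,]+))?(?: via \S+)?$")

def ports(s):
    """'22,25,53,110' -> {22, 25, 53, 110}; no port list means any port (empty set)."""
    return {int(p) for p in s.split(",")} if s else set()

def load(lines, step=100):
    """Parse rules into dicts, numbering unnumbered ones as ipfw does
    (assumed here: previous number + 100), then sort by number; the sort is
    stable, so rules sharing a number keep the order they were added in."""
    rules, last = [], 0
    for line in lines:
        m = RULE.match(line)
        assert m, "unsupported rule syntax: " + line
        num, action, log, proto, sp, dp = m.groups()
        last = int(num) if num else last + step
        rules.append({"number": last, "action": action, "log": bool(log),
                      "proto": proto, "sports": ports(sp), "dports": ports(dp)})
    return sorted(rules, key=lambda r: r["number"])

def evaluate(rules, proto, sport, dport, hits=None):
    """First match wins; with no match the implicit rule 65535 denies everything
    (the "default is Allow nothing" point made in the thread).  A matching rule
    that carries "log" is appended to hits, which is what adding "log" to every
    rule is for: it shows which number actually lets a packet through."""
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if r["sports"] and sport not in r["sports"]:
            continue
        if r["dports"] and dport not in r["dports"]:
            continue
        if r["log"] and hits is not None:
            hits.append((r["number"], r["action"], proto, sport, dport))
        return r["action"], r["number"]
    return "deny", 65535

# The three rules quoted in the mail, each with "log" added as suggested.
RULES = load([
    "ipfw add 20 pass log tcp from any to any 22,25,53,110 via $1",
    "ipfw add pass log all from any 123 to any via $1",
    "ipfw add pass log all from any to any 123 via $1",
])
```

Run against a constructed UDP query from an ephemeral port to port 53, the evaluator falls through to the implicit deny, while the same query over TCP is admitted by rule 20.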