Date:      Fri, 28 Jun 1996 00:02:33 -0600 (MDT)
From:      Nate Williams <nate@mt.sri.com>
To:        Poul-Henning Kamp <phk@freebsd.org>
Cc:        Nate Williams <nate@mt.sri.com>, current@freebsd.org
Subject:   Re: IPFW bugs? 
Message-ID:  <199606280602.AAA13869@rocky.mt.sri.com>
In-Reply-To: <2910.835941172@critter.tfs.com>
References:  <199606280537.XAA13666@rocky.mt.sri.com> <2910.835941172@critter.tfs.com>

Poul-Henning Kamp writes:
> In message <199606280537.XAA13666@rocky.mt.sri.com>, Nate Williams writes:
> >
> >> DNS:  port 123 is NTP, DNS is port 53  (duh!  <:-)
> >
> >Yeah, and your point is?  See the comments above the lines, it explains
> >that 123 is NTP.  The problem is that DNS/udp wasn't enabled, yet once I
> >enabled NTP/all DNS worked, and when I disabled NTP/all DNS quit
> >working.  Why is that?
> 
> Your email listed rules saying "123" in a context where you complain
> about DNS.  :-)

Go re-read it.

I'll repeat the two rules again out of my original email, for the
seeing-impaired.

# Allow SSH/SMTP/DNS/POP3 connections to/from anywhere
ipfw add  20 pass tcp from any to any 22,25,53,110 via $1

That's the DNS line.

# Allow NTP stuff through
ipfw add pass all from any 123 to any via $1
ipfw add pass all from any to any 123 via $1

And there's the NTP line.  No confusion except in your reading of it.

> >The pilot has a pretty good idea what he's doing.
> didn't look like it :-)  At least not for the DNS part :-)

I think the error is in your reading.

> >Given the following output.
> 
> Remember that the default is "Allow nothing"
> 
> You will probably want to have
> 
> 	allow all from 127.0.0.1 to 127.0.0.1 via lo0
> 
> in there somewhere...  (if your 123 was a typo, this could be why your
> DNS fails.)

Umm, that's irrelevant.  My DNS server is remote, not local.  I'm not
trying to send anything out via lo0, so why bring this up?

> It's certainly a bug that you have rules with the same number, that
> looks VERY weird to me, also where was your 65535 block all rule ?

I set them to be the same #.  Should I not?

> >I can telnet/login/ftp/etc.. *from* non-local machines to this box.  Why
> >is that?
> 
> Add "log" to all rules and see which number lets you through.

Ahh, I didn't realize you could 'log' accept rules.  I'll do that.

Nate
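As an added illustration (editor's example, not part of the thread and not ipfw's own code): a small Python model of ipfw-style first-match rule evaluation, fed the rules quoted above plus the implicit default-deny rule 65535 that the thread mentions. It returns the number of the first matching rule for each packet, which is what adding "log" to every rule would show in the logs. The interface name "ed0", the addresses, and the ephemeral ports are constructed; the two NTP rules are given the same number, as Nate says he set them, and are assumed to be checked in the order they were added. Under these rules a TCP query to port 53 passes on rule 20, a UDP query to port 53 from an ephemeral source port falls through to the default deny, and only packets with 123 as source or destination port are passed by the NTP rules; a loopback packet matches nothing because every pass rule is restricted with "via".

```python
# Added example: minimal model of ipfw first-match evaluation over the
# rules quoted in the thread. This is not ipfw's code and not a full
# parser of ipfw syntax; it only models proto/ports/interface matching.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: "via $1" in the posted rules is the outside interface; the
# thread never names it, so "ed0" is a stand-in.
IFACE = "ed0"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    iface: str            # interface the packet traverses


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "pass" or "deny"
    proto: str                  # "tcp", "udp", or "all"
    sports: frozenset           # empty set = any source port
    dports: frozenset           # empty set = any destination port
    iface: Optional[str]        # None = not restricted with "via"

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.sports and p.sport not in self.sports:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        return True


# The rules from the original e-mail, in the order posted, followed by the
# default rule 65535 ("Allow nothing", as the thread puts it).
RULES: List[Rule] = [
    # ipfw add 20 pass tcp from any to any 22,25,53,110 via $1
    Rule(20, "pass", "tcp", frozenset(), frozenset({22, 25, 53, 110}), IFACE),
    # ipfw add pass all from any 123 to any via $1   (same number as next, per Nate)
    Rule(100, "pass", "all", frozenset({123}), frozenset(), IFACE),
    # ipfw add pass all from any to any 123 via $1
    Rule(100, "pass", "all", frozenset(), frozenset({123}), IFACE),
    # implicit final rule
    Rule(65535, "deny", "all", frozenset(), frozenset(), None),
]


def evaluate(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches p.

    The rule number is what 'log' on every rule would record for this packet."""
    for r in rules:
        if r.matches(p):
            return r.action, r.number
    raise AssertionError("rule 65535 matches everything; unreachable")


def dns_scenarios(with_ntp_rules: bool = True) -> Dict[str, Tuple[str, int]]:
    """Evaluate constructed DNS/NTP packets, with or without the two NTP rules."""
    rules = RULES if with_ntp_rules else [r for r in RULES if r.number != 100]
    # Constructed sample traffic: 10.0.0.2 is the firewall host, 192.0.2.53 a
    # remote DNS server, 192.0.2.123 a remote NTP server (all made up).
    packets = {
        "dns_tcp_query": Packet("tcp", "10.0.0.2", 1025, "192.0.2.53", 53, IFACE),
        "dns_udp_query": Packet("udp", "10.0.0.2", 1025, "192.0.2.53", 53, IFACE),
        "dns_udp_reply": Packet("udp", "192.0.2.53", 53, "10.0.0.2", 1025, IFACE),
        "ntp_query": Packet("udp", "10.0.0.2", 123, "192.0.2.123", 123, IFACE),
        # UDP to port 53 but sourced from 123: hits the NTP rule, not rule 20
        "udp_from_123_to_53": Packet("udp", "10.0.0.2", 123, "192.0.2.53", 53, IFACE),
        # loopback traffic: no rule says "via lo0", so it falls to 65535
        "loopback_dns": Packet("udp", "127.0.0.1", 1026, "127.0.0.1", 53, "lo0"),
    }
    return {name: evaluate(pkt, rules) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, number) in dns_scenarios().items():
        print(f"{name:20s} -> {action} (rule {number})")
```

Removing the NTP rules (`dns_scenarios(with_ntp_rules=False)`) changes only the packets that carry port 123 on one side; the UDP DNS query and reply hit rule 65535 either way, so the model alone does not account for the behaviour reported in the thread, which is exactly why logging every rule is the right next step.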