Date:      Sun, 27 Oct 2002 17:06:33 +0100
From:      Ruben de Groot <fbsd-q@bzerk.org>
To:        sroberts@dsl.pipex.com
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security
Message-ID:  <20021027160633.GA12903@ei.bzerk.org>
In-Reply-To: <1035732248.394.22.camel@Demon.vickiandstacey.com>
References:  <1035732248.394.22.camel@Demon.vickiandstacey.com>

On Sun, Oct 27, 2002 at 03:24:07PM +0000, Stacey Roberts typed:
> Hello,
>      I don't know if this is related to my post earlier today [FBSD 4.7
> reset itself - lots of "DENY UDP" messages in /var/log/security], but
> I've been trying to troubleshoot the "DENY" messages in
> /var/log/security using dig:
> 
> # dig . ns @b.root-servers.net
> 
> ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server b.root-servers.net  128.9.0.107: Connection refused
> # 
> I get connection refused for this. Checking security:
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP <snip>:1381 128.9.0.107:53 out via sis0
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1<snip>:1382 128.9.0.107:53 out via sis0
> # 
> 
> Verifying relevant ipfw rules:
> # Allow out access to Internet Domain name server
> $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
> $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state

This last rule is bogus. From ipfw(8):

     setup   Matches TCP packets that have the SYN bit set but no ACK bit.
             This is the short form of ``tcpflags syn,!ack''.

"setup" is not supposed to work for UDP packets. There is no handshake as
in TCP connections.


> 
> Checking ipfw rule 910:
> $fwcmd add 00910 deny log logamount 500 ip from any to any
> 
> Why am I not able to query root servers, given my rules 00618 & 00619? 
> 
> I'd appreciate someone helping me out here (or hitting me over the
> head if I'm missing something simple and glaringly obvious).
> 
> TIA 
> 
> Stacey
> 
> 
> 
> -- 
> Stacey Roberts
> B.Sc (HONS) Computer Science
> 
> Web: www.vickiandstacey.com
> 

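The mechanics behind Ruben's answer, as an added example that is not part of the thread and not FreeBSD's own code: a small Python model of ipfw first-match evaluation covering only the keywords the quoted rules use (protocol, destination port, in/out, via, setup, keep-state, log). It assumes $oif expands to sis0, the interface named in the log lines, and drops the $fwcmd prefix. A lint function flags any rule that pairs `setup` with a non-TCP protocol, and `first_match` shows the outbound UDP query to 128.9.0.107:53 falling past rule 00619 to the 00910 deny with the rules as posted, and being allowed by 00619 once `setup` is removed from the UDP rule.

```python
"""Simplified model of ipfw first-match rule evaluation (added example,
not FreeBSD code). Only the keywords used in the quoted rules are modelled."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules as posted in the thread, $fwcmd dropped and $oif assumed to be sis0
# (the interface in the log lines). 00619 pairs 'setup' with UDP.
RULES_AS_POSTED = [
    "add 00618 allow tcp from any to any 53 out via sis0 setup keep-state",
    "add 00619 allow udp from any to any 53 out via sis0 setup keep-state",
    "add 00910 deny log logamount 500 ip from any to any",
]

# The fix: drop 'setup' from the UDP rule. 'keep-state' alone creates the
# dynamic rule that lets the name server's reply back in.
RULES_CORRECTED = [
    "add 00618 allow tcp from any to any 53 out via sis0 setup keep-state",
    "add 00619 allow udp from any to any 53 out via sis0 keep-state",
    "add 00910 deny log logamount 500 ip from any to any",
]


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    dst_port: int
    direction: str      # "in" or "out"
    iface: str
    syn: bool = False   # TCP flags; UDP has none, so they stay False
    ack: bool = False


@dataclass
class Rule:
    number: int
    action: str
    proto: str          # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int]
    direction: Optional[str]
    iface: Optional[str]
    setup: bool
    keep_state: bool


_RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|deny)\s+"
    r"(?:log\s+(?:logamount\s+\d+\s+)?)?"
    r"(?P<proto>tcp|udp|ip)\s+from\s+\S+\s+to\s+\S+(?:\s+(?P<dport>\d+))?"
    r"(?P<rest>(?:\s+\S+)*)\s*$"
)


def parse_rule(line: str) -> Rule:
    """Parse one rule line written the way the thread writes them."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    tokens = m.group("rest").split()
    direction = iface = None
    for i, tok in enumerate(tokens):
        if tok in ("in", "out"):
            direction = tok
        elif tok == "via" and i + 1 < len(tokens):
            iface = tokens[i + 1]
    return Rule(
        number=int(m.group("num")),
        action=m.group("action"),
        proto=m.group("proto"),
        dst_port=int(m.group("dport")) if m.group("dport") else None,
        direction=direction,
        iface=iface,
        setup="setup" in tokens,
        keep_state="keep-state" in tokens,
    )


def lint_setup_on_non_tcp(rule_lines: List[str]) -> List[int]:
    """Numbers of rules that use 'setup' with a protocol other than tcp.
    Per ipfw(8) 'setup' is short for 'tcpflags syn,!ack', so such a rule
    can never match anything."""
    return [r.number for r in map(parse_rule, rule_lines)
            if r.setup and r.proto != "tcp"]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    # 'setup' = SYN set and ACK clear; a UDP packet has no flags at all.
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    return True


def first_match(rule_lines: List[str], pkt: Packet) -> Optional[Tuple[int, str]]:
    """Rules are evaluated in number order; the first match decides.
    Returns (rule number, action), or None if no listed rule matched."""
    for rule in sorted(map(parse_rule, rule_lines), key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return None


if __name__ == "__main__":
    # The packet behind the log lines: outbound UDP to port 53 on sis0.
    query = Packet(proto="udp", dst_port=53, direction="out", iface="sis0")
    print("setup on non-tcp:", lint_setup_on_non_tcp(RULES_AS_POSTED))
    print("as posted:", first_match(RULES_AS_POSTED, query))
    print("corrected:", first_match(RULES_CORRECTED, query))
```

Running the lint over a rule file before loading it catches this class of typo without waiting for the deny log to fill up; the same model can be fed other packets (a TCP SYN to port 53, an inbound UDP reply) to confirm which rule each one lands on.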