From: Jose Hidalgo
To: Stephane Raimbault
Cc: freebsd-ipfw@freebsd.org
Organization: Corp. Hostarica S.A.
Date: Wed, 18 May 2005 11:03:04 -0600
Subject: Re: named error sending response: permision denied

On Wed, 2005-05-18 at 10:51 -0600, Stephane Raimbault wrote:
> I also noticed these errors in my ipfw.log file:
>
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP
> 63.252.160.219:53 204.9.110.134:3371 in via vlan1
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP
> 63.252.160.219:53 204.9.110.134:1420 in via vlan1
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP
> 63.252.160.219:53 204.9.110.134:2961 in via vlan1
> May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP
> 63.252.160.219:53 204.9.110.134:4701 in via vlan1

As you can see, and according to the ACLs, you have the problem when
204.9.110.134 is the client of the DNS queries.

You may need to add

    ${fwcmd} add pass udp from ${ip2} to any 53 keep-state

or you may want to reduce the number of rules with:

    ${fwcmd} add pass udp from any to any 53 keep-state

-- 
Jose Hidalgo
Corp. Hostarica S.A.
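
Added example, not part of the original message or of ipfw: a small log check that finds denied inbound UDP packets coming from port 53 to a non-53 port (DNS replies to a local client whose outgoing query created no state) and prints a stateful pass rule per affected client in the form used in the reply, written with ipfw's keep-state keyword. The function names are hypothetical, and the last two log lines are constructed with documentation addresses to show entries that must not match.

```python
import re
from collections import defaultdict

# Fields of an ipfw kernel log entry as they appear in the quoted log.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# First four lines are from the message (wrapped lines rejoined);
# the last two are constructed to show entries that must not match.
SAMPLE_LOG = """\
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:3371 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:1420 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:2961 in via vlan1
May 18 06:40:03 enertia1 /kernel: ipfw: 65000 Deny UDP 63.252.160.219:53 204.9.110.134:4701 in via vlan1
May 18 06:41:10 enertia1 /kernel: ipfw: 65000 Deny TCP 198.51.100.7:40112 192.0.2.10:25 in via vlan1
May 18 06:41:12 enertia1 /kernel: ipfw: 65000 Deny UDP 198.51.100.7:5353 192.0.2.10:53 in via vlan1
"""

def dropped_dns_replies(log_text):
    """Group denied inbound UDP packets with source port 53 by local client."""
    clients = defaultdict(lambda: {"count": 0, "servers": set(), "rules": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # Source port 53 to a non-53 port: a reply headed for a client's ephemeral port.
        is_reply = (m["action"] == "Deny" and m["proto"] == "UDP"
                    and m["dir"] == "in" and m["sport"] == "53"
                    and m["dport"] != "53")
        if is_reply:
            entry = clients[m["dst"]]
            entry["count"] += 1
            entry["servers"].add(m["src"])
            entry["rules"].add(int(m["rule"]))
    return dict(clients)

def suggested_rules(findings):
    """One stateful pass rule per affected client, in the form used in the reply."""
    return ["${fwcmd} add pass udp from %s to any 53 keep-state" % ip
            for ip in sorted(findings)]

if __name__ == "__main__":
    found = dropped_dns_replies(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info["count"], sorted(info["servers"]), sorted(info["rules"]))
    print("\n".join(suggested_rules(found)))
```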