Date:      Sun, 27 Oct 2002 20:09:57 +0200
From:      "D. Penev" <dpenev@mail.bg>
To:        sroberts@dsl.pipex.com
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security
Message-ID:  <20021027180957.GB240@earth.dpsca.bg>
In-Reply-To: <1035743359.65564.12.camel@Demon.vickiandstacey.com>
References:  <1035732248.394.22.camel@Demon.vickiandstacey.com> <20021027160633.GA12903@ei.bzerk.org> <1035743359.65564.12.camel@Demon.vickiandstacey.com>

On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
>Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY?
>	[related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in
>	/var/log/security
>From: Stacey Roberts <stacey@Demon.vickiandstacey.com>
>To: Ruben de Groot <fbsd-q@bzerk.org>
>Cc: sroberts@dsl.pipex.com,
>	FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
>Date: 27 Oct 2002 18:29:16 +0000
>
>Okay,
>    I've been hacking about with my ipfw rules in order to nail this
>down, but I'm still coming up against a wall here.., 
>
>I've made this change:
># Allow out access to Internet Domain name server
>$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
>keep-state 
>#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
>keep-state <==== <COMMENTED THIS OUT>
>$fwcmd add 00618 allow udp from any to any 53 out via $oif

You forgot keep-state. Your rule should be:
$fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state


>                  ^
>                  |
>       PUT THIS IN INSTEAD
>
>Now I try to query a root-server, I still get stopped by the firewall:
># date
>Sun Oct 27 18:19:35 GMT 2002
># dig . ns @b.root-servers.net
>
>; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
>; (1 server found)
>;; res options: init recurs defnam dnsrch
>;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
>out
>
>Checking logs:
># tail /var/log/security
><snip>
>Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
>192.168.1.8:1642 in via sis0
># 
>
>The previous posted (see below) informed me that using setup /
>keep-state with udp is wrong. Given the changes I've made above, what
>are the magic statements to allow my to query the root servers and allow
>their responses back in?
>
>TIA
>Stacey
>
>On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
><snip>
>> > 
>> > Verifying relevant ipfw rules:
>> > # Allow out access to Internet Domain name server
>> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
>> > keep-state 
>> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
>> > keep-state
>> 
>> This last rule is bogus. From ipfw(8):
>> 
>>      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>>              This is the short form of ``tcpflags syn,!ack''.
>> 
>> "setup" is not supposed to work for UDP packets. there is no handshake as 
>> in tcp connections.
>> 
>> 
>> > 
>> > Checking ipfw rule 910:
>> > $fwcmd add 00910 deny log logamount 500 ip from any to any
>> > 
>> > Why am I not able to query root servers, given my rules 00618 & 00619? 
>> > 
>> > I'd appreciate someone helping me out here., (or hitting me over the
>> > head if I'm missing something simple and glaringly obvious)
>> > 
>> > TIA 
>> > 
>> > Stacey
>> > 
>> > 
>> > 
>> > -- 
>> > Stacey Roberts
>> > B.Sc (HONS) Computer Science
>> > 
>> > Web: www.vickiandstacey.com
>> > 
>> 
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-questions" in the body of the message
>-- 
>Stacey Roberts
>B.Sc (HONS) Computer Science
>
>Web: www.vickiandstacey.com
>



-- 
Regards,
D. Penev

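To make the point of this reply concrete, here is a small Python model of how ipfw walks a rule set, added as an example (it is not ipfw's own code and not something posted in the thread). It reproduces the three variants of rule 00618 seen above: `setup keep-state` (never matches UDP, so the query itself is denied), no `keep-state` (the query leaves, but the reply from port 53 has no dynamic rule to match and hits the deny rule, exactly the `Deny UDP 128.9.0.107:53 192.168.1.8:1642 in` line in /var/log/security), and plain `keep-state` (the query creates a dynamic rule that the reply matches). Rule numbers, hosts and ports are taken from the quoted messages; the rule numbers of the TCP and deny rules (617 and 910) and the simplified matching semantics are assumptions of the model.

```python
# Toy model of ipfw stateful matching, written to illustrate the thread's DNS
# case. It is an added example, not ipfw itself and not code from the thread.
# Hosts and ports come from the quoted log line; rule numbers 617/618/910 are
# taken from the quoted rc.firewall fragments. Only the keywords used there
# (setup, keep-state, check-state) are modelled.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "in" or "out"
    syn: bool = False  # TCP flags; meaningless for UDP
    ack: bool = False


@dataclass
class Rule:
    number: int
    action: str                    # "allow", "deny" or "check-state"
    proto: str = "ip"              # "ip" matches any protocol
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False            # short for "tcpflags syn,!ack"
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        # "setup" tests TCP flags, so a UDP datagram can never satisfy it.
        if self.setup and (pkt.proto != "tcp" or not pkt.syn or pkt.ack):
            return False
        return True


def flow_key(pkt: Packet):
    """Direction-independent key, so a reply matches the state its query created."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = set()       # dynamic rules created by keep-state

    def evaluate(self, pkt: Packet):
        """Walk the rules in order and return (action, rule) for the first match.

        As in ipfw, dynamic rules are consulted at the first check-state or
        keep-state rule encountered; a hit there is reported as "dynamic".
        """
        checked = False
        for rule in self.rules:
            if not checked and (rule.action == "check-state" or rule.keep_state):
                checked = True
                if flow_key(pkt) in self.dynamic:
                    return ("allow", "dynamic")
            if rule.action == "check-state":
                continue
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add(flow_key(pkt))
                return (rule.action, rule.number)
        return ("deny", 65535)     # implicit default rule


# From the quoted log line: the query leaves from port 1642, the root server
# answers from port 53.
QUERY = Packet("udp", "192.168.1.8", 1642, "128.9.0.107", 53, "out")
REPLY = Packet("udp", "128.9.0.107", 53, "192.168.1.8", 1642, "in")


def run_dns_case(udp_setup: bool, udp_keep_state: bool):
    """Return the verdicts for the query and its reply under one variant of rule 618."""
    fw = Firewall([
        Rule(617, "allow", "tcp", 53, "out", setup=True, keep_state=True),
        Rule(618, "allow", "udp", 53, "out", setup=udp_setup, keep_state=udp_keep_state),
        Rule(910, "deny"),   # the quoted "deny log logamount 500 ip from any to any"
    ])
    return fw.evaluate(QUERY), fw.evaluate(REPLY)


if __name__ == "__main__":
    for label, setup, keep in [("setup keep-state", True, True),
                               ("no keep-state", False, False),
                               ("keep-state", False, True)]:
        query_verdict, reply_verdict = run_dns_case(setup, keep)
        print(f"udp rule with {label}: query={query_verdict}, reply={reply_verdict}")
```

Running it shows the progression in the thread: with `setup keep-state` the UDP query never matches rule 618 and is dropped at 910; with neither keyword the query is allowed but the reply is denied at 910, which is the log line Stacey posted; with `keep-state` alone the reply is admitted by the dynamic rule the query created, which is what the corrected rule above achieves.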