From owner-freebsd-questions Sat May 2 21:40:15 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA00351 for freebsd-questions-outgoing; Sat, 2 May 1998 21:40:15 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from gdi.uoregon.edu (gdi.uoregon.edu [128.223.170.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA00178 for ; Sat, 2 May 1998 21:40:01 -0700 (PDT) (envelope-from dwhite@gdi.uoregon.edu)
Received: from localhost (dwhite@localhost) by gdi.uoregon.edu (8.8.7/8.8.8) with SMTP id VAA21704; Sat, 2 May 1998 21:39:59 -0700 (PDT) (envelope-from dwhite@gdi.uoregon.edu)
Date: Sat, 2 May 1998 21:39:59 -0700 (PDT)
From: Doug White
Reply-To: Doug White
To: Dima Dorfman
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW
In-Reply-To: <3.0.5.32.19980501211444.00919bb0@mail.apc.net>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 1 May 1998, Dima Dorfman wrote:

> Hi:
>
> I'm trying to deny UDP to my whole network, except DNS. I am using IPFW,
> and Bind 8.1.1. Here are my rules:
>
> ipfw add 1 allow udp from any to 192.168.77.2 53
> ipfw add 2 deny udp from any to any
>
> It still doesn't work. DNS doesn't get through. I heard that bind uses
> wired addresses which it isn't allowed to use, but 8.1.1 fixed that with a
> line in the named.conf file. I added that line, but it still seems to be
> responding on 138, 1050, 1051, ...

This is correct -- you contact port 53 on the *server*, but the *client*
gets a random port number. You need to allow traffic that is going out to
port 53 and coming from port 53 -- basically, `allow udp from any to any 53'.
Doug White                              | University of Oregon
Internet: dwhite@resnet.uoregon.edu     | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
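To see why the poster's two rules block the DNS reply while the rule set Doug describes lets it through, here is an added first-match simulator for the small subset of ipfw syntax used in the thread (example code written for this page, not from the thread or from FreeBSD). The client address 192.168.77.10, the default policy and the reply packet are constructed assumptions; the server 192.168.77.2 and client port 1050 come from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """One UDP datagram as ipfw sees it (constructed sample data)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_rule(text):
    # Subset of `ipfw add N ACTION PROTO from SRC [PORT] to DST [PORT]`
    t = text.split()
    num, action, proto, i = int(t[2]), t[3], t[4], 6
    src, sport = t[i], None
    i += 1
    if t[i] != "to":
        sport, i = int(t[i]), i + 1
    dst, i = t[i + 1], i + 2
    dport = int(t[i]) if i < len(t) else None
    return (num, action, proto, src, sport, dst, dport)

def matches(rule, p):
    _, _, proto, src, sport, dst, dport = rule
    return (proto in ("ip", p.proto) and src in ("any", p.src)
            and (sport is None or sport == p.sport)
            and dst in ("any", p.dst) and (dport is None or dport == p.dport))

def verdict(rules, p):
    """First match wins, in rule-number order, as ipfw walks its list."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if matches(rule, p):
            return rule[1]
    return "deny"  # assumed default policy; the last rule above denies UDP anyway

# The poster's rules, verbatim from the thread.
ORIGINAL = ["ipfw add 1 allow udp from any to 192.168.77.2 53",
            "ipfw add 2 deny udp from any to any"]
# The fix as Doug describes it: allow UDP going out to port 53 and coming back from port 53.
FIXED = ["ipfw add 1 allow udp from any to any 53",
         "ipfw add 2 allow udp from any 53 to any",
         "ipfw add 3 deny udp from any to any"]
# Constructed exchange: a client on the poster's network queries the server from
# a random high port (1050, as in the post) and the server answers from port 53.
QUERY = Packet("udp", "192.168.77.10", 1050, "192.168.77.2", 53)
REPLY = Packet("udp", "192.168.77.2", 53, "192.168.77.10", 1050)
def dns_works(rule_texts):
    rules = [parse_rule(r) for r in rule_texts]
    return verdict(rules, QUERY) == "allow" and verdict(rules, REPLY) == "allow"
```

The query passes both rule sets, but under the poster's rules the reply arrives at port 1050, not 53, so it falls through to rule 2 and is dropped. Note that the fixed set admits any UDP datagram whose source port is 53, which is the known weakness of purely port-based filtering and the reason later ipfw versions added stateful rules.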