Date:      Mon, 19 Aug 2013 15:15:13 -0600
From:      Gary Aitken <vagabond@blackfoot.net>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Cc:        lists.dan@gmail.com, OpenSlate ChalkDust <openslateproj@gmail.com>
Subject:   Re: ipfw confusion
Message-ID:  <52128AE1.8000102@blackfoot.net>
In-Reply-To: <CAAuBV2d1Fv=mUnJeY6j%2BS_=O859aPpBV1bEc_JFa_cdpy1=Ryw@mail.gmail.com>
References:  <5211B5E1.6040000@blackfoot.net> <CAAuBV2d1Fv=mUnJeY6j%2BS_=O859aPpBV1bEc_JFa_cdpy1=Ryw@mail.gmail.com>

On 08/19/13 11:53, OpenSlate ChalkDust wrote:
> On Sun, Aug 18, 2013 at 8:06 PM, Gary Aitken <vagabond@blackfoot.net> wrote:
> 
>> I'm having some weird ipfw behavior, or it seems weird to me, and am
>> looking for an explanation and then a way out.
>>
>> ipfw list
>> ...
>> 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup keep-state
>> 21129 allow tcp from any to 12.32.36.65 dst-port 53 in via tun0 setup keep-state
>> ...
>> 65534 deny log logamount 5 ip from any to any
>>
>> tail -f messages
>> Aug 18 23:33:06 nightmare named[914]: client 188.231.152.46#63877: error
>> sending response: permission denied
>>
>> 12.32.36.65 is the addr of the internal interface (xl0) on the firewall
>> and is the public dns server.
>> 12.32.44.142 is the addr of the external interface (tun0) which is bridged
>> on a dsl line.
>>
>> It appears that a dns request was allowed in, but the response was not
>> allowed back out.  It seems to me the above rules 21109 and 21129 should
>> have allowed the request in and the response back out.
>>
>> It's possible a request could come in on 12.32.44.142,
>> which is why 21109 is present;
>> although I know I am getting failures to reply to refresh requests
>> from a secondary addressed to 12.32.36.65
>>
>> What am I missing?
>>
> I think you need explicit rules like
> 
> nnnnn allow tcp from 12.32.44.142 to any dst-port 53 out via tun0 setup keep-state

Why would rules like that be necessary, given the conversation is initiated
from the outside?  Shouldn't "setup keep-state" let the whole conversation, 
both directions, through?

On 08/19/13 13:36, Dan Lists wrote:

> Do you have a check-state rule earlier in your rules?
> 
> 1000 check-state

Yes:

00500 check-state

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52128AE1.8000102>