From owner-freebsd-isp Thu Dec 20 14:11:40 2001 Delivered-To: freebsd-isp@freebsd.org Received: from c003.snv.cp.net (c003-h004.c003.snv.cp.net [209.228.32.218]) by hub.freebsd.org (Postfix) with SMTP id AC73E37B417 for ; Thu, 20 Dec 2001 14:11:28 -0800 (PST) Received: (cpmta 9609 invoked from network); 20 Dec 2001 14:11:27 -0800 Received: from 216.227.100.85 (HELO vector) by smtp.telocity.com (209.228.32.218) with SMTP; 20 Dec 2001 14:11:27 -0800 X-Sent: 20 Dec 2001 22:11:27 GMT From: "Dustin Puryear" To: Cc: Subject: RE: FreeBSD firewall and DNS Date: Thu, 20 Dec 2001 16:19:46 -0600 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-isp@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > In all those examples you are allowing queries to be sent TO port 53 of a > dns server, but you are not allowing replies FROM port 53 of the dns > server. Which is why your very last rule is the only one that > makes things > work. allow udp from any to 10.0.0.5 is allowing the dns server to reply > form port 53 to your machine at 10.0.0.5. But isn't that the idea behind keep-state? Shouldn't the rule: 01400 divert 8668 ip from any to any via rl0 ... 02900 allow udp from 10.0.0.5 to any 53 keep-state Do this for us? > Also, someone else jump in, since when can you keep-state on udp based > traffic? Maybe I've just forgotten something along the way. This is from /etc/rc.firewall that came with stock FreeBSD: # Allow DNS queries out in the world ${fwcmd} add pass udp from ${oip} to any 53 keep-state I am just trying to tweak it for our use. Anyway, this assumes that the DNS query will originate from the firewall itself I believe. However, our DNS server is not located on the firewall but on a machine setup via static NAT inside our private network. Our DNS server has the private IP 10.0.0.5. All I know is that it is not working, and I can't figure out why. I have a feeling that it may have to do with NAT, but I'm not sure. From my perspective it should work. Anyway, I found that my dynamic rules are a bit funky. It seems that they are being build for both my private and public IP addresses for the DNS server: 02700 2 124 (T 0, # 56) ty 0 udp, aa.bb.cc.dd 1487 <-> 66.135.0.10 53 02900 8 1358 (T 0, # 245) ty 0 udp, 10.0.0.5 1487 <-> 66.135.0.10 53 Where aa.bb.cc.dd is my public IP. Regards, Dustin > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > > Eric Stanfield, K2Access > Keno Kozie Associates > 222 N LaSalle #1500 > Chicago, IL 60606 > (312) 332-3000 > > > > > > > "Dustin Puryear" > > To: > > Sent by: cc: > > owner-freebsd-isp@F Subject: > FreeBSD firewall and DNS > reeBSD.ORG > > > > > > 12/20/2001 02:54 PM > > > > > > > > > I am having problems configuring a FreeBSD 4.4-RELEASE firewall to allow a > DNS server to work. When I say "work" I mean it is unable to > resolve names. > Instead, it just times out. Please note that we are using static > NAT. Also, > the DNS server is NOT located on the firewall. (On a related > note, if I run > a DNS server on the firewall it works.) The DNS server does have a public > IP > address via the static NAT mapping, but I would think it should work > regardless. At least, for resolving names. > > Okay, so I have a firewall at 10.0.0.1 private a.b.c.d public. Via NAT the > DNS server, which will be for public use, has a private address > of 10.0.0.5 > and w.x.y.z public. If I install the DNS server on the firewall > and use the > rules: > > 01500 divert 8668 ip from any to any via rl0 > ... > 02600 allow udp from a.b.c.d to any 53 keep-state > 02700 allow tcp from a.b.c.d to any 53 keep-state > > The DNS server on the firewall works and can resolve names for > me. However, > if I put the DNS server on another internal machine and use the rules: > > 01500 divert 8668 ip from any to any via rl0 > ... > 02800 allow udp from w.x.y.z to any 53 keep-state > 02900 allow tcp from w.x.y.z to any 53 keep-state > > The internal server times out. Okay, so I am thinking that perhaps since > the > divert rule comes first I should be using the internal address: > > 01500 divert 8668 ip from any to any via rl0 > ... > 02800 allow udp from 10.0.0.5 to any 53 keep-state > 02900 allow tcp from 10.0.0.5 to any 53 keep-state > > Unfortunately, I get the same result. The DNS server cannot resolve the > name > and nslookup eventually times out. Now, I can make it work by adding the > rule: > > 03640 allow udp from any to 10.0.0.5 > > But why is this necessary? Assuming my DNS server does not need to be > accessible to external users I should just need to allow the server to hit > remote DNS server's and to expect replies via the keep-state. Am I missing > something here? > > BTW, I am including my full ruleset below just in case. > > 00100 allow ip from any to any via lo0 > 00200 deny ip from any to 127.0.0.0/8 > 00300 deny ip from 127.0.0.0/8 to any > 00400 allow ip from any to any via nge0 > 00500 deny ip from 10.0.0.0/24 to any in recv rl0 > 00600 deny ip from a.b.c.0/26 to any in recv nge0 > 00700 deny ip from any to 10.0.0.0/8 via rl0 > 00800 deny ip from any to 172.16.0.0/12 via rl0 > 00900 deny ip from any to 192.168.0.0/16 via rl0 > 01000 deny ip from any to 0.0.0.0/8 via rl0 > 01100 deny ip from any to 169.254.0.0/16 via rl0 > 01200 deny ip from any to 192.0.2.0/24 via rl0 > 01300 deny ip from any to 224.0.0.0/4 via rl0 > 01400 deny ip from any to 240.0.0.0/4 via rl0 > 01500 divert 8668 ip from any to any via rl0 > 01600 deny ip from 10.0.0.0/8 to any via rl0 > 01700 deny ip from 172.16.0.0/12 to any via rl0 > 01800 deny ip from 192.168.0.0/16 to any via rl0 > 01900 deny ip from 0.0.0.0/8 to any via rl0 > 02000 deny ip from 169.254.0.0/16 to any via rl0 > 02100 deny ip from 192.0.2.0/24 to any via rl0 > 02200 deny ip from 224.0.0.0/4 to any via rl0 > 02300 deny ip from 240.0.0.0/4 to any via rl0 > 02400 allow tcp from any to any established > 02500 allow ip from any to any frag > 02600 allow udp from a.b.c.d to any 53 keep-state # for DNS on firewall > 02700 allow tcp from a.b.c.d to any 53 keep-state # "" > 02800 allow udp from w.x.y.z to any 53 keep-state # for DNS on > another box > 02900 allow tcp from w.x.y.z to any 53 keep-state # "" > 03000 allow tcp from any to 10.0.0.5 25 setup > 03100 allow tcp from any to 10.0.0.20 80 via rl0 setup # web > 03200 allow tcp from any to 10.0.0.21 80 via rl0 setup # web > 03300 allow tcp from any to any 22 setup > 03400 allow icmp from any to any keep-state > 03500 allow tcp from any to any setup > 03640 allow udp from any to 10.0.0.5 # crappy fix to allow DNS to work > 03900 deny log logamount 10 tcp from any to any in recv rl0 setup > 65535 deny ip from any to any > > Regards, Dustin > > --- > Dustin Puryear > Information Systems Consultant > http://members.telocity.com/~dpuryear > In the beginning the Universe was created. > This has been widely regarded as a bad move. - Douglas Adams > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-isp" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-isp" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message