Date:      Sat, 31 Jul 2004 08:55:14 -0500
From:      "James A. Coulter" <james.coulter@cox.net>
To:        <freebsd-questions@freebsd.org>
Cc:        Barbish3@adelphia.net
Subject:   RE: Firewall Rule Set not allowing access to DNS servers?
Message-ID:  <000d01c47706$03a153b0$6e01a8c0@sabrina>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGCECAGIAA.Barbish3@adelphia.net>

Thanks for the response. . .

I changed rule 00005 from xl0 to dc0 - thanks

Not sure why I would want my inside NIC requesting DHCP service from my ISP.
It has been working fine in the configuration I have it so I've left it the
way it is.

I checked the security log, and found this:

Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1

These are the three name servers specified in the rule set.

I checked the rule set and found this:

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state

Because security said the firewall was denying UDP packets, I changed the
rules to this:

$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state

But that hasn't helped.  I'm still getting:

Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1

FWIW, these rules are skipping to:

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

I apologize for being such a bother and I do appreciate any help or
suggestions.

TIA

Jim C.
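As an added example (not code from the thread or from the a1poweruser rule set): a POSIX sh generator that does the per-nameserver duplication the rule set's comments describe, emitting a TCP rule and a UDP rule for each nameserver found in resolv.conf-style input, plus a check that tells whether a logged outbound deny line would be matched by one of the generated rules. It assumes the thread's values for $cmd, $skip and $pif (ipfw -q add, skipto 800, dc1), uses the nameservers from the quoted resolv.conf as constructed input, and only prints the rules instead of loading them; the UDP rule omits setup, which matches TCP SYN packets only.

```shell
#!/bin/sh
# Added example, not from the thread: generate the outbound DNS rules the
# a1poweruser rule set asks you to duplicate for each nameserver.
# Assumed values, taken from the thread's script variables.
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"

# Constructed stand-in for /etc/resolv.conf (the nameservers quoted in the thread).
RESOLV_CONF='search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30'

# Print the nameserver addresses from resolv.conf text supplied on stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Emit one TCP and one UDP rule per nameserver, numbered from $1 upward.
# Resolver queries go out over UDP 53, so the UDP rule is the one that makes
# lookups work; "setup" is a TCP SYN match and is left off the UDP rule.
dns_rules() {
    n=$1
    printf '%s\n' "$RESOLV_CONF" | nameservers | while read -r ns; do
        echo "$cmd $n $skip tcp from any to $ns 53 out via $pif setup keep-state"
        n=$((n + 1))
        echo "$cmd $n $skip udp from any to $ns 53 out via $pif keep-state"
        n=$((n + 1))
    done
}

# Given an ipfw log line such as
#   ... ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
# succeed if a generated rule matches its protocol, destination and port.
log_covered() {
    proto=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "Deny") print tolower($(i + 1)) }')
    dst=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "Deny") print $(i + 3) }')
    ns=${dst%:*}
    port=${dst##*:}
    dns_rules 20 | grep -qF " $proto from any to $ns $port out via $pif "
}

dns_rules 20
```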


> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of JJB
> Sent: Friday, July 30, 2004 1:20 PM
> To: James A. Coulter; freebsd-questions@freebsd.org
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
> Change this ipfw rule from
>
> 00005   allow ip from any to any via xl0
>
> To
> 00005   allow ip from any to any via dc0
>
> because dc0 is the lan interface name and not xl0.
>
>
> Change these statements in rc.conf because you have interface
> name backwards. Dc1 is the NIC connected to your cable modem
> and you want to get DHCP info from your ISP. Dc0 is the NIC
> connected to your LAN.
>
> From
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
>
> to
> ifconfig_dc0="DHCP"
> ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
>
>
> You do not say how your LAN PCs get their ip address.
> You can hard code them on each LAN PC
> or you have to run isc-dhcp-server on your Gateway box to
> auto assign ip address to LAN PCs.
>
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of
> James A. Coulter
> Sent: Friday, July 30, 2004 10:56 AM
> To: freebsd-questions@freebsd.org
> Subject: Firewall Rule Set not allowing access to DNS servers?
>
> I am using FreeBSD 4.10 as a gateway/router for a small home
> LAN. My outside interface (dc1) is connected to a cable modem
> and is configured for DHCP.
>
> I have compiled and installed a custom kernel with
> IPFIREWALL and IPDIVERT options and with a rule set allowing
> any to any with no problems.
>
> I am in the process of adding a proper rule set to provide
> security. I was referred to
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
> installed the Stateful + NATD Rule Set modified for my
> outside interface, domain name servers, and DHCP server.
>
> I can ping IP addresses and pass SMTP mail back and forth
> from the gateway/router and all machines on the LAN, but I
> cannot ping URLs - I am getting "ping: cannot resolve
> www.freebsd.org: Host name lookup failure" errors.
>
>
> This is what ipfw -a list looks like:
>
> sara# ipfw -a list
> 00005   0     0 allow ip from any to any via xl0
> 00010  52  3640 allow ip from any to any via lo0
> 00014   0     0 divert 8668 ip from any to any in recv dc1
> 00015   0     0 check-state
> 00020   0     0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
> 00021   0     0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
> 00022   0     0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
> 00030   0     0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
> 00040   0     0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
> 00050   0     0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
> 00060   0     0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
> 00061   0     0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
> 00070   0     0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
> 00080   0     0 skipto 800 icmp from any to any keep-state out xmit dc1
> 00090   0     0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
> 00100   0     0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
> 00110   0     0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
> 00120   0     0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
> 00130   0     0 skipto 800 udp from any to any 123 keep-state out xmit dc1
> 00300   0     0 deny ip from 192.168.0.0/16 to any in recv dc1
> 00301   0     0 deny ip from 172.16.0.0/12 to any in recv dc1
> 00302   0     0 deny ip from 10.0.0.0/8 to any in recv dc1
> 00303   0     0 deny ip from 127.0.0.0/8 to any in recv dc1
> 00304   0     0 deny ip from 0.0.0.0/8 to any in recv dc1
> 00305   0     0 deny ip from 169.254.0.0/16 to any in recv dc1
> 00306   0     0 deny ip from 192.0.2.0/24 to any in recv dc1
> 00307   0     0 deny ip from 204.152.64.0/23 to any in recv dc1
> 00308   0     0 deny ip from 224.0.0.0/3 to any in recv dc1
> 00315   0     0 deny tcp from any to any 113 in recv dc1
> 00320   0     0 deny tcp from any to any 137 in recv dc1
> 00321   0     0 deny tcp from any to any 138 in recv dc1
> 00322   0     0 deny tcp from any to any 139 in recv dc1
> 00323   0     0 deny tcp from any to any 81 in recv dc1
> 00330   0     0 deny ip from any to any in recv dc1 frag
> 00332   0     0 deny tcp from any to any in recv dc1 established
> 00360   0     0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
> 00370   0     0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
> 00370   0     0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
> 00380   0     0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
> 00400   0     0 deny log logamount 10 ip from any to any in recv dc1
> 00450  81  5288 deny log logamount 10 ip from any to any out xmit dc1
> 00800   0     0 divert 8668 ip from any to any out xmit dc1
> 00801 645 59255 allow ip from any to any
> 00999   0     0 deny log logamount 10 ip from any to any
> 65535   1   347 deny ip from any to any
>
> This is what my /etc/rc.conf looks like:
>
> hostname="sara.mshome.net"
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> moused_enable="YES"
> named_enable="YES"
> nfs_client_enable="YES"
> nfs_reserved_port_only="YES"
> nfs_server_enable="YES"
> sendmail_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> ntpd_enable="YES"
> inetd_enable="YES"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="dc1"
> natd_flags="-dynamic"
>
> Finally, this is what /etc/resolv.conf looks like:
>
> sara# more /etc/resolv.conf
> search pn.at.cox.net
> nameserver 68.105.161.20
> nameserver 68.1.18.25
> nameserver 68.10.16.30
>
> Any ideas?
>
> Thanks,
>
> Jim C.
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>


