Date:      Sat, 31 Jul 2004 14:02:58 -0400 (EDT)
From:      "Steve Bertrand" <iaccounts@ibctech.ca>
To:        "James A. Coulter" <james.coulter@cox.net>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: Firewall Rule Set not allowing access to DNS servers?
Message-ID:  <10697.64.39.177.47.1091296978.squirrel@64.39.177.47>
In-Reply-To: <000401c47721$07faf590$6e01a8c0@sabrina>
References:  <MIEPLLIBMLEEABPDBIEGEECPGIAA.Barbish3@adelphia.net> <000401c47721$07faf590$6e01a8c0@sabrina>

> My LAN is configured with static IP addresses, 192.168.1.x.
>
> I have no problems communicating within the LAN.
>
> I have full connectivity with the internet from every machine on my
> LAN when
> the firewall is open.
>
> When I use the rule set in question, I can ping and send mail but I
> cannot
> access the DNS servers listed in resolv.conf.
>
> These are the same DNS servers placed in resolv.conf when the firewall
> is
> open.
>
> I'm sorry, but I never said dc1 was my inside nic.
>
> Again, I appreciate any help with this.  The files you requested
> follow.

Must admit, I'm in a hurry to leave for the day, so I haven't read the
ruleset in detail, but what happens if you use the following entries, just
after the divert rule? (Your log shows the UDP lookups being denied at rule
550: the quoted rules 020-022 still carry `setup`, which only matches TCP SYN
packets, so they never match UDP queries and the lookups fall through.
Whatever form you use, keep the `$skip` to 800 on outbound rules so LAN
traffic still passes through the natd divert, and take `setup` off the UDP
rules. Note also that the second entry below admits any packet with source
port 53; with keep-state on the first entry the replies are already covered
by check-state, so it is broader than you need.)

...allow udp from any to any 53 keep-state
...allow udp from any 53 to any keep-state
...allow tcp from any to any 53 keep-state

Steve



>
> Here's my ifconfig - a:
>
> sara# ifconfig -a
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
>         ether 00:04:5a:76:55:f0
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
>         inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
>         ether 00:a0:cc:33:e1:f6
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
>
> Here's resolv.conf:
>
> sara# more /etc/resolv.conf
> search pn.at.cox.net
> nameserver 68.105.161.20
> nameserver 68.1.18.25
> nameserver 68.10.16.30
>
> Here's the entire rule set I'm trying to use.
>
> I did follow the comments.
>
> Please note the variable pif is set to dc1, my outside nic.
>
> ################ Start of IPFW rules file
> ###############################
> # Flush out the list before we begin.
> ipfw -q -f flush
> # Set rules command prefix
> cmd="ipfw -q add"
> skip="skipto 800"
> pif="dc1"     # public interface name of Nic card
>               # facing the public internet
>
>
>
> #################################################################
> # No restrictions on Inside Lan Interface for private network
> # Change xl0 to your Lan Nic card interface name
> #################################################################
> $cmd 005 allow all from any to any via dc0
>
> #################################################################
> # No restrictions on Loopback Interface
> #################################################################
> $cmd 010 allow all from any to any via lo0
>
> #################################################################
> # check if packet is inbound and nat address if it is
> #################################################################
> $cmd 014 divert natd ip from any to any in via $pif
>
> #################################################################
> # Allow the packet through if it has previous been added to the
> # the "dynamic" rules table by a allow keep-state statement.
> #################################################################
> $cmd 015 check-state
>
> #################################################################
> # Interface facing Public internet (Outbound Section)
> # Interrogate session start requests originating from behind the
> # firewall on the private network or from this gateway server
> # destine for the public internet.
> #################################################################
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup
> keep-state
> $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup
> keep-state
> $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup
> keep-state
>
> # Allow out access to my ISP's DHCP server for cable/DSL
> configurations.
> $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
>
> # Allow out non-secure standard www function
> $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
>
> # Allow out secure www function https over TLS SSL
> $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
>
> # Allow out send & get email function
> $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
> $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
>
> # Allow out FBSD (make install & CVSUP) functions
> # Basically give user root "GOD" privileges.
> $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid
> root
>
> # Allow out ping
> $cmd 080 $skip icmp from any to any out via $pif keep-state
>
> # Allow out Time
> $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
>
> # Allow out nntp news (IE: news groups)
> $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
>
> # Allow out secure FTP, Telnet, and SCP
> # This function is using SSH (secure shell)
> $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
>
> # Allow out whois
> $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
>
> # Allow ntp time server
> $cmd 130 $skip udp from any to any 123 out via $pif keep-state
>
> #################################################################
> # Interface facing Public internet (Inbound Section)
> # Interrogate packets originating from the public internet
> # destine for this gateway server or the private network.
> #################################################################
>
> # Deny all inbound traffic from non-routable reserved address spaces
> $cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918
> private
> IP
> $cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918
> private
> IP
> $cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918
> private
> IP
> $cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
> $cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
> $cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP
> auto-config
> $cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved
> for
> doc's
> $cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun
> cluster
> $cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D &
> E
> multicast
>
> # Deny ident
> $cmd 315 deny tcp from any to any 113 in via $pif
>
> # Deny all Netbios service. 137=name, 138=datagram, 139=session
> # Netbios is MS/Windows sharing services.
> # Block MS/Windows hosts2 name server requests 81
> $cmd 320 deny tcp from any to any 137 in via $pif
> $cmd 321 deny tcp from any to any 138 in via $pif
> $cmd 322 deny tcp from any to any 139 in via $pif
> $cmd 323 deny tcp from any to any 81  in via $pif
>
> # Deny any late arriving packets
> $cmd 330 deny all from any to any frag in via $pif
>
> # Deny ACK packets that did not match the dynamic rule table
> $cmd 332 deny tcp from any to any established in via $pif
>
> # Allow traffic in from ISP's DHCP server. This rule must contain
> # the IP address of your ISP's DHCP server as it's the only
> # authorized source to send this packet type.
> # Only necessary for cable or DSL configurations.
> # This rule is not needed for 'user ppp' type connection to
> # the public internet. This is the same IP address you captured
> # and used in the outbound section.
> $cmd 360 allow udp from 172.19.17.22 to any 68 in via $pif keep-state
>
> # Allow in standard www function because I have apache server
> $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr
> 2
> $cmd 370 allow tcp from any to me 8888 in via $pif setup limit
> src-addr 2
>
> # Allow in secure FTP, Telnet, and SCP from public Internet
> $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr
> 2
>
> # Allow in non-secure Telnet session from public Internet
> # labeled non-secure because ID & PW are passed over public
> # internet as clear text.
> # Delete this sample group if you do not have telnet server enabled.
> # $cmd 390 allow tcp from any to me 23 in via $pif setup limit
> src-addr 2
>
> # Reject & Log all unauthorized incoming connections from the public
> internet
> $cmd 500 deny log all from any to any in via $pif
>
> # Reject & Log all unauthorized out going connections to the public
> internet
>
> $cmd 550 deny log all from any to any out via $pif
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
>
>
> ################ End of IPFW rules file
> ###############################
>
> Here's all of today's security output:
>
> Jul 31 07:50:36 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1649
> 193.0.14.129:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671
> 68.105.161.20:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042
> 68.1.18.25:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4365
> 68.10.16.30:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2365
> 68.105.161.20:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4325
> 68.1.18.25:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3378
> 68.10.16.30:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2952
> 68.105.161.20:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1359
> 68.1.18.25:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4738
> 68.10.16.30:53 out via dc1
> Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550
> Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860
> 68.105.58.150:21 in via dc1
> Jul 31 07:51:51 sara last message repeated 2 times
> Jul 31 07:53:15 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3875
> 68.105.58.150:21 in via dc1
> Jul 31 07:53:24 sara last message repeated 2 times
> Jul 31 07:53:32 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3878
> 68.105.58.150:21 in via dc1
> Jul 31 07:53:41 sara last message repeated 2 times
> Jul 31 07:53:44 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3881
> 68.105.58.150:21 in via dc1
> Jul 31 07:53:44 sara /kernel: ipfw: limit 10 reached on entry 500
> Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53
> 192.168.1.102:3232 in via dc1
> Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.105.161.20:53
> 192.168.1.102:3232 in via dc1
> Jul 31 08:14:33 sara /kernel: ipfw: 65000 Deny UDP 10.2.184.1:67
> 255.255.255.255:68 in via dc1
> Jul 31 08:15:28 sara last message repeated 2 times
> Jul 31 08:15:47 sara last message repeated 5 times
> Jul 31 08:15:47 sara /kernel: ipfw: limit 10 reached on entry 65000
> Jul 31 08:31:20 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3534
> 198.41.0.4:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178
> 68.105.161.20:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476
> 68.1.18.25:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747
> 68.10.16.30:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4952
> 68.105.161.20:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2260
> 68.1.18.25:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4087
> 68.10.16.30:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4914
> 68.105.161.20:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1849
> 68.1.18.25:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2220
> 68.10.16.30:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: limit 10 reached on entry 550
>
> Here's rc.conf again:
>
> # -- sysinstall generated deltas --
> # Sun Jul  4 10:40:48 2004
> # Created: Sun Jul  4 10:40:48 2004
> # Enable network daemons for user convenience.
> # Please make all changes to this file, not to /etc/defaults/rc.conf.
> # This file now contains just the overrides from
> /etc/defaults/rc.conf.
> hostname="sara.mshome.net"
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> firewall_enable="YES" firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> moused_enable="YES"
> named_enable="YES"
> nfs_client_enable="YES"
> nfs_reserved_port_only="YES"
> nfs_server_enable="YES"
> sendmail_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> ntpd_enable="YES"
> inetd_enable="YES"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="dc1"
> natd_flags="-dynamic"
>
> Here's dmesg.boot:
>
> Copyright (c) 1992-2004 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993,
> 1994
>         The Regents of the University of California. All rights
> reserved.
> FreeBSD 4.10-RELEASE #8: Fri Jul 30 07:19:43 CDT 2004
>     jcoulter@sara.mshome.net:/usr/obj/usr/src/sys/SARA
> Timecounter "i8254"  frequency 1193182 Hz
> CPU: Intel Celeron (634.78-MHz 686-class CPU)
>   Origin = "GenuineIntel"  Id = 0x686  Stepping = 6
>
> Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,
> PAT,PSE36,MMX,FXSR,SSE>
> real memory  = 134201344 (131056K bytes)
> avail memory = 127057920 (124080K bytes)
> Preloaded elf kernel "kernel" at 0xc0381000.
> Pentium Pro MTRR support enabled
> md0: Malloc disk
> Using $PIR table, 8 entries at 0xc00f0e80
> npx0: <math processor> on motherboard
> npx0: INT 16 interface
> pcib0: <Intel 82443BX (440 BX) host to PCI bridge> on motherboard
> pci0: <PCI bus> on pcib0
> agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem
> 0xe4000000-0xe7ffffff
> at device 0.0 on pci0
> pcib1: <Intel 82443BX (440 BX) PCI-PCI (AGP) bridge> at device 1.0 on
> pci0
> pci1: <PCI bus> on pcib1
> pci1: <ATI Mach64-GB graphics accelerator> at 0.0 irq 11
> isab0: <Intel 82371AB PCI to ISA bridge> at device 4.0 on pci0
> isa0: <ISA bus> on isab0
> atapci0: <Intel PIIX4 ATA33 controller> port 0xb800-0xb80f at device
> 4.1 on
> pci0
> ata0: at 0x1f0 irq 14 on atapci0
> ata1: at 0x170 irq 15 on atapci0
> uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xb400-0xb41f
> irq 9 at
> device 4.2 on pci0
> usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
> usb0: USB revision 1.0
> uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> chip0: <Intel 82371AB Power management controller> port 0xe800-0xe80f
> at
> device 4.3 on pci0
> dc0: <ADMtek AN985 10/100BaseTX> port 0xb000-0xb0ff mem
> 0xe1000000-0xe10003ff irq 12 at device 10.0 on pci0
> dc0: Ethernet address: 00:04:5a:76:55:f0
> miibus0: <MII bus> on dc0
> ukphy0: <Generic IEEE 802.3u media interface> on miibus0
> ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> dc1: <LC82C115 PNIC II 10/100BaseTX> port 0xa800-0xa8ff mem
> 0xe0800000-0xe08000ff irq 10 at device 11.0 on pci0
> dc1: Ethernet address: 00:a0:cc:33:e1:f6
> miibus1: <MII bus> on dc1
> dcphy0: <Intel 21143 NWAY media interface> on miibus1
> dcphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
> isa0: too many dependant configs (8)
> isa0: unexpected small tag 14
> orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
> pmtimer0 on isa0
> fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on
> isa0
> fdc0: FIFO enabled, 8 bytes threshold
> fd0: <1440-KB 3.5" drive> on fdc0 drive 0
> atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
> atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
> kbd0 at atkbd0
> vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on
> isa0
> sc0: <System console> at flags 0x100 on isa0
> sc0: VGA <16 virtual consoles, flags=0x300>
> sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
> sio0: type 16550A
> sio1 at port 0x2f8-0x2ff irq 3 on isa0
> sio1: type 16550A
> ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
> ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
> ppc0: FIFO with 16/16/9 bytes threshold
> plip0: <PLIP network interface> on ppbus0
> lpt0: <Printer> on ppbus0
> lpt0: Interrupt-driven port
> ppi0: <Parallel I/O> on ppbus0
> IP packet filtering initialized, divert enabled, rule-based forwarding
> enabled, default to deny, logging limited to 10 packets/entry by
> default
> ad0: DMA limited to UDMA33, non-ATA66 cable or device
> ad0: 19623MB <IBM-DTLA-305020> [39870/16/63] at ata0-master UDMA33
> acd0: CDROM <SONY CD-ROM CDU4821> at ata0-slave PIO4
> Mounting root from ufs:/dev/ad0s1a
>
> Thanks,
>
> Jim C.
>
>
>
>> -----Original Message-----
>> From: JJB [mailto:Barbish3@adelphia.net]
>> Sent: Saturday, July 31, 2004 10:28 AM
>> To: James A. Coulter; freebsd-questions@freebsd.org
>> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>>
>>
>> You better re-read what you posted in early post. You posted
>> that dc1 is your outside NIC, which is connected to your
>> cable modem which is connected to your ISP. Your outside NIC
>> needs DHCP to get ip and dns info from your ISP. NOW YOU SAY
>> dc1 IS INSIDE INTERFACE NAME.  Make up your mind which is correct.
>>
>> Verify you have correct  interface name coded in ipfw rules
>> for NIC connected to cable modem and that the same NIC
>> interface name is the one in rc.conf with DHCP option. When
>> DHCP gets DNS info from ISP /etc/resolv.conf will auto
>> updated with correct info. Read comments in sample firewall
>> source and follow what comments say.  You are making this
>> harder than it really is.
>>
>> Also there is no setup option on UDP packets just keepstate
>>
>> Post full contents of your current dmesg.boot, rc.conf,  ipfw
>> rule set, and ipfw log files so people can see just want you
>> have configured.  And answer question of how you are
>> assigning ip address to LAN PCs? Also post output of ifconfig
>> -a command after boot completes.
>>
>>
>> -----Original Message-----
>> From: owner-freebsd-questions@freebsd.org
>> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
>> James A. Coulter
>> Sent: Saturday, July 31, 2004 9:55 AM
>> To: freebsd-questions@freebsd.org
>> Cc: Barbish3@adelphia.net
>> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>>
>> Thanks for the response. . .
>>
>> I changed rule 00005 from x10 to dc0 - thanks
>>
>> Not sure why I would want my inside nic requesting DHCP
>> service from my ISP. It has been working fine in the
>> configuration I have it so I've left it the way it is.
>>
>> I checked the security log, and found this:
>>
>> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP
>> 68.105.58.150:2609 68.105.161.20:53 out via dc1 Jul 30
>> 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067
>> 68.1.18.25:53 out via dc1 Jul 30 08:58:37 sara /kernel: ipfw:
>> 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1
>>
>> These are the three name servers specified in the rule set
>>
>> I checked the rule set and found this:
>>
>> # Allow out access to my ISP's Domain name server.
>> # x.x.x.x must be the IP address of your ISP's DNS
>> # Dup these lines if your ISP has more than one DNS server
>> # Get the IP addresses from /etc/resolv.conf file
>> $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif
>> setup keep-state $cmd 021 $skip tcp from any to 68.1.18.25 53
>> out via $pif setup keep-state $cmd 022 $skip tcp from any to
>> 68.10.16.30 53 out via $pif setup keep-state
>>
>> Because security said the firewall was denying UDP packets, I
>> changed the rules to this:
>>
>> $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif
>> setup keep-state $cmd 021 $skip udp from any to 68.1.18.25 53
>> out via $pif setup keep-state $cmd 022 $skip udp from any to
>> 68.10.16.30 53 out via $pif setup keep-state
>>
>> But that hasn't helped.  I'm still getting:
>>
>> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP
>> 68.105.58.150:3178 68.105.161.20:53 out via dc1 Jul 31
>> 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476
>> 68.1.18.25:53 out via dc1 Jul 31 08:31:21 sara /kernel: ipfw:
>> 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
>>
>> FWIW, these rules are skipping to:
>>
>> # This is skipto location for outbound stateful rules
>> $cmd 800 divert natd ip from any to any out via $pif
>> $cmd 801 allow ip from any to any
>>
>> I apologize for being such a bother and I do appreciate any
>> help or suggestions.
>>
>> TIA
>>
>> Jim C.
>>
>>
>>
>> > -----Original Message-----
>> > From: owner-freebsd-questions@freebsd.org
>> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of JJB
>> > Sent: Friday, July 30, 2004 1:20 PM
>> > To: James A. Coulter; freebsd-questions@freebsd.org
>> > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>> >
>> >
>> > Change this ipfw rule from
>> >
>> > 00005   allow ip from any to any via xl0
>> >
>> > To
>> > 00005   allow ip from any to any via dc0
>> >
>> > because dc0 is the lan interface name and not xl0.
>> >
>> >
>> > Change these statement in rc.conf because you have interface name
>> > backwards. Dc1 is the NIC connected to your cable modem and
>> you want
>> > to get DHCP info from your ISP. Dc0 is the NIC connected to
>> your LAN.
>> >
>> > From
>> > ifconfig_dc1="DHCP"
>> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
>> >
>> > to
>> > ifconfig_dc0="DHCP"
>> > ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
>> >
>> >
>> > You do not say how your LAN PCs get their ip address.
>> > You can hard code them on each LAN PC
>> > or you have to run isc-dhcp-server on your Gateway box to
>> auto assign
>> > ip address to LAN PCs.
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: owner-freebsd-questions@freebsd.org
>> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of James A.
>> > Coulter
>> > Sent: Friday, July 30, 2004 10:56 AM
>> > To: freebsd-questions@freebsd.org
>> > Subject: Firewall Rule Set not allowing access to DNS servers?
>> >
>> > I am using FreeBSD 4.10 as a gateway/router for a small
>> home LAN. My
>> > outside interface (dc1) is connected to a cable modem and is
>> > configured for DHCP.
>> >
>> > I have compiled and installed a custom kernel with IPFIREWALL and
>> > IPDIVERT options and with a rule set allowing any to any with no
>> > problems
>> >
>> > I am in the process of adding a proper rule set to provide
>> security. I
>> > was referred to
>> http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
>> > installed the Stateful + NATD Rule Set modified for my
>> > outside interface, domain name servers, and DHCP server.
>> >
>> > I can ping IP addresses and pass SMTP mail back and forth from the
>> > gateway/router and all machines on the LAN, but I cannot
>> ping URLs - I
>> > am getting "ping: cannot resolve
>> > www.freebsd.org: Host name lookup failure" errors.
>> >
>> >
>> > This is what ipfw -a list looks like:
>> >
>> > sara# ipfw -a list
>> > 00005   0     0 allow ip from any to any via xl0
>> > 00010  52  3640 allow ip from any to any via lo0
>> > 00014   0     0 divert 8668 ip from any to any in recv dc1
>> > 00015   0     0 check-state
>> > 00020   0     0 skipto 800 tcp from any to 68.105.161.20 53
>> > keep-state out
>> > xmit dc1 setup
>> > 00021   0     0 skipto 800 tcp from any to 68.1.18.25 53
>> keep-state
>> > out xmit
>> > dc1 setup
>> > 00022   0     0 skipto 800 tcp from any to 68.10.16.30 53
>> keep-state
>> > out
>> > xmit dc1 setup
>> > 00030   0     0 skipto 800 udp from any to 172.19.17.22 67
>> > keep-state out
>> > xmit dc1
>> > 00040   0     0 skipto 800 tcp from any to any 80 keep-state out
>> > xmit dc1
>> > setup
>> > 00050   0     0 skipto 800 tcp from any to any 443 keep-state out
>> > xmit dc1
>> > setup
>> > 00060   0     0 skipto 800 tcp from any to any 25 keep-state out
>> > xmit dc1
>> > setup
>> > 00061   0     0 skipto 800 tcp from any to any 110 keep-state out
>> > xmit dc1
>> > setup
>> > 00070   0     0 skipto 800 tcp from me to any uid root keep-state
>> > out xmit
>> > dc1 setup
>> > 00080   0     0 skipto 800 icmp from any to any keep-state out
>> xmit
>> > dc1
>> > 00090   0     0 skipto 800 tcp from any to any 37 keep-state out
>> > xmit dc1
>> > setup
>> > 00100   0     0 skipto 800 tcp from any to any 119 keep-state out
>> > xmit dc1
>> > setup
>> > 00110   0     0 skipto 800 tcp from any to any 22 keep-state out
>> > xmit dc1
>> > setup
>> > 00120   0     0 skipto 800 tcp from any to any 43 keep-state out
>> > xmit dc1
>> > setup
>> > 00130   0     0 skipto 800 udp from any to any 123 keep-state out
>> > xmit dc1
>> > 00300   0     0 deny ip from 192.168.0.0/16 to any in recv dc1
>> > 00301   0     0 deny ip from 172.16.0.0/12 to any in recv dc1
>> > 00302   0     0 deny ip from 10.0.0.0/8 to any in recv dc1
>> > 00303   0     0 deny ip from 127.0.0.0/8 to any in recv dc1
>> > 00304   0     0 deny ip from 0.0.0.0/8 to any in recv dc1
>> > 00305   0     0 deny ip from 169.254.0.0/16 to any in recv dc1
>> > 00306   0     0 deny ip from 192.0.2.0/24 to any in recv dc1
>> > 00307   0     0 deny ip from 204.152.64.0/23 to any in recv dc1
>> > 00308   0     0 deny ip from 224.0.0.0/3 to any in recv dc1
>> > 00315   0     0 deny tcp from any to any 113 in recv dc1
>> > 00320   0     0 deny tcp from any to any 137 in recv dc1
>> > 00321   0     0 deny tcp from any to any 138 in recv dc1
>> > 00322   0     0 deny tcp from any to any 139 in recv dc1
>> > 00323   0     0 deny tcp from any to any 81 in recv dc1
>> > 00330   0     0 deny ip from any to any in recv dc1 frag
>> > 00332   0     0 deny tcp from any to any in recv dc1 established
>> > 00360   0     0 allow udp from 172.19.17.22 to any 68 keep-state
>> in
>> > recv dc1
>> > 00370   0     0 allow tcp from any to me 80 limit src-addr 2 in
>> recv
>> > dc1
>> > setup
>> > 00370   0     0 allow tcp from any to me 8888 limit src-addr 2 in
>> > recv dc1
>> > setup
>> > 00380   0     0 allow tcp from any to me 22 limit src-addr 2 in
>> recv
>> > dc1
>> > setup
>> > 00400   0     0 deny log logamount 10 ip from any to any in recv
>> dc1
>> > 00450  81  5288 deny log logamount 10 ip from any to any out xmit
>> dc1
>> > 00800   0     0 divert 8668 ip from any to any out xmit dc1
>> > 00801 645 59255 allow ip from any to any
>> > 00999   0     0 deny log logamount 10 ip from any to any
>> > 65535   1   347 deny ip from any to any
>> > This is what my /etc/rc.conf looks like:
>> >
>> > hostname="sara.mshome.net"
>> > ifconfig_dc1="DHCP"
>> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
>> > firewall_enable="YES" firewall_script="/etc/ipfw.rules"
>> > firewall_logging="YES" kern_securelevel_enable="NO"
>> linux_enable="YES"
>> > moused_enable="YES" named_enable="YES" nfs_client_enable="YES"
>> > nfs_reserved_port_only="YES" nfs_server_enable="YES"
>> > sendmail_enable="YES" sshd_enable="YES" usbd_enable="YES"
>> > ntpd_enable="YES" inetd_enable="YES" gateway_enable="YES"
>> > natd_enable="YES" natd_interface="dc1" natd_flags="-dynamic"
>> >
>> > Finally, this is what /etc/resolv.conf looks like:
>> >
>> > sara# more /etc/resolv.conf
>> > search pn.at.cox.net
>> > nameserver 68.105.161.20
>> > nameserver 68.1.18.25
>> > nameserver 68.10.16.30
>> >
>> > Any ideas?
>> >
>> > Thanks,
>> >
>> > Jim C.
>> >
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to
>> > "freebsd-questions-unsubscribe@freebsd.org"
>> >
>> > _______________________________________________
>> > freebsd-questions@freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > To unsubscribe, send any mail to
>> > "freebsd-questions-unsubscribe@freebsd.org"
>> >
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"
>>
>>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>



