From: "JJB"
Reply-To: Barbish3@adelphia.net
To: "James A. Coulter"; freebsd-questions@freebsd.org
Date: Sat, 31 Jul 2004 14:08:04 -0400
Subject: RE: Firewall Rule Set not allowing access to DNS servers?
In-Reply-To: <000401c47721$07faf590$6e01a8c0@sabrina>

Look back at the ipfw sample rule set and you will see that there are
both udp and tcp protocol access to DNS. Also note that udp does not use
the setup keyword.

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

Your DNS rules are

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

As you can see, you have no tcp protocol statements. Your udp rules use
the setup keyword, which is only for tcp rules, so your udp packets never
match this rule and default to getting blocked, which is why you get log
error messages and you cannot access the public internet.

Also, if you look closely at the first 4 ipfw log messages you will see
the first message is about ip address 193.0.14.129, which is the primary
dns server pointed to by the url "search pn.at.cox.net" in /etc/resolv.conf.

Change your DNS rules to look like this:

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
$cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
$cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state
$cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of James A. Coulter
Sent: Saturday, July 31, 2004 1:09 PM
To: Barbish3@adelphia.net; freebsd-questions@freebsd.org
Subject: RE: Firewall Rule Set not allowing access to DNS servers?

My LAN is configured with static IP addresses, 192.168.1.x. I have no
problems communicating within the LAN. I have full connectivity with the
internet from every machine on my LAN when the firewall is open. When I
use the rule set in question, I can ping and send mail but I cannot
access the DNS servers listed in resolv.conf. These are the same DNS
servers placed in resolv.conf when the firewall is open.

I'm sorry, but I never said dc1 was my inside nic.

Again, I appreciate any help with this. The files you requested follow.
Here's my ifconfig -a:

sara# ifconfig -a
dc0: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:76:55:f0
        media: Ethernet autoselect (100baseTX )
        status: active
dc1: flags=8843 mtu 1500
        inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
        inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
        ether 00:a0:cc:33:e1:f6
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500

Here's resolv.conf:

sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30

Here's the entire rule set I'm trying to use. I did follow the comments.
Please note the variable pif is set to dc1, my outside nic.

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"     # public interface name of Nic card
              # facing the public internet

#################################################################
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via dc0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif     #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif       #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from 172.19.17.22 to any 68 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 370 allow tcp from any to me 8888 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
# $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all unauthorized incoming connections from the public internet
$cmd 500 deny log all from any to any in via $pif

# Reject & Log all unauthorized out going connections to the public internet
$cmd 550 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################

Here's all of today's security output:

Jul 31 07:50:36 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1649 193.0.14.129:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4365 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2365 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4325 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3378 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2952 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1359 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4738 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550
Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860 68.105.58.150:21 in via dc1
Jul 31 07:51:51 sara last message repeated 2 times
Jul 31 07:53:15 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3875 68.105.58.150:21 in via dc1
Jul 31 07:53:24 sara last message repeated 2 times
Jul 31 07:53:32 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3878 68.105.58.150:21 in via dc1
Jul 31 07:53:41 sara last message repeated 2 times
Jul 31 07:53:44 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3881 68.105.58.150:21 in via dc1
Jul 31 07:53:44 sara /kernel: ipfw: limit 10 reached on entry 500
Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53 192.168.1.102:3232 in via dc1
Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.105.161.20:53 192.168.1.102:3232 in via dc1
Jul 31 08:14:33 sara /kernel: ipfw: 65000 Deny UDP 10.2.184.1:67 255.255.255.255:68 in via dc1
Jul 31 08:15:28 sara last message repeated 2 times
Jul 31 08:15:47 sara last message repeated 5 times
Jul 31 08:15:47 sara /kernel: ipfw: limit 10 reached on entry 65000
Jul 31 08:31:20 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3534 198.41.0.4:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4952 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2260 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4087 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4914 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1849 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2220 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: limit 10 reached on entry 550

Here's rc.conf again:

# -- sysinstall generated deltas -- # Sun Jul  4 10:40:48 2004
# Created: Sun Jul  4 10:40:48 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="sara.mshome.net"
ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
named_enable="YES"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ntpd_enable="YES"
inetd_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="dc1"
natd_flags="-dynamic"

Here's dmesg.boot:

Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 4.10-RELEASE #8: Fri Jul 30 07:19:43 CDT 2004
    jcoulter@sara.mshome.net:/usr/obj/usr/src/sys/SARA
Timecounter "i8254"  frequency 1193182 Hz
CPU: Intel Celeron (634.78-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x686  Stepping = 6
  Features=0x383f9ff
real memory  = 134201344 (131056K bytes)
avail memory = 127057920 (124080K bytes)
Preloaded elf kernel "kernel" at 0xc0381000.
Pentium Pro MTRR support enabled
md0: Malloc disk
Using $PIR table, 8 entries at 0xc00f0e80
npx0: on motherboard
npx0: INT 16 interface
pcib0: on motherboard
pci0: on pcib0
agp0: mem 0xe4000000-0xe7ffffff at device 0.0 on pci0
pcib1: at device 1.0 on pci0
pci1: on pcib1
pci1: at 0.0 irq 11
isab0: at device 4.0 on pci0
isa0: on isab0
atapci0: port 0xb800-0xb80f at device 4.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: port 0xb400-0xb41f irq 9 at device 4.2 on pci0
usb0: on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
chip0: port 0xe800-0xe80f at device 4.3 on pci0
dc0: port 0xb000-0xb0ff mem 0xe1000000-0xe10003ff irq 12 at device 10.0 on pci0
dc0: Ethernet address: 00:04:5a:76:55:f0
miibus0: on dc0
ukphy0: on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: port 0xa800-0xa8ff mem 0xe0800000-0xe08000ff irq 10 at device 11.0 on pci0
dc1: Ethernet address: 00:a0:cc:33:e1:f6
miibus1: on dc1
dcphy0: on miibus1
dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
isa0: too many dependant configs (8)
isa0: unexpected small tag 14
orm0:
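The two checks JJB makes by eye in the reply above (no setup keyword on a udp rule, and both a udp and a tcp rule to port 53 for every nameserver in /etc/resolv.conf) can be automated against a rules file before it is loaded. The following is an added example, not code from either poster or from FreeBSD's ipfw: a small Python lint that parses rule lines in the "$cmd NUM action proto from SRC [PORT] to DST [PORT] options" shape this rules file uses (that grammar, and the helper names parse_rules, nameservers, usable_dns_rule and lint, are the example's own assumptions). The sample inputs are the poster's DNS rules and JJB's corrected ones from the thread, embedded as constructed strings.

```python
"""Lint an ipfw rules file for the two DNS mistakes discussed in the thread:
a non-TCP rule carrying the 'setup' keyword (it can never match), and a
nameserver from /etc/resolv.conf with no usable outbound udp or tcp rule
to port 53.  Added example with hypothetical helper names; not ipfw code."""
import re

# Constructed sample inputs, taken from the thread.
RESOLV_CONF = """\
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30
"""

# The poster's rules: udp with 'setup', and no tcp rules at all.
BROKEN_RULES = """\
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"
# Allow out access to my ISP's Domain name server.
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
"""

# JJB's corrected rules: udp without 'setup', plus a tcp rule per server.
FIXED_RULES = """\
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"
$cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
$cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
$cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state
$cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
$cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
"""

# Only the '$cmd NUM action proto from SRC [PORT] to DST [PORT] opts' shape
# used in this rules file is understood (an assumption of this lint).
RULE_RE = re.compile(
    r"""^\$cmd\s+(?P<num>\d+)\s+
        (?P<action>\$skip|allow|deny\s+log|deny|divert\s+natd)\s+
        (?P<proto>\w+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?
        \s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?
        (?P<opts>.*)$""",
    re.VERBOSE,
)


def parse_rules(text):
    """One dict per parsable rule line; comments and variable lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["proto"] = r["proto"].lower()   # treat 'UDP' and 'udp' alike
        r["opts"] = r["opts"].split()
        rules.append(r)
    return rules


def nameservers(resolv_conf):
    """Nameserver addresses listed in resolv.conf, in order."""
    return [l.split()[1] for l in resolv_conf.splitlines()
            if l.startswith("nameserver")]


def usable_dns_rule(rule, server, proto):
    """True if RULE is an outbound PROTO rule to SERVER port 53 that can match."""
    return (rule["proto"] == proto and rule["dst"] == server
            and rule["dport"] == "53" and "out" in rule["opts"]
            and not ("setup" in rule["opts"] and proto != "tcp"))


def lint(rules_text, resolv_conf):
    """Return a list of human-readable findings (empty means no problem found)."""
    findings = []
    rules = parse_rules(rules_text)
    for r in rules:
        if "setup" in r["opts"] and r["proto"] != "tcp":
            findings.append(f"rule {r['num']}: 'setup' matches only TCP SYN packets, "
                            f"so this {r['proto']} rule never matches")
    for ns in nameservers(resolv_conf):
        for proto in ("udp", "tcp"):
            if not any(usable_dns_rule(r, ns, proto) for r in rules):
                findings.append(f"nameserver {ns}: no usable outbound {proto} rule to port 53")
    return findings


if __name__ == "__main__":
    for name, text in (("poster's rules", BROKEN_RULES), ("corrected rules", FIXED_RULES)):
        found = lint(text, RESOLV_CONF)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

Run as a script it prints the findings for both sets: the poster's rules produce one finding per setup-on-udp rule plus two per nameserver (no usable udp rule, no tcp rule at all), and the corrected rules produce none. The lint deliberately does not touch ipfw itself, so it can run on any machine before the rules file is copied to the gateway.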