Date:      01 Mar 2003 10:52:36 -0800
From:      Mark <mw@lanfear.com>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        questions@freebsd.org
Subject:   Re: DNS and ipfw
Message-ID:  <1046544756.11595.13.camel@donburi>
In-Reply-To: <3E60CEF2.3060304@potentialtech.com>
References:  <1046497302.10689.4.camel@donburi> <1046500933.10689.9.camel@donburi>  <3E60CEF2.3060304@potentialtech.com>

On Sat, 2003-03-01 at 07:17, Bill Moran wrote:
> Mark wrote:
> > 	This is really wonky!  I've tried all sorts of variations on the
> > following rules:
> > 
> > 	add pass tcp from any 53 to 10.0.0.0/24
> > 	add pass udp from any 53 to 10.0.0.0/24
> > 	add pass tcp from 10.0.0.0/24 to any 53
> > 	add pass udp from 10.0.0.0/24 to any 53
> 
> I'm assuming that you're not running a DNS cache on the firewall?  So make
> sure these rules come _after_ the divert rule.
> 
> You'll need keep-state's on the udp rules.  Although tcp port 53 is
> registered to DNS, I've never actually seen it used.  Here are some
> rules to try:
> 
> add pass udp from 10.0.0.0/24 to any 53 keep-state
> add pass udp from any to any 53 keep-state via xx0 out

	That appears to have done the trick, thanks very much!  That
keep-state appears to be the key that I wasn't quite understanding.

	Now, we'll just hope I don't run into the same problem with FreeBSD 4.3
where after a week of running like this, DNS queries would
suddenly stop getting through until I flushed and reset the firewall.

	Thanks again!

ciao,
Mark.
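The two points in Bill's reply (pass rules must sit after the divert, and the UDP rules need keep-state) are easier to see with a small model than with a live box. The following is an added illustration written for this page, not code from the thread and not FreeBSD's ipfw implementation. It assumes: the LAN is 10.0.0.0/24 as in the thread; interface names lan0 and xx0 (xx0 is the placeholder from Bill's rule); a firewall external address 203.0.113.5 and a nameserver 198.51.100.53 from the RFC 5737 documentation ranges; natd modelled as an in-place rewrite at the divert rule; one ruleset pass per interface a forwarded packet crosses; a keep-state rule consulting the dynamic table before its static match; and a default-deny ruleset. The constructed packets are a DNS query from 10.0.0.7, its reply, and an unsolicited packet that merely has source port 53.

```python
"""Toy first-match model of an ipfw ruleset with a natd divert rule and keep-state.

Constructed illustration only; not FreeBSD's ipfw. Assumptions: a forwarded packet is
evaluated once per interface it crosses; the divert rule stands in for natd (outbound
LAN sources rewritten to the firewall address, inbound replies to a known mapping
rewritten back); a keep-state rule checks the dynamic table first, then records the
flow when its static part matches; anything unmatched is denied.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = "10.0.0.0/24"
LAN_IF, EXT_IF = "lan0", "xx0"      # xx0 is the placeholder interface name from the thread
FW_EXT = "203.0.113.5"              # assumed firewall external address (documentation prefix)
NS = "198.51.100.53"                # assumed upstream nameserver (documentation prefix)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str = "in"           # "in" or "out" relative to iface
    iface: str = LAN_IF


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass", "deny" or "divert"
    proto: str = "any"
    src: str = "any"                # "any" or a CIDR
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None # "in", "out" or None for both
    via: Optional[str] = None       # interface name or None for any
    keep_state: bool = False


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def matches(r: Rule, p: Packet) -> bool:
    """Static part of a rule: every field that is given must agree with the packet."""
    return (r.proto in ("any", p.proto)
            and _addr_ok(r.src, p.src) and r.sport in (None, p.sport)
            and _addr_ok(r.dst, p.dst) and r.dport in (None, p.dport)
            and r.direction in (None, p.direction) and r.via in (None, p.iface))


def flow_key(p: Packet) -> tuple:
    """Direction-agnostic 5-tuple so a reply hits the entry its query created."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, a, b)


class Firewall:
    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.dynamic: set[tuple] = set()     # keep-state entries
        self.nat: dict[tuple, str] = {}      # (proto, port) -> LAN host; natd's mapping table

    def _natd(self, p: Packet) -> Packet:
        if p.direction == "out" and _addr_ok(LAN, p.src):
            self.nat[(p.proto, p.sport)] = p.src
            return Packet(p.proto, FW_EXT, p.sport, p.dst, p.dport, p.direction, p.iface)
        if p.direction == "in" and p.dst == FW_EXT and (p.proto, p.dport) in self.nat:
            return Packet(p.proto, p.src, p.sport, self.nat[(p.proto, p.dport)], p.dport,
                          p.direction, p.iface)
        return p

    def evaluate(self, p: Packet) -> tuple[str, Packet]:
        """One pass through the ruleset on one interface; first match wins."""
        for r in self.rules:
            if r.action == "divert":
                if matches(r, p):
                    p = self._natd(p)
                continue
            if r.keep_state and flow_key(p) in self.dynamic:
                return "pass", p
            if matches(r, p):
                if r.keep_state:
                    self.dynamic.add(flow_key(p))
                return r.action, p
        return "deny", p                     # default-deny ruleset assumed

    def forward(self, p: Packet, path: list[tuple[str, str]]) -> tuple[str, Packet]:
        """Walk a packet across the interfaces in path; a deny on any of them drops it."""
        for direction, iface in path:
            p = Packet(p.proto, p.src, p.sport, p.dst, p.dport, direction, iface)
            verdict, p = self.evaluate(p)
            if verdict != "pass":
                return verdict, p
        return "pass", p


LAN_TO_NET = [("in", LAN_IF), ("out", EXT_IF)]
NET_TO_LAN = [("in", EXT_IF), ("out", LAN_IF)]
DIVERT = Rule("divert", via=EXT_IF)
STATELESS = [Rule("pass", "udp", src=LAN, dport=53),      # Mark's original pair
             Rule("pass", "udp", sport=53, dst=LAN)]


def stateless_before_divert() -> list[Rule]:
    return STATELESS + [DIVERT]


def stateless_after_divert() -> list[Rule]:
    return [DIVERT] + STATELESS


def keep_state_rules() -> list[Rule]:
    """Bill's two keep-state rules, after the divert."""
    return [DIVERT,
            Rule("pass", "udp", src=LAN, dport=53, keep_state=True),
            Rule("pass", "udp", dport=53, direction="out", via=EXT_IF, keep_state=True)]


def run(rules: list[Rule]) -> dict[str, str]:
    fw = Firewall(rules)
    query = Packet("udp", "10.0.0.7", 5353, NS, 53)
    reply = Packet("udp", NS, 53, FW_EXT, 5353)    # a reply arrives addressed to the firewall
    rogue = Packet("udp", NS, 53, FW_EXT, 40000)   # unsolicited; source port 53 but no query behind it
    q_verdict, q_out = fw.forward(query, LAN_TO_NET)
    return {"query": q_verdict,
            "query_src_on_wire": q_out.src,
            "reply": fw.forward(reply, NET_TO_LAN)[0] if q_verdict == "pass" else "skipped",
            "rogue": fw.forward(rogue, NET_TO_LAN)[0]}


if __name__ == "__main__":
    for name, rules in (("before divert", stateless_before_divert()),
                        ("after divert", stateless_after_divert()),
                        ("keep-state", keep_state_rules())):
        print(f"{name:14s} {run(rules)}")
```

Under this model the stateless pair placed ahead of the divert lets the query out untranslated (source still 10.0.0.7), so the reply can never be matched back; placed after the divert, the "from 10.0.0.0/24" rule no longer matches the query on xx0 because natd has already rewritten the source. Bill's pair passes the query on both interfaces, the reply rides the dynamic entry created on lan0, and the unsolicited packet from source port 53 is still denied, which is the reason keep-state is preferable to a blanket "from any 53 to 10.0.0.0/24". The dynamic-rule lifetime that Mark's week-long failure on 4.3 would turn on is not modelled here.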
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1046544756.11595.13.camel>