Date:      Tue, 19 Oct 1999 19:17:32 -0700
From:      Bryan Talbot <btalbot@ucsd.edu>
To:        matt <matt@BabCom.ORG>, FreeBSD-STABLE <stable@FreeBSD.ORG>
Subject:   Re: ipfw rule wrong in rc.firewall(?)
Message-ID:  <4.2.0.58.19991019191102.00a7b7a0@ekimaphost>
In-Reply-To: <Pine.BSF.4.20.9910192103180.8578-100000@s01.arpa-canada.net>


Your problem is that the dns server is not responding from port 53 as is 
customary.  The first ipfw rule allows dns query responses originating only 
from port 53; however, it is possible to configure a name server so that 
query responses originate from some other port number.

 > I think I need more coffee, or more sleep. I'm completely not thinking.
 > You do need the rule from /usr/src/etc/rc.firewall... I ended up needing
 > this to make it work;;
 > ipfw -q add allow udp from any to 209.104.122.0/24 53
 > ipfw -q add allow udp from any 53 to 209.104.122.0/24


BTW, the solution above to allow UDP packets which originate from any 
machine's port 53 is pretty weak.  Any datagram from any host will pass 
through your firewall as long as it originates from port 53.  This is a 
pretty common thing to check for when probing firewalls, I'm sure.

Get some sleep and turn on firewall logging so you can see why packets are 
being rejected/accepted.

-Bryan


At 06:11 PM 10/19/99, matt wrote:

>Hello,
>
>         I don't know if this is what I think it is, but it sure took me
>back a little bit. Please note that I may be totally wrong, but here is
>what I experienced on *MY* two FreeBSD 3.3-STABLE machines:
>
>IPFW rules for DNS udp like this:
>
>ipfw -q add allow udp from any 53 to 209.104.122.0/24
>..... much later on .....
>ipfw -q add deny udp from any to 209.104.122.0/24
>
>now this udp allow for dns comes straight from /usr/src/etc/rc.firewall.
><--- quote
>     # Allow DNS queries out in the world
>     $fwcmd add pass udp from any 53 to ${ip}
>     $fwcmd add pass udp from ${ip} to any 53
>end quote --->
>
>This totally broke anyone else being able to look up domains served by my
>nameservers, so I thought that meant doing this:
>
>ipfw -q add allow udp from any to 209.104.122.0/24 53
>
>Which worked perfectly fine. I have not taken the time to dig into the
>problem, I haven't slept, and am quite too tired to do this tonight. I
>am reporting what I saw on my machine with the example not working. This
>is probably just a matter of updating the example rc.firewall? I'll leave
>it to the big boys to decide. Thanks.

=====================================================================
COMPONENT EQUIVALENCY NOTICE: The subatomic particles (Electrons,
Protons, etc.) comprising this message are exactly the same in
every measurable respect as those used in the messages of other
people, and no claim to the contrary may legitimately be expressed
or implied.
=====================================================================
          "I think not!" said Descartes, who promptly disappeared.
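The following is an added illustration, not code from the thread or from FreeBSD's rc.firewall. It is a small first-match simulator for the subset of ipfw UDP rule syntax the mail uses, so the two points of the thread can be reproduced offline: the rc.firewall-style rule `from any 53 to ${ip}` drops incoming queries (matt's breakage), while the replacement `from any 53 to net` accepts any datagram whose source port happens to be 53 (Bryan's objection). The network 209.104.122.0/24 is taken from the mail; the host addresses and packets are constructed for the example.

```python
"""First-match simulator for the ipfw UDP rules discussed in the thread.

Added example (not the original mail's or FreeBSD's code).  It understands
only the rule shape the thread uses:

    [ipfw [-q] add] allow|pass|deny udp from <src>[ <sport>] to <dst>[ <dport>]

where <src>/<dst> is 'any', a host address, or a CIDR network, and a missing
port means 'any port'.  Like ipfw, the first matching rule decides.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREFIX_RE = re.compile(r"^ipfw\s+(?:-q\s+)?add\s+")
RULE_RE = re.compile(
    r"^(allow|pass|deny)\s+udp\s+from\s+(\S+)(?:\s+(\d+))?\s+to\s+(\S+)(?:\s+(\d+))?$"
)


@dataclass
class Rule:
    action: str            # "allow" or "deny" ("pass" is normalised to "allow")
    src: str
    sport: Optional[int]   # None == any source port
    dst: str
    dport: Optional[int]   # None == any destination port


def parse_rule(text: str) -> Rule:
    """Parse one rule line as it appears in the mail (ipfw prefix optional)."""
    body = PREFIX_RE.sub("", text.strip())
    m = RULE_RE.match(body)
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    action, src, sport, dst, dport = m.groups()
    action = "allow" if action == "pass" else action
    return Rule(action, src, int(sport) if sport else None,
                dst, int(dport) if dport else None)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port


# A packet is (src_addr, src_port, dst_addr, dst_port).
Packet = Tuple[str, int, str, int]


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that matched); first match wins."""
    src, sport, dst, dport = pkt
    for i, r in enumerate(rules):
        if (addr_matches(r.src, src) and port_matches(r.sport, sport)
                and addr_matches(r.dst, dst) and port_matches(r.dport, dport)):
            return r.action, i
    return default, None


def check(rules: List[Rule], pkt: Packet) -> str:
    return evaluate(rules, pkt)[0]


NET = "209.104.122.0/24"  # network from the thread

# matt's original ruleset: the rc.firewall "DNS responses" rule, then the catch-all deny.
ORIGINAL = [parse_rule(r) for r in (
    f"ipfw -q add allow udp from any 53 to {NET}",
    f"ipfw -q add deny udp from any to {NET}",
)]

# What matt switched to: accept queries *to* port 53 on the nameserver instead.
QUERIES_TO_53 = [parse_rule(r) for r in (
    f"ipfw -q add allow udp from any to {NET} 53",
    f"ipfw -q add deny udp from any to {NET}",
)]

# Constructed packets (198.51.100.7 is a documentation address, not a real client).
QUERY = ("198.51.100.7", 40000, "209.104.122.10", 53)   # outside host querying our nameserver
PROBE = ("198.51.100.7", 53, "209.104.122.10", 40000)   # arbitrary datagram merely sourced from 53


def demo() -> dict:
    """Summarise how each ruleset treats a real query and a port-53-sourced datagram."""
    return {
        "original/query": check(ORIGINAL, QUERY),        # deny  -> nobody can query us
        "original/probe": check(ORIGINAL, PROBE),        # allow -> Bryan's objection
        "queries_to_53/query": check(QUERIES_TO_53, QUERY),
        "queries_to_53/probe": check(QUERIES_TO_53, PROBE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} {v}")
```

Running the block shows the query is denied and the probe allowed under the original rules, and the reverse under the port-53-destination rule; the rule index returned by `evaluate` is what you would compare against an `ipfw` log line to see which rule accepted or rejected a packet, which is the point of Bryan's suggestion to turn logging on.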