Date: Sat, 16 Dec 2000 01:10:16 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Carlos Andrade <carlos@rjstech.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: right
Message-ID: <20001216011016.N96105@149.211.6.64.reflexcom.com>
In-Reply-To: <000801c066e6$bb7e4620$fa01a8c0@rjstech.com>; from carlos@rjstech.com on Fri, Dec 15, 2000 at 03:31:13PM -0700
References: <000801c066e6$bb7e4620$fa01a8c0@rjstech.com>
On Fri, Dec 15, 2000 at 03:31:13PM -0700, Carlos Andrade wrote:
> So the email list found some typos (which is good, the typos bad).
And more below, or are these the same ones?
> And I
> have my machine on a crossover cable, life is peachy right? wrong...
>
> for some reason I cannot get dns to work. I can send email and receive
> email since I was able to hobble the ip's of my pop and smtp servers. So I
> look at my rc.firewall (attached) and well I cannot figure out why I can do
> things using IP's but not names. It's one thing for me to do this, it's
> another for the rest of the office to do it. For that matter I don't know
> off the top of my head the ip for www.yahoo.com. So I beseech this email
> list, what am I doing wrong?
[snip]
> case ${firewall_type} in
> [Ss][Ii][Mm][Pp][Ll][Ee])
>
> # I deleted open and client, too many conflicts
> # so we go directly in to simple
> # This is a prototype setup for a simple firewall. Configure this
> # machine as a named server and ntp server, and point all the machines
> # on the inside at this machine for those services.
> ############
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet="206.249.222.0"
> omask="255.255.255.224"
> oip="206.249.222.226"
>
> # set these to your inside interface network and netmask and ip
> iif="xl1"
> inet="192.168.1.0"
> imask="255.255.255.224"
> iip="192.168.1.225"
Errr... These numbers do not all agree. Your IP address is outside of
your network, or your netmask is too small, or your network is in the
wrong place.
> #dns servers
> #dns1="204.90.111.2"
> #dns2="205.137.48.5"
[snip]
> # UPD STUFF
>
> # Allow access to our DNS
> #${fwcmd} add 2900 pass upd from any to ${dns1} 53 setup
> #${fwcmd} add 3000 pass upd from any to ${dns2} 53 setup
> #${fwcmd} add 3100 pass udp from ${dns1} 53 to any
> #${fwcmd} add 3200 pass udp from ${dns2} 53 to any
>
> ${fwcmd} add 2900 pass udp from any 53 to ${oip}
OK, this should let DNS back to your gateway.
> ${fwcmd} add 3000 pass udp from ${oip} 53 to any
> ${fwcmd} add 3100 pass tcp from any to ${oip} 53 setup
These say that you want your gateway (or perhaps a machine behind it)
to function as a DNS server?
I don't see a rule allowing the port 53 traffic onto your private
net. Nor do I see a rule allowing DNS out. Why did you use different
rules rather than fix the problems with the ones you have commented
out?
> # SMB - allow local traffic
> ${fwcmd} add 3300 pass udp from any to any 137-139 via ${iif}
Ouch. Why?
> # Allow NTP queries out in the world BUT we do it like this
> # allow server-server on outside interface
> # allow client-server on inside interface
> ${fwcmd} add 3400 pass udp from any 123 to any 123 via ${oif}
> ${fwcmd} add 3500 pass udp from any 123 to any 123 via ${iif}
> ${fwcmd} add 3600 pass udp from any to any 123 via ${iif}
Rule 3500 is a subset of rule 3600. Rules 3400 and 3500 could be made
into a single rule,
${fwcmd} add 3400 pass udp from any 123 to any 123
[snip]
--
Crist J. Clark cjclark@alum.mit.edu
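As an added check, not part of either message in this thread: a small Python script that recomputes the interface numbers quoted above (is each IP inside the network its netmask defines, and which block it actually falls in) and flags active ipfw rules whose protocol keyword ipfw does not know, such as the "upd" typo. The rc.firewall excerpt inside it is constructed to mirror the quoted values, not the poster's actual file.

```python
import ipaddress
import re

# Constructed excerpt modelled on the rc.firewall fragment quoted in the
# thread (not the poster's actual file).
RC_FIREWALL = """
oif="xl0"
onet="206.249.222.0"
omask="255.255.255.224"
oip="206.249.222.226"
iif="xl1"
inet="192.168.1.0"
imask="255.255.255.224"
iip="192.168.1.225"
#${fwcmd} add 3000 pass upd from any to ${dns2} 53 setup
${fwcmd} add 2900 pass upd from any to ${dns1} 53 setup
${fwcmd} add 3100 pass udp from ${dns1} 53 to any
${fwcmd} add 3400 pass udp from any 123 to any 123 via ${oif}
"""

# Protocol keywords ipfw accepts in a rule (subset sufficient for this lint).
IPFW_PROTOCOLS = {"ip", "all", "tcp", "udp", "icmp"}


def parse_vars(text):
    """Collect shell-style NAME="value" assignments into a dict."""
    return dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))


def check_interface(vars_, prefix):
    """Compare <prefix>net/<prefix>mask against <prefix>ip.
    Reports the network as written, whether the IP lies inside it, and the
    block the IP really belongs to under that mask."""
    mask = vars_[prefix + "mask"]
    net = ipaddress.ip_network(f"{vars_[prefix + 'net']}/{mask}", strict=False)
    ip = ipaddress.ip_address(vars_[prefix + "ip"])
    block = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return {"network": str(net), "ip_in_network": ip in net,
            "address_block": str(block)}


def lint_rules(text):
    """Return (rule number, keyword) for active rules with an unknown protocol."""
    bad = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rules are not loaded by ipfw
        m = re.search(r"add (\d+) \w+ (\w+) from", line)
        if m and m.group(2) not in IPFW_PROTOCOLS:
            bad.append((m.group(1), m.group(2)))
    return bad
```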
