From owner-freebsd-stable Wed Oct 20 0:50:46 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from relay.ucb.crimea.ua (UCB-Async4-CRISCO.CRIS.NET [212.110.129.130])
	by hub.freebsd.org (Postfix) with ESMTP id 464D31AFD3
	for ; Wed, 20 Oct 1999 00:49:08 -0700 (PDT)
	(envelope-from ru@ucb.crimea.ua)
Received: (from ru@localhost)
	by relay.ucb.crimea.ua (8.9.3/8.9.3/UCB) id KAA31205;
	Wed, 20 Oct 1999 10:47:49 +0300 (EEST)
	(envelope-from ru)
Date: Wed, 20 Oct 1999 10:47:49 +0300
From: Ruslan Ermilov
To: matt
Cc: FreeBSD-STABLE
Subject: Re: ipfw rule wrong in rc.firewall(?)
Message-ID: <19991020104749.B17206@relay.ucb.crimea.ua>
Mail-Followup-To: matt, FreeBSD-STABLE
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.3i
In-Reply-To: ; from matt on Tue, Oct 19, 1999 at 09:11:33PM -0400
X-Operating-System: FreeBSD 3.3-STABLE i386
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Oct 19, 1999 at 09:11:33PM -0400, matt wrote:
>
> Hello,
>
> I don't know if this is what I think it is, but it sure took me
> back a little bit. Please note that I may be totally wrong, but here is
> what I experienced on *MY* two FreeBSD 3.3-STABLE machines:
>
> IPFW rules for DNS udp like this:
>
> ipfw -q add allow udp from any 53 to 209.104.122.0/24
> ..... much later on .....
> ipfw -q add deny udp from any to 209.104.122.0/24
>
> now this udp allow for dns comes straight from /usr/src/etc/rc.firewall.
> <--- quote
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${ip}
> $fwcmd add pass udp from ${ip} to any 53
> end quote --->
>
You took these rules from the wrong place; they belong to the `client'
section, while you are talking about the server side.

> This totally broke anyone else being able to lookup domains served by my
> nameservers, a thought meant doing this;
>
> ipfw -q add allow udp from any to 209.104.122.0/24 53
>
> Which worked perfectly fine. I have not taken the time to dig into the
> problem, I haven't slept, and am quite too tired to do this tonight. I
> am reporting what I saw on my machine with the example not working. This
> is probably just a matter of updating the example rc.firewall? I'll leave
> it to the big boys to decide. Thanks.
>
Yes, src/etc/rc.firewall is incomplete; it misses two rules for incoming
UDP queries.

# Allow access to our DNS
allow tcp from any to ${oip} 53 setup	# zone transfers
allow udp from any to ${oip} 53		# incoming DNS queries (missing)
allow udp from ${oip} 53 to any		# answers to these queries (missing)

# Allow DNS queries out in the world
allow udp from ${oip} to any 53		# outgoing DNS queries
allow udp from any 53 to ${oip}		# answers to these queries

--
Ruslan Ermilov		Sysadmin and DBA of the
ru@ucb.crimea.ua	United Commercial Bank,
ru@FreeBSD.org		FreeBSD committer,
+380.652.247.647	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
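To make the first-match behaviour behind this thread concrete, here is an added simulation of ipfw's rule walk over matt's two-rule set and over the same set with the incoming-query rule from the reply inserted before the deny. This is example code written for this page, not from rc.firewall or ipfw(8); it parses only the `ACTION PROTO from SRC [PORT] to DST [PORT]` subset, and the packet addresses are constructed samples.

```python
"""First-match walk over a small ipfw-style UDP ruleset (example, not ipfw itself)."""
import ipaddress

def _endpoint(tokens):
    """Parse 'any' or an address/CIDR, optionally followed by a port number."""
    net = None if tokens[0] == "any" else ipaddress.ip_network(tokens[0], strict=False)
    port = int(tokens[1]) if len(tokens) > 1 else None
    return net, port

def parse_rule(text):
    """Parse the subset 'ACTION PROTO from SRC [PORT] to DST [PORT]'."""
    tok = text.split()
    to = tok.index("to")
    return {"action": tok[0], "proto": tok[1],
            "src": _endpoint(tok[3:to]), "dst": _endpoint(tok[to + 1:])}

def _matches(endpoint, addr, port):
    net, want = endpoint
    if net is not None and ipaddress.ip_address(addr) not in net:
        return False
    return want is None or want == port

def first_match(rules, proto, src, sport, dst, dport):
    """Return (rule_number, action) of the first matching rule; default deny if none."""
    for number, text in enumerate(rules, 1):
        r = parse_rule(text)
        if (r["proto"] == proto and _matches(r["src"], src, sport)
                and _matches(r["dst"], dst, dport)):
            return number, r["action"]
    return None, "deny"

# Ruleset as matt described it: the client-side reply rule, then a catch-all deny.
AS_SHIPPED = [
    "allow udp from any 53 to 209.104.122.0/24",
    "deny udp from any to 209.104.122.0/24",
]
# Same set with the server-side "incoming DNS queries" rule placed before the deny.
FIXED = [
    "allow udp from any 53 to 209.104.122.0/24",
    "allow udp from any to 209.104.122.0/24 53",
    "deny udp from any to 209.104.122.0/24",
]

# Constructed packets: a reply to our own outgoing query, and a query to our nameserver.
REPLY = ("udp", "198.51.100.7", 53, "209.104.122.10", 40123)
QUERY = ("udp", "198.51.100.7", 40123, "209.104.122.10", 53)

if __name__ == "__main__":
    for name, rules in (("as shipped", AS_SHIPPED), ("fixed", FIXED)):
        for label, pkt in (("reply", REPLY), ("query", QUERY)):
            print(f"{name:10} {label}: {first_match(rules, *pkt)}")
```

The reply packet is accepted by rule 1 in both sets, but the incoming query falls through to the deny in the shipped set because its source port is not 53.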