Date:      Sat, 31 Jul 2004 12:08:41 -0500
From:      "James A. Coulter" <james.coulter@cox.net>
To:        <Barbish3@adelphia.net>, <freebsd-questions@freebsd.org>
Subject:   RE: Firewall Rule Set not allowing access to DNS servers?
Message-ID:  <000401c47721$07faf590$6e01a8c0@sabrina>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGEECPGIAA.Barbish3@adelphia.net>

My LAN is configured with static IP addresses, 192.168.1.x.

I have no problems communicating within the LAN.

I have full connectivity with the internet from every machine on my LAN when the firewall is open.

When I use the rule set in question, I can ping and send mail but I cannot access the DNS servers listed in resolv.conf.

These are the same DNS servers placed in resolv.conf when the firewall is open.

I'm sorry, but I never said dc1 was my inside nic.

Again, I appreciate any help with this.  The files you requested follow.

Here's my ifconfig -a:

sara# ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
        ether 00:04:5a:76:55:f0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
        inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
        ether 00:a0:cc:33:e1:f6
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

Here's resolv.conf:

sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30

Here's the entire rule set I'm trying to use.

I did follow the comments.

Please note the variable pif is set to dc1, my outside nic.

################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"     # public interface name of Nic card
              # facing the public internet



#################################################################
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via dc0

#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif

#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state

#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public internet.
#################################################################

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state

# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state

# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state

# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root

# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state

# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state

# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state

# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state

# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state

#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destine for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16  to any in via $pif  #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12   to any in via $pif  #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8      to any in via $pif  #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8     to any in via $pif  #loopback
$cmd 304 deny all from 0.0.0.0/8       to any in via $pif  #loopback
$cmd 305 deny all from 169.254.0.0/16  to any in via $pif  #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24    to any in via $pif  #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif  #Sun cluster
$cmd 308 deny all from 224.0.0.0/3     to any in via $pif  #Class D & E multicast

# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81  in via $pif

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from 172.19.17.22 to any 68 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 370 allow tcp from any to me 8888 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
# $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all unauthorized incoming connections from the public internet
$cmd 500 deny log all from any to any in via $pif

# Reject & Log all unauthorized out going connections to the public internet
$cmd 550 deny log all from any to any out via $pif

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any


################ End of IPFW rules file ###############################

Here's all of today's security output:

Jul 31 07:50:36 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1649 193.0.14.129:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4365 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2365 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4325 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3378 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2952 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1359 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4738 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550
Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860 68.105.58.150:21 in via dc1
Jul 31 07:51:51 sara last message repeated 2 times
Jul 31 07:53:15 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3875 68.105.58.150:21 in via dc1
Jul 31 07:53:24 sara last message repeated 2 times
Jul 31 07:53:32 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3878 68.105.58.150:21 in via dc1
Jul 31 07:53:41 sara last message repeated 2 times
Jul 31 07:53:44 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3881 68.105.58.150:21 in via dc1
Jul 31 07:53:44 sara /kernel: ipfw: limit 10 reached on entry 500
Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53 192.168.1.102:3232 in via dc1
Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.105.161.20:53 192.168.1.102:3232 in via dc1
Jul 31 08:14:33 sara /kernel: ipfw: 65000 Deny UDP 10.2.184.1:67 255.255.255.255:68 in via dc1
Jul 31 08:15:28 sara last message repeated 2 times
Jul 31 08:15:47 sara last message repeated 5 times
Jul 31 08:15:47 sara /kernel: ipfw: limit 10 reached on entry 65000
Jul 31 08:31:20 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3534 198.41.0.4:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4952 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2260 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4087 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4914 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1849 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2220 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: limit 10 reached on entry 550

Here's rc.conf again:

# -- sysinstall generated deltas --
# Sun Jul  4 10:40:48 2004
# Created: Sun Jul  4 10:40:48 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="sara.mshome.net"
ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
named_enable="YES"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ntpd_enable="YES"
inetd_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="dc1"
natd_flags="-dynamic"

Here's dmesg.boot:

Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 4.10-RELEASE #8: Fri Jul 30 07:19:43 CDT 2004
    jcoulter@sara.mshome.net:/usr/obj/usr/src/sys/SARA
Timecounter "i8254"  frequency 1193182 Hz
CPU: Intel Celeron (634.78-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x686  Stepping = 6
  Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory  = 134201344 (131056K bytes)
avail memory = 127057920 (124080K bytes)
Preloaded elf kernel "kernel" at 0xc0381000.
Pentium Pro MTRR support enabled
md0: Malloc disk
Using $PIR table, 8 entries at 0xc00f0e80
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Intel 82443BX (440 BX) host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xe4000000-0xe7ffffff at device 0.0 on pci0
pcib1: <Intel 82443BX (440 BX) PCI-PCI (AGP) bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <ATI Mach64-GB graphics accelerator> at 0.0 irq 11
isab0: <Intel 82371AB PCI to ISA bridge> at device 4.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 ATA33 controller> port 0xb800-0xb80f at device 4.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xb400-0xb41f irq 9 at device 4.2 on pci0
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
chip0: <Intel 82371AB Power management controller> port 0xe800-0xe80f at device 4.3 on pci0
dc0: <ADMtek AN985 10/100BaseTX> port 0xb000-0xb0ff mem 0xe1000000-0xe10003ff irq 12 at device 10.0 on pci0
dc0: Ethernet address: 00:04:5a:76:55:f0
miibus0: <MII bus> on dc0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: <LC82C115 PNIC II 10/100BaseTX> port 0xa800-0xa8ff mem 0xe0800000-0xe08000ff irq 10 at device 11.0 on pci0
dc1: Ethernet address: 00:a0:cc:33:e1:f6
miibus1: <MII bus> on dc1
dcphy0: <Intel 21143 NWAY media interface> on miibus1
dcphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
isa0: too many dependant configs (8)
isa0: unexpected small tag 14
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
pmtimer0 on isa0
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 10 packets/entry by default
ad0: DMA limited to UDMA33, non-ATA66 cable or device
ad0: 19623MB <IBM-DTLA-305020> [39870/16/63] at ata0-master UDMA33
acd0: CDROM <SONY CD-ROM CDU4821> at ata0-slave PIO4
Mounting root from ufs:/dev/ad0s1a

Thanks,

Jim C.


> -----Original Message-----
> From: JJB [mailto:Barbish3@adelphia.net]
> Sent: Saturday, July 31, 2004 10:28 AM
> To: James A. Coulter; freebsd-questions@freebsd.org
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
>
> You better re-read what you posted in early post. You posted
> that dc1 is your outside NIC, which is connected to your
> cable modem which is connected to your ISP. Your outside NIC
> needs DHCP to get ip and dns info from your ISP. NOW YOU SAY
> dc1 IS INSIDE INTERFACE NAME.  Make up your mind which is correct.
>
> Verify you have correct  interface name coded in ipfw rules
> for NIC connected to cable modem and that the same NIC
> interface name is the one in rc.conf with DHCP option. When
> DHCP gets DNS info from ISP /etc/resolv.conf will auto
> updated with correct info. Read comments in sample firewall
> source and follow what comments say.  You are making this
> harder than it really is.
>
> Also there is no setup option on UDP packets just keepstate
>
> Post full contents of your current dmesg.boot, rc.conf,  ipfw
> rule set, and ipfw log files so people can see just want you
> have configured.  And answer question of how you are
> assigning ip address to LAN PCs? Also post output of ifconfig
> -a command after boot completes.
>
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
> James A. Coulter
> Sent: Saturday, July 31, 2004 9:55 AM
> To: freebsd-questions@freebsd.org
> Cc: Barbish3@adelphia.net
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
> Thanks for the response. . .
>
> I changed rule 00005 from xl0 to dc0 - thanks
>
> Not sure why I would want my inside nic requesting DHCP
> service from my ISP. It has been working fine in the
> configuration I have it so I've left it the way it is.
>
> I checked the security log, and found this:
>
> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1
>
> These are the three name servers specified in the rule set
>
> I checked the rule set and found this:
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
> $cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
> $cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
>
> Because security said the firewall was denying UDP packets, I
> changed the rules to this:
>
> $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
> $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
> $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state
>
> But that hasn't helped.  I'm still getting:
>
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
>
> FWIW, these rules are skipping to:
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> I apologize for being such a bother and I do appreciate any
> help or suggestions.
>
> TIA
>
> Jim C.
>
>
>
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of JJB
> > Sent: Friday, July 30, 2004 1:20 PM
> > To: James A. Coulter; freebsd-questions@freebsd.org
> > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
> >
> >
> > Change this ipfw rule from
> >
> > 00005   allow ip from any to any via xl0
> >
> > To
> > 00005   allow ip from any to any via dc0
> >
> > because dc0 is the lan interface name and not xl0.
> >
> >
> > Change these statement in rc.conf because you have interface name
> > backwards. Dc1 is the NIC connected to your cable modem and you want
> > to get DHCP info from your ISP. Dc0 is the NIC connected to your LAN.
> >
> > From
> > ifconfig_dc1="DHCP"
> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> >
> > to
> > ifconfig_dc0="DHCP"
> > ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
> >
> >
> > You do not say how your LAN PCs get their ip address.
> > You can hard code them on each LAN PC
> > or you have to run isc-dhcp-server on your Gateway box to auto assign
> > ip address to LAN PCs.
> >
> >
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of James A.
> > Coulter
> > Sent: Friday, July 30, 2004 10:56 AM
> > To: freebsd-questions@freebsd.org
> > Subject: Firewall Rule Set not allowing access to DNS servers?
> >
> > I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My
> > outside interface (dc1) is connected to a cable modem and is
> > configured for DHCP.
> >
> > I have compiled and installed a custom kernel with IPFIREWALL and
> > IPDIVERT options and with a rule set allowing any to any with no
> > problems
> >
> > I am in the process of adding a proper rule set to provide security. I
> > was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
> > installed the Stateful + NATD Rule Set modified for my
> > outside interface, domain name servers, and DHCP server.
> >
> > I can ping IP addresses and pass SMTP mail back and forth from the
> > gateway/router and all machines on the LAN, but I cannot ping URLs - I
> > am getting "ping: cannot resolve
> > www.freebsd.org: Host name lookup failure" errors.
> >
> >
> > This is what ipfw -a list looks like:
> >
> > sara# ipfw -a list
> > 00005   0     0 allow ip from any to any via xl0
> > 00010  52  3640 allow ip from any to any via lo0
> > 00014   0     0 divert 8668 ip from any to any in recv dc1
> > 00015   0     0 check-state
> > 00020   0     0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
> > 00021   0     0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
> > 00022   0     0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
> > 00030   0     0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
> > 00040   0     0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
> > 00050   0     0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
> > 00060   0     0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
> > 00061   0     0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
> > 00070   0     0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
> > 00080   0     0 skipto 800 icmp from any to any keep-state out xmit dc1
> > 00090   0     0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
> > 00100   0     0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
> > 00110   0     0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
> > 00120   0     0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
> > 00130   0     0 skipto 800 udp from any to any 123 keep-state out xmit dc1
> > 00300   0     0 deny ip from 192.168.0.0/16 to any in recv dc1
> > 00301   0     0 deny ip from 172.16.0.0/12 to any in recv dc1
> > 00302   0     0 deny ip from 10.0.0.0/8 to any in recv dc1
> > 00303   0     0 deny ip from 127.0.0.0/8 to any in recv dc1
> > 00304   0     0 deny ip from 0.0.0.0/8 to any in recv dc1
> > 00305   0     0 deny ip from 169.254.0.0/16 to any in recv dc1
> > 00306   0     0 deny ip from 192.0.2.0/24 to any in recv dc1
> > 00307   0     0 deny ip from 204.152.64.0/23 to any in recv dc1
> > 00308   0     0 deny ip from 224.0.0.0/3 to any in recv dc1
> > 00315   0     0 deny tcp from any to any 113 in recv dc1
> > 00320   0     0 deny tcp from any to any 137 in recv dc1
> > 00321   0     0 deny tcp from any to any 138 in recv dc1
> > 00322   0     0 deny tcp from any to any 139 in recv dc1
> > 00323   0     0 deny tcp from any to any 81 in recv dc1
> > 00330   0     0 deny ip from any to any in recv dc1 frag
> > 00332   0     0 deny tcp from any to any in recv dc1 established
> > 00360   0     0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
> > 00370   0     0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
> > 00370   0     0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
> > 00380   0     0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
> > 00400   0     0 deny log logamount 10 ip from any to any in recv dc1
> > 00450  81  5288 deny log logamount 10 ip from any to any out xmit dc1
> > 00800   0     0 divert 8668 ip from any to any out xmit dc1
> > 00801 645 59255 allow ip from any to any
> > 00999   0     0 deny log logamount 10 ip from any to any
> > 65535   1   347 deny ip from any to any
> >
> > This is what my /etc/rc.conf looks like:
> >
> > hostname="sara.mshome.net"
> > ifconfig_dc1="DHCP"
> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> > firewall_enable="YES"
> > firewall_script="/etc/ipfw.rules"
> > firewall_logging="YES"
> > kern_securelevel_enable="NO"
> > linux_enable="YES"
> > moused_enable="YES"
> > named_enable="YES"
> > nfs_client_enable="YES"
> > nfs_reserved_port_only="YES"
> > nfs_server_enable="YES"
> > sendmail_enable="YES"
> > sshd_enable="YES"
> > usbd_enable="YES"
> > ntpd_enable="YES"
> > inetd_enable="YES"
> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="dc1"
> > natd_flags="-dynamic"
> >
> > Finally, this is what /etc/resolv.conf looks like:
> >
> > sara# more /etc/resolv.conf
> > search pn.at.cox.net
> > nameserver 68.105.161.20
> > nameserver 68.1.18.25
> > nameserver 68.10.16.30
> >
> > Any ideas?
> >
> > Thanks,
> >
> > Jim C.
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
> >
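As an added diagnostic helper (not from the thread, and not part of the a1poweruser rule set), the POSIX sh script below lints a rules file of the posted shape for udp rules that carry the TCP-only setup option (the point JJB raises about rules 020-022), emits the corrected lines, and pulls the dropped DNS packets out of ipfw Deny log lines so the failing rule number stands out. The sample rules and log lines are constructed from the values in this thread.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread. Three checks against an
# ipfw rules file and an ipfw log of the shape posted above:
#   lint_udp_setup   - udp rules that use "setup" (never match: setup is a TCP
#                      SYN test, so the UDP query falls through to rule 550)
#   fix_udp_setup    - same rules with "setup" dropped from udp rules only
#   dns_denials      - Deny log lines involving port 53, with rule and direction
set -f   # no pathname expansion while word-splitting rule and log lines

# Constructed sample rules (same shape as the posted /etc/ipfw.rules).
SAMPLE_RULES='cmd="ipfw -q add"
skip="skipto 800"
pif="dc1"
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
$cmd 550 deny log all from any to any out via $pif'

# Constructed sample log (entries taken from the security output posted above).
SAMPLE_LOG='Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042 68.1.18.25:53 out via dc1
Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860 68.105.58.150:21 in via dc1
Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53 192.168.1.102:3232 in via dc1
Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550'

# lint_udp_setup RULES: print the rule number of every "$cmd" line whose
# protocol is udp (any case) and which also carries the "setup" keyword.
lint_udp_setup() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lower" in
            '$cmd '*) ;;          # rule lines only, skip the variable definitions
            *) continue ;;
        esac
        case " $lower " in
            *" udp "*) case " $lower " in
                           *" setup "*) set -- $lower; printf '%s\n' "$2" ;;
                       esac ;;
        esac
    done
}

# fix_udp_setup RULES: the same text with " setup" removed from udp rules;
# keep-state alone is what a UDP rule needs, tcp rules keep their setup.
fix_udp_setup() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case " $lower " in
            *" udp "*) line=$(printf '%s' "$line" | sed 's/ setup / /') ;;
        esac
        printf '%s\n' "$line"
    done
}

# dns_denials LOG: for each ipfw "Deny" line where either endpoint is port 53,
# print "rule direction iface src->dst". Outbound hits on the catch-all deny
# are queries no skipto rule matched; inbound hits are replies that found no
# dynamic state waiting for them.
dns_denials() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *"ipfw: "*" Deny "*) ;;
            *) continue ;;        # "limit N reached" and repeat lines carry no packet
        esac
        rest=${line#*ipfw: }      # "550 Deny UDP src:port dst:port out via dc1"
        set -- $rest
        case "$4 $5" in
            *:53\ *|*:53) printf '%s %s %s %s->%s\n' "$1" "$6" "$8" "$4" "$5" ;;
        esac
    done
}

# count_dns_denials LOG: number of lines dns_denials reports.
count_dns_denials() {
    dns_denials "$1" | awk 'END { print NR }'
}

# Stand-alone run on the samples.
echo "udp rules using setup:"; lint_udp_setup "$SAMPLE_RULES"
echo "corrected rules:";       fix_udp_setup "$SAMPLE_RULES"
echo "denied DNS traffic:";    dns_denials "$SAMPLE_LOG"
```

Point the three functions at `cat /etc/ipfw.rules` and `grep ipfw /var/log/security` output to run the same checks against a live box.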



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000401c47721$07faf590$6e01a8c0>