Date: Wed, 20 Oct 1999 10:47:49 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: matt <matt@BabCom.ORG>
Cc: FreeBSD-STABLE <stable@FreeBSD.ORG>
Subject: Re: ipfw rule wrong in rc.firewall(?)
Message-ID: <19991020104749.B17206@relay.ucb.crimea.ua>
In-Reply-To: <Pine.BSF.4.20.9910192103180.8578-100000@s01.arpa-canada.net>; from matt on Tue, Oct 19, 1999 at 09:11:33PM -0400
References: <Pine.BSF.4.20.9910192103180.8578-100000@s01.arpa-canada.net>
On Tue, Oct 19, 1999 at 09:11:33PM -0400, matt wrote:
>
> Hello,
>
> I don't know if this is what I think it is, but it sure took me
> back a little bit. Please note that I may be totally wrong, but here is
> what I experienced on *MY* two FreeBSD 3.3-STABLE machines:
>
> IPFW rules for DNS udp like this:
>
> ipfw -q add allow udp from any 53 to 209.104.122.0/24
> ..... much later on .....
> ipfw -q add deny udp from any to 209.104.122.0/24
>
> now this udp allow for dns comes straight from /usr/src/etc/rc.firewall.
> <--- quote
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${ip}
> $fwcmd add pass udp from ${ip} to any 53
> end quote --->
>
You took these rules from the wrong place; they belong to the `client'
section, while you are talking about the server side.
> This totally broke anyone else being able to look up domains served by my
> nameservers, a thought meant doing this;
>
> ipfw -q add allow udp from any to 209.104.122.0/24 53
>
> Which worked perfectly fine. I have not taken the time to dig into the
> problem, I haven't slept, and am quite too tired to do this tonight. I
> am reporting what I saw on my machine with the example not working. This
> is probably just a matter of updating the example rc.firewall? I'll leave
> it to the big boys to decide. Thanks.
>
Yes, src/etc/rc.firewall is incomplete; it is missing two rules for incoming
UDP queries.
# Allow access to our DNS
allow tcp from any to ${oip} 53 setup # zone transfers
allow udp from any to ${oip} 53 # incoming DNS queries (missing)
allow udp from ${oip} 53 to any # answers to these queries (missing)
# Allow DNS queries out in the world
allow udp from ${oip} to any 53 # outgoing DNS queries
allow udp from any 53 to ${oip} # answers to these queries
--
Ruslan Ermilov Sysadmin and DBA of the
ru@ucb.crimea.ua United Commercial Bank,
ru@FreeBSD.org FreeBSD committer,
+380.652.247.647 Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
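The reason the `client' rules do not help a nameserver is ipfw's first-match semantics: an incoming query arrives from a remote ephemeral port to port 53, so `from any 53 to ${oip}' never matches it and the later catch-all deny wins. The following is an added illustration, not code from the thread or from FreeBSD's rc.firewall: a small first-match simulator for the rule shapes quoted above, run against the poster's client-only set and against the same set with the two rules the reply says are missing. The client, resolver and nameserver addresses are constructed (RFC 5737 ranges plus one host in the thread's /24), the catch-all deny stands in for the poster's later rule, and a default-deny last rule is assumed.

```python
import ipaddress

# Constructed rule sets.  CLIENT_ONLY mirrors the rc.firewall client rules the
# poster used plus his later catch-all deny; SERVER prepends the two rules the
# reply identifies as missing.  ${oip} is written out as the thread's /24.
CLIENT_ONLY = [
    "allow udp from any 53 to 209.104.122.0/24",
    "allow udp from 209.104.122.0/24 to any 53",
    "deny udp from any to 209.104.122.0/24",
]
SERVER = [
    "allow udp from any to 209.104.122.0/24 53",  # incoming DNS queries
    "allow udp from 209.104.122.0/24 53 to any",  # answers to these queries
] + CLIENT_ONLY


def _endpoint(tokens):
    """'any' or addr[/prefix], optionally followed by a port number."""
    net = None if tokens[0] == "any" else ipaddress.ip_network(tokens[0], strict=False)
    port = int(tokens[1]) if len(tokens) > 1 else None
    return net, port


def parse_rule(text):
    """Parse 'allow|deny proto from <src>[ port] to <dst>[ port]' (the subset used here)."""
    parts = text.split()
    action, proto = parts[0], parts[1]
    to = parts.index("to")
    return action, proto, _endpoint(parts[3:to]), _endpoint(parts[to + 1:])


def _matches(endpoint, addr, port):
    net, eport = endpoint
    if net is not None and ipaddress.ip_address(addr) not in net:
        return False
    return eport is None or eport == port


def first_match(rules, proto, src, sport, dst, dport):
    """Verdict of the first rule matching the packet; 'deny' if none does
    (assumes the default-deny last rule, i.e. no IPFIREWALL_DEFAULT_TO_ACCEPT)."""
    for text in rules:
        action, rproto, rsrc, rdst = parse_rule(text)
        if rproto == proto and _matches(rsrc, src, sport) and _matches(rdst, dst, dport):
            return action
    return "deny"


# Constructed addresses: our nameserver, a remote client, a remote resolver.
NS, CLIENT, RESOLVER = "209.104.122.1", "198.51.100.7", "203.0.113.53"


def incoming_query(rules):
    # remote client, ephemeral source port, to our port 53
    return first_match(rules, "udp", CLIENT, 4321, NS, 53)


def answer_to_query(rules):
    # our port 53 back to the client's ephemeral port
    return first_match(rules, "udp", NS, 53, CLIENT, 4321)


def outgoing_query(rules):
    # our resolver asking a remote server: the case the client rules do cover
    return first_match(rules, "udp", NS, 1055, RESOLVER, 53)


if __name__ == "__main__":
    for name, rules in (("client-only", CLIENT_ONLY), ("server", SERVER)):
        print(f"{name:12s} query={incoming_query(rules)} "
              f"answer={answer_to_query(rules)} outgoing={outgoing_query(rules)}")
```

With the client-only set both the incoming query and its answer are denied while the outgoing lookup is still allowed, which is exactly the symptom the poster saw; prepending the two server rules turns all three into allow.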
