Date:      Thu, 20 Dec 2001 15:06:36 -0600
From:      Eric_Stanfield@kenokozie.com
To:        "Dustin Puryear" <dpuryear@usa.net>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: FreeBSD firewall and DNS
Message-ID:  <OF51328C04.31DA7769-ON86256B28.0073B1BC@kka.com>


In all those examples you are allowing queries to be sent TO port 53 of a
dns server, but you are not allowing replies FROM port 53 of the dns
server, which is why your very last rule is the only one that makes things
work.  allow udp from any to 10.0.0.5 is allowing the dns server to reply
from port 53 to your machine at 10.0.0.5.

Also, someone else jump in, since when can you keep-state on udp based
traffic?  Maybe I've just forgotten something along the way.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Eric Stanfield, K2Access
Keno Kozie Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000

"Dustin Puryear" <dpuryear@usa.net>
Sent by: owner-freebsd-isp@FreeBSD.ORG
12/20/2001 02:54 PM

To:      <freebsd-isp@FreeBSD.ORG>
cc:
Subject: FreeBSD firewall and DNS

I am having problems configuring a FreeBSD 4.4-RELEASE firewall to allow a
DNS server to work. When I say "work" I mean it is unable to resolve names.
Instead, it just times out. Please note that we are using static NAT. Also,
the DNS server is NOT located on the firewall. (On a related note, if I run
a DNS server on the firewall it works.) The DNS server does have a public IP
address via the static NAT mapping, but I would think it should work
regardless. At least, for resolving names.

Okay, so I have a firewall at 10.0.0.1 private a.b.c.d public. Via NAT the
DNS server, which will be for public use, has a private address of 10.0.0.5
and w.x.y.z public. If I install the DNS server on the firewall and use the
rules:

01500 divert 8668 ip from any to any via rl0
...
02600 allow udp from a.b.c.d to any 53 keep-state
02700 allow tcp from a.b.c.d to any 53 keep-state

The DNS server on the firewall works and can resolve names for me. However,
if I put the DNS server on another internal machine and use the rules:

01500 divert 8668 ip from any to any via rl0
...
02800 allow udp from w.x.y.z to any 53 keep-state
02900 allow tcp from w.x.y.z to any 53 keep-state

The internal server times out. Okay, so I am thinking that perhaps since the
divert rule comes first I should be using the internal address:

01500 divert 8668 ip from any to any via rl0
...
02800 allow udp from 10.0.0.5 to any 53 keep-state
02900 allow tcp from 10.0.0.5 to any 53 keep-state

Unfortunately, I get the same result. The DNS server cannot resolve the name
and nslookup eventually times out. Now, I can make it work by adding the
rule:

03640 allow udp from any to 10.0.0.5

But why is this necessary? Assuming my DNS server does not need to be
accessible to external users I should just need to allow the server to hit
remote DNS servers and to expect replies via the keep-state. Am I missing
something here?

BTW, I am including my full ruleset below just in case.

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow ip from any to any via nge0
00500 deny ip from 10.0.0.0/24 to any in recv rl0
00600 deny ip from a.b.c.0/26 to any in recv nge0
00700 deny ip from any to 10.0.0.0/8 via rl0
00800 deny ip from any to 172.16.0.0/12 via rl0
00900 deny ip from any to 192.168.0.0/16 via rl0
01000 deny ip from any to 0.0.0.0/8 via rl0
01100 deny ip from any to 169.254.0.0/16 via rl0
01200 deny ip from any to 192.0.2.0/24 via rl0
01300 deny ip from any to 224.0.0.0/4 via rl0
01400 deny ip from any to 240.0.0.0/4 via rl0
01500 divert 8668 ip from any to any via rl0
01600 deny ip from 10.0.0.0/8 to any via rl0
01700 deny ip from 172.16.0.0/12 to any via rl0
01800 deny ip from 192.168.0.0/16 to any via rl0
01900 deny ip from 0.0.0.0/8 to any via rl0
02000 deny ip from 169.254.0.0/16 to any via rl0
02100 deny ip from 192.0.2.0/24 to any via rl0
02200 deny ip from 224.0.0.0/4 to any via rl0
02300 deny ip from 240.0.0.0/4 to any via rl0
02400 allow tcp from any to any established
02500 allow ip from any to any frag
02600 allow udp from a.b.c.d to any 53 keep-state  # for DNS on firewall
02700 allow tcp from a.b.c.d to any 53 keep-state  # ""
02800 allow udp from w.x.y.z to any 53 keep-state  # for DNS on another box
02900 allow tcp from w.x.y.z to any 53 keep-state  # ""
03000 allow tcp from any to 10.0.0.5 25 setup
03100 allow tcp from any to 10.0.0.20 80 via rl0 setup # web
03200 allow tcp from any to 10.0.0.21 80 via rl0 setup # web
03300 allow tcp from any to any 22 setup
03400 allow icmp from any to any keep-state
03500 allow tcp from any to any setup
03640 allow udp from any to 10.0.0.5 # crappy fix to allow DNS to work
03900 deny log logamount 10 tcp from any to any in recv rl0 setup
65535 deny ip from any to any

Regards, Dustin

---
Dustin Puryear <dpuryear@usa.net>
Information Systems Consultant
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
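The rule variants from the quoted message, traced through a small Python model of ipfw first-match evaluation with the natd divert rule in front of the keep-state rule. This is an added illustration, not code from the thread or from ipfw itself; the remote resolver address, the unsolicited probe packet and the simplified state-lookup and NAT ordering are constructed assumptions.

```python
# Simplified model of ipfw evaluation with a natd divert rule and keep-state
# dynamic rules (constructed; only the rl0 pass is modelled, rule 00400 allows nge0).
NAT = {"10.0.0.5": "w.x.y.z"}                 # static NAT mapping from the thread
UNNAT = {pub: priv for priv, pub in NAT.items()}
RESOLVER = "198.51.100.1"                     # constructed remote DNS server

def rule(action, src="any", sport="any", dst="any", dport="any", keep_state=False):
    return dict(action=action, src=src, sport=sport, dst=dst, dport=dport,
                keep_state=keep_state)

def fits(field, value):
    return field == "any" or field == value

def evaluate(rules, pkt, states):
    """Return the action for pkt and record dynamic rules in `states`."""
    pkt, checked = dict(pkt), False
    for r in rules:
        if r["action"] == "divert":
            # natd rewrites the private source on the way out and the public
            # destination on the way in, then evaluation resumes at the next rule
            if pkt["dir"] == "out":
                pkt["src"] = NAT.get(pkt["src"], pkt["src"])
            else:
                pkt["dst"] = UNNAT.get(pkt["dst"], pkt["dst"])
            continue
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if r["keep_state"] and not checked:
            checked = True                    # dynamic rules are consulted once,
            if fwd in states or rev in states:  # at the first keep-state rule
                return "allow"
        if all(fits(r[k], pkt[k]) for k in ("src", "sport", "dst", "dport")):
            if r["keep_state"]:
                states.add(fwd)               # state holds the post-NAT addresses
            return r["action"]
    return "deny"                             # 65535 deny ip from any to any

def dns_exchange(extra_rules):
    """Query from 10.0.0.5, its reply, and a constructed unsolicited UDP probe."""
    rules, states = [rule("divert")] + extra_rules, set()
    query = dict(src="10.0.0.5", sport=1025, dst=RESOLVER, dport=53, dir="out")
    reply = dict(src=RESOLVER, sport=53, dst="w.x.y.z", dport=1025, dir="in")
    probe = dict(src="203.0.113.9", sport=40000, dst="w.x.y.z", dport=161, dir="in")
    return tuple(evaluate(rules, p, states) for p in (query, reply, probe))

PUBLIC_STATE = rule("allow", src="w.x.y.z", dport=53, keep_state=True)  # 02800
PRIVATE_STATE = rule("allow", src="10.0.0.5", dport=53, keep_state=True)  # 02800, 3rd try
ANY_TO_DNS = rule("allow", dst="10.0.0.5")              # 03640, the "crappy fix"
FROM_PORT_53 = rule("allow", sport=53, dst="10.0.0.5")  # replies from port 53 only
```

In the model the keep-state entry is created with the post-NAT source w.x.y.z, while the reply has already been translated back to 10.0.0.5 when the state is consulted, so it never matches; the stateless 03640 rule then admits every UDP packet to the DNS host, and limiting the source port to 53 narrows that to a field the sender still controls.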