Error in Handbook

Giorgos Keramidas keramida at ceid.upatras.gr
Thu Feb 3 03:30:31 UTC 2005


On 2005-02-02 14:11, Graham Dresch <gdresch at spcint.com> wrote:
>
> In Chapter 24 Firewalls:
> Section 24.6.5.7:
> Example ruleset #2:
>
> $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
>                ^^^                                     ^^^^^
>
> DNS uses UDP; setup is inapplicable to UDP

Actually, DNS uses both UDP and TCP.  The size of a DNS UDP packet has
an upper limit.  If the data that needs to be transferred exceeds that
limit, TCP is used.

> The line should read:
>
> $cmd 020 $skip udp from any to x.x.x.x 53 out via $pif keep-state

It should probably remain as it is, and a TCP-specific line should be
added.  Ruleset #2 is supposed to be identical to ruleset #1, which
includes these rules:

    $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
    $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

- Giorgos
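The two stateful outbound DNS rules discussed above, written as a small stand-alone sh script together with a lint that catches exactly the inconsistency raised in the thread (a `setup` keyword on a non-TCP rule). This is an added example, not text from the Handbook or from either poster; the interface name `em0`, the resolver address `192.0.2.53` and the `cmd="echo ipfw add"` dry-run prefix are assumptions for the sake of running offline.

```sh
#!/bin/sh
# Added example (not from the Handbook or this thread): the outbound DNS
# rules from ruleset #1, plus a lint that flags "setup" on non-TCP rules.

# Assumed values; replace with your own interface and resolver address.
pif="em0"            # public interface (assumption)
dns="192.0.2.53"     # resolver address, RFC 5737 documentation prefix (constructed)
cmd="echo ipfw add"  # dry run: print the rules instead of installing them;
                     # use cmd="ipfw -q add" to load them for real

# Emit the outbound DNS rules. TCP gets "setup" so that only the SYN
# creates the dynamic rule; UDP has no handshake, so it only keeps state.
dns_rules() {
    $cmd 00110 allow tcp from any to $dns 53 out via $pif setup keep-state
    $cmd 00111 allow udp from any to $dns 53 out via $pif keep-state
}

# lint_rule RULE: returns 0 if the rule is consistent and 1 if it uses
# "setup" with a protocol other than tcp, where setup has no meaning.
# The protocol is the word immediately before "from" in ipfw syntax.
lint_rule() {
    proto=$(printf '%s\n' "$1" | sed -n 's/.* \([A-Za-z0-9]*\) from .*/\1/p')
    case " $1 " in
        *" setup "*)
            [ "$proto" = "tcp" ] || return 1 ;;
    esac
    return 0
}

# lint_ruleset: reads rules on stdin, reports offenders, returns 1 if any.
lint_ruleset() {
    rc=0
    while IFS= read -r line; do
        lint_rule "$line" || {
            printf 'setup on non-tcp rule: %s\n' "$line" >&2
            rc=1
        }
    done
    return $rc
}

# Usage: print the rules and lint them in one go.
dns_rules | lint_ruleset && dns_rules
```

Running the script prints the two rules and exits 0; feeding it the UDP rule from the original report (with `setup` still attached) makes `lint_ruleset` print the offending line and exit 1.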
