Firewall Rule Set not allowing access to DNS servers?

JJB Barbish3 at adelphia.net
Fri Jul 30 11:20:37 PDT 2004


Change this ipfw rule from

00005   allow ip from any to any via xl0

To
00005   allow ip from any to any via dc0

because dc0 is the LAN interface name and not xl0.


Change these statements in rc.conf because you have the interface names
backwards.
dc1 is the NIC connected to your cable modem and you want to get
DHCP info from your ISP.
dc0 is the NIC connected to your LAN.

From
ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"

to
ifconfig_dc0="DHCP"
ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"


You do not say how your LAN PCs get their IP addresses.
You can hard code them on each LAN PC
or you have to run isc-dhcp-server on your gateway box to auto
assign IP addresses to LAN PCs.
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of James A.
Coulter
Sent: Friday, July 30, 2004 10:56 AM
To: freebsd-questions at freebsd.org
Subject: Firewall Rule Set not allowing access to DNS servers?

I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My
outside interface (dc1) is connected to a cable modem and is configured for
DHCP.

I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT
options and with a rule set allowing any to any with no problems.

I am in the process of adding a proper rule set to provide security. I was
referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed
the Stateful + NATD Rule Set modified for my outside interface, domain name
servers, and DHCP server.

I can ping IP addresses and pass SMTP mail back and forth from the
gateway/router and all machines on the LAN, but I cannot ping URLs - I am
getting "ping: cannot resolve www.freebsd.org: Host name lookup failure"
errors.


This is what ipfw -a list looks like:

sara# ipfw -a list
00005   0     0 allow ip from any to any via xl0
00010  52  3640 allow ip from any to any via lo0
00014   0     0 divert 8668 ip from any to any in recv dc1
00015   0     0 check-state
00020   0     0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
00021   0     0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
00022   0     0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
00030   0     0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
00040   0     0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
00050   0     0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
00060   0     0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
00061   0     0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
00070   0     0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
00080   0     0 skipto 800 icmp from any to any keep-state out xmit dc1
00090   0     0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
00100   0     0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
00110   0     0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
00120   0     0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
00130   0     0 skipto 800 udp from any to any 123 keep-state out xmit dc1
00300   0     0 deny ip from 192.168.0.0/16 to any in recv dc1
00301   0     0 deny ip from 172.16.0.0/12 to any in recv dc1
00302   0     0 deny ip from 10.0.0.0/8 to any in recv dc1
00303   0     0 deny ip from 127.0.0.0/8 to any in recv dc1
00304   0     0 deny ip from 0.0.0.0/8 to any in recv dc1
00305   0     0 deny ip from 169.254.0.0/16 to any in recv dc1
00306   0     0 deny ip from 192.0.2.0/24 to any in recv dc1
00307   0     0 deny ip from 204.152.64.0/23 to any in recv dc1
00308   0     0 deny ip from 224.0.0.0/3 to any in recv dc1
00315   0     0 deny tcp from any to any 113 in recv dc1
00320   0     0 deny tcp from any to any 137 in recv dc1
00321   0     0 deny tcp from any to any 138 in recv dc1
00322   0     0 deny tcp from any to any 139 in recv dc1
00323   0     0 deny tcp from any to any 81 in recv dc1
00330   0     0 deny ip from any to any in recv dc1 frag
00332   0     0 deny tcp from any to any in recv dc1 established
00360   0     0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
00370   0     0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
00370   0     0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
00380   0     0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
00400   0     0 deny log logamount 10 ip from any to any in recv dc1
00450  81  5288 deny log logamount 10 ip from any to any out xmit dc1
00800   0     0 divert 8668 ip from any to any out xmit dc1
00801 645 59255 allow ip from any to any
00999   0     0 deny log logamount 10 ip from any to any
65535   1   347 deny ip from any to any

This is what my /etc/rc.conf looks like:

hostname="sara.mshome.net"
ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
named_enable="YES"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ntpd_enable="YES"
inetd_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="dc1"
natd_flags="-dynamic"

Finally, this is what /etc/resolv.conf looks like:

sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30

Any ideas?

Thanks,

Jim C.
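Added example (not code from either message): a first-match walk over a constructed excerpt of the ipfw listing above, reporting what happens to outbound port-53 traffic to the first two nameservers from the quoted resolv.conf before rule 450 denies it. The excerpt, the NAMESERVERS list and the functions parse_rules, matches, verdict and dns_verdicts are all assumptions made here.

```python
import re
# Constructed excerpt modelled on the ipfw listing in Jim's message (not a live capture); most rules omitted.
IPFW_LIST = """\
00005   0     0 allow ip from any to any via xl0
00020   0     0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
00130   0     0 skipto 800 udp from any to any 123 keep-state out xmit dc1
00450  81  5288 deny log logamount 10 ip from any to any out xmit dc1
00800   0     0 divert 8668 ip from any to any out xmit dc1
00801 645 59255 allow ip from any to any
"""
NAMESERVERS = ["68.105.161.20", "68.1.18.25"]  # first two entries of the quoted resolv.conf

def parse_rules(text):
    """[(number, tokens)] per rule line of `ipfw -a list`; packet/byte counters dropped."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\d+\s+\d+\s+(.+)$", line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2).split()))
    return rules

def matches(words, proto, dst, dport, iface):
    """True if one rule body matches an outbound packet (proto, dst, dport) leaving on iface."""
    if "from" not in words or "in" in words:   # check-state and inbound-only rules never match
        return False
    rproto, i = words[words.index("from") - 1], words.index("to")
    after = words[i + 2] if i + 2 < len(words) else ""
    rport = after if after.isdigit() else None # bare 'to <host>' means any port
    for key in ("via", "xmit"):                # interface qualifier must name our egress NIC
        if key in words and words[words.index(key) + 1] != iface:
            return False
    return rproto in ("ip", proto) and words[i + 1] in ("any", dst) and rport in (None, dport)

def verdict(rules, proto, dst, dport, iface="dc1"):
    """First-match walk: follow skipto, fall through divert, stop at the first allow/deny."""
    i = 0
    while i < len(rules):
        _, words = rules[i]
        if matches(words, proto, dst, dport, iface):
            if words[0] == "skipto":           # resume at the first rule numbered >= target
                i = next((k for k, (n, _) in enumerate(rules) if n >= int(words[1])), len(rules))
                continue
            if words[0] in ("allow", "deny"):
                return words[0]
        i += 1
    return "deny"                              # the implicit final rule 65535

def dns_verdicts(rules, servers=NAMESERVERS):
    return {(ns, p): verdict(rules, p, ns, "53") for ns in servers for p in ("tcp", "udp")}
```

Stub resolvers send their queries over UDP 53 first, so the walk shows which server/protocol pairs never reach rule 800; rerun it against the full listing and all three nameservers to confirm.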
