Firewall Rule Set not allowing access to DNS servers?

Giorgos Keramidas keramida at ceid.upatras.gr
Sat Jul 31 15:43:57 PDT 2004


[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <Barbish3 at adelphia.net> wrote:
>Giorgos Keramidas wrote on July 31, 2004 1:36 PM
>>On 2004-07-31 12:08, "James A. Coulter" <james.coulter at cox.net> wrote:
>>> My LAN is configured with static IP addresses, 192.168.1.x.
>>>
>>> I have no problems communicating within the LAN.
>>>
>>> I have full connectivity with the internet from every machine on
>>> my LAN when the firewall is open.
>>>
>>> When I use the rule set in question, I can ping and send mail but
>>> I cannot access the DNS servers listed in resolv.conf.
>>
>> There are many ways in which your ruleset might break.  Two of the
>> most important comments I wanted to make when I first saw the posts
>> of this thread are: [...]
>>
>> b) Why do you use so many rules that 'filter' outgoing traffic?
>>
>> I saw smtp, pop3, time, http, https and many others.  You
>> don't need to explicitly allow outgoing connections unless
>> the users in the internal LAN are not to be trusted at all
>> and even then IPFW is most of the time not the right way to
>> do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your
posts and available online at:

http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be
cool if it was somehow incorporated into the Handbook.  It's not yet, but
I like most of the text so I hope it gets converted to SGML and added to
the Handbook either in parts or as a whole.

If by "... which explains in detail why..." you refer to this particular
quote from that document, I'm not sure that it is always a good idea but
that's my own opinion:

    "The Outbound section in the following rule set only contains `pass'
    rules which contain selection values that uniquely identify the
    service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be
limited and/or controlled in a more or less strict manner, it looks like
a great idea.

At home, where a couple of machines share a single Internet connection
through a dialup or DSL line, this might be a bit too limiting ;-)

- Giorgos
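An added illustration, not part of the thread or of the linked guide: a small first-match evaluator for an ipfw-style outbound section built the way the quoted guide describes, one `pass` rule per authorised service and a closing deny. It reproduces the symptom James reports (ping and mail pass, DNS queries hit the deny) and shows the same list with the two resolver rules that let name lookups through. Rule numbers, port choices and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    num: int                  # ipfw rule number; evaluated in ascending order
    action: str               # "allow" (ipfw's pass/accept/permit) or "deny"
    proto: str                # "ip" matches any protocol
    dst_port: Optional[int]   # None matches any port (ICMP has no ports)

@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: Optional[int]

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipfw semantics: first matching rule decides; a packet that matches
    nothing falls through to the implicit default rule 65535 (deny)."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.action, r.num
    return "deny", 65535

# Outbound section in the guide's style (hypothetical numbering): only the
# services the admin thought of get a pass rule, everything else is denied.
OUTBOUND_NO_DNS = [
    Rule(200, "allow", "icmp", None),   # ping keeps working
    Rule(210, "allow", "tcp", 25),      # smtp: sending mail works
    Rule(220, "allow", "tcp", 110),     # pop3
    Rule(230, "allow", "tcp", 80),      # http
    Rule(240, "allow", "tcp", 443),     # https
    Rule(290, "deny", "ip", None),      # explicit outbound catch-all deny
]

# Same section with resolver traffic permitted: UDP 53 for ordinary queries
# and TCP 53 for answers too large for UDP (or zone transfers).
OUTBOUND_WITH_DNS = OUTBOUND_NO_DNS + [
    Rule(250, "allow", "udp", 53),
    Rule(251, "allow", "tcp", 53),
]

DNS_QUERY = Packet("udp", 53)   # what the resolver in resolv.conf needs
SMTP = Packet("tcp", 25)
PING = Packet("icmp", None)

if __name__ == "__main__":
    for name, rs in (("no-dns", OUTBOUND_NO_DNS), ("with-dns", OUTBOUND_WITH_DNS)):
        for p in (PING, SMTP, DNS_QUERY):
            print(name, p, evaluate(rs, p))
```

The "with-dns" list still denies everything not listed, so the guide's control over outbound services is kept; only the forgotten resolver ports are added.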