named error sending response: permission denied

Stephane Raimbault stephane at enertiasoft.com
Tue May 24 18:26:10 GMT 2005


On 24-May-05, at 12:09 PM, Charles Swiger wrote:

> On May 24, 2005, at 1:05 PM, Stephane Raimbault wrote:
>
>> Thank you for your suggestions... I think it helped me solve the  
>> problem.  It seems I needed to add more rules... although they  
>> seem redundant to me, but they have clearly made an improvement  
>> and I'm no longer getting those dns related errors in ipfw.log and  
>> in /var/log/messages.
>>
>
> I hate to ask something silly, but you do have a check-state rule  
> somewhere, right?
>
It's not silly... what's silly is that now I'm asking how I would  
check :) or what the rule would look like.


> The rules you've added permit traffic in both directions, which  
> shouldn't be needed unless the stateful matching wasn't working  
> right.  Anyway, you don't need to use stateful rules if you permit  
> traffic in both ways, but the possible tradeoff is making the  
> systems more accessible to scanning and some DoS attacks using  
> forged traffic.
>
> Not using keep-state with UDP is quite reasonable, but you might  
> consider adding a "keep-state" with your TCP rules for port 53.   
> You should also be aware that your nameservers will want to make  
> outbound connections using TCP themselves sometimes....
>

You've actually kind of answered the other question I neglected to  
ask, which is whether I would really need the keep-state, since it  
seemed to work without it when I did my testing earlier today.  
Regarding adding keep-state to my TCP rule: would this not do the  
same thing? Am I confused, or is it just insecure to do it  
this way:

# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established

Thanks,
Stephane.


> -- 
> -Chuck
>
>


