allowing LAN the direct access to outside DNS with ipfw
Mikhail Teterin
mi+mx at aldan.algebra.com
Tue Jul 13 08:55:49 PDT 2004
Hello!
I'm using the `simple' template in /etc/rc.firewall to allow the LAN to access
the Internet from behind the firewall (FreeBSD-stable).
There is a rule there:

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from any to any 53 keep-state

and, indeed, the firewall machine itself has no problems accessing the outside
name servers.
However, when the LAN-machine(s) try it, the queries time out, while the
firewall machine logs the following:

	ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0

All HOWTOs out there imply running a local nameserver on the firewall
machine. Is there a way to go without that, but also without opening the
firewall up to _all_ UDP packets, which happen to originate from port
53?
What's the meaning of the "keep-state" clause in the rule above? I
thought it "magically" allows DNS responses to come back only, but that
does not work...
Thank you!
-mi