ipfw keep-state (ASAP answer needed)

Rob listone at deathbeforedecaf.net
Tue Dec 9 01:58:03 PST 2003


I would suggest

    ipfw add 4100 allow udp from me to any 53 keep-state
    ipfw add 4200 allow udp from any to me 53 keep-state

which allows either side to initiate the connection. You will also need TCP
versions of these rules (DNS uses both).

If you use ipfw2, which is the default in 5.x, you can combine them into the
same rule like so:

    ipfw add 4100 allow ( tcp or udp ) from me to any 53 keep-state
    ipfw add 4200 allow ( tcp or udp ) from any to me 53 keep-state

What does /var/log/security show?

----- Original Message -----
From: "Gregory Edigarov" <greg at profi.kharkov.ua>
Subject: ipfw keep-state (ASAP answer needed)


> Hello,
>
> The following is a fragment of my rc.firewall which must allow all
> traffic in and out of my named.
>
> ----
> ipfw add 4100 allow udp from me to any 53 keep-state
> ipfw add 4200 allow udp from any to me 53
> ipfw add 4300 allow udp from me 53 to any
> ---
> This is a fragment from my kernel configuration:
> ---
> options         IPFIREWALL              #firewall
> options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
> options         IPFIREWALL_FORWARD      #enable transparent proxy support
> options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
> options         IPDIVERT                #divert sockets
> options         IPSTEALTH
> options         ICMP_BANDLIM
> options         DUMMYNET
> options         BRIDGE
> options         IPFW2
> ---
> It doesn't work. What am I missing?
>
> --
> With best regards,
>         Gregory Edigarov
> ------------------------------------------------------------------------------
> profi.kharkov.ua                                        Systems Administrator
> ------------------------------------------------------------------------------
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
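
Rob's two keep-state rules are the core of the fix. As an added example (not from this thread and not FreeBSD's own rc.firewall), the fragment below shows what a complete stateful DNS section for a host running named looks like under ipfw2, written the way /etc/rc.firewall issues rules through a ${fwcmd} variable. It adds an explicit check-state, the TCP rules Rob mentions (with setup, so only the SYN has to match the static rule), uses limit src-addr instead of plain keep-state on the inbound side so that one client cannot fill the dynamic table (net.inet.ip.fw.dyn_max), and ends with a logged deny so /var/log/security shows what was refused. The rule numbers, the limit values (32 and 8) and the print/apply switch are this example's own choices; the or-block uses braces rather than the parentheses in Rob's rules because sh would otherwise parse "(" as the start of a subshell.

```shell
#!/bin/sh
# Added example (not from the thread): an /etc/rc.firewall-style fragment that
# lets a host running named send and receive DNS over UDP and TCP using ipfw2
# dynamic rules. Rule numbers, the "limit" values and the fwcmd convention are
# this example's own choices, not anything posted in the thread.

# Emit the DNS rules. $1 is the rule number the section starts at.
named_rules() {
    base="$1"

    # Consult the dynamic rule table before anything else in this section.
    # ipfw also does this implicitly at the first keep-state/limit rule it
    # reaches, but an explicit check-state keeps the ordering obvious.
    ${fwcmd} add $((base)) check-state

    # Queries named sends out (recursion, forwarders, zone transfers it
    # initiates). "setup" restricts the static TCP rule to the SYN; the
    # dynamic entry created by keep-state carries the rest of the session,
    # including the replies coming back to a high port on this host.
    ${fwcmd} add $((base + 100)) allow udp from me to any 53 keep-state
    ${fwcmd} add $((base + 110)) allow tcp from me to any 53 setup keep-state

    # Queries clients send to named. "limit src-addr N" implies keep-state
    # but caps the number of dynamic entries one client address may hold,
    # so a single source cannot fill the state table (net.inet.ip.fw.dyn_max).
    ${fwcmd} add $((base + 200)) allow udp from any to me 53 limit src-addr 32
    ${fwcmd} add $((base + 210)) allow tcp from any to me 53 setup limit src-addr 8

    # Port-53 packets that match no dynamic entry and are not new queries
    # (for instance a TCP segment without SYN whose state has expired) are
    # refused here and logged (IPFIREWALL_VERBOSE), so /var/log/security
    # shows what was dropped. Braces, not parentheses, for the or-block:
    # "(" would be parsed by sh as a subshell.
    ${fwcmd} add $((base + 900)) deny log { tcp or udp } from any to me 53
}

# Print the rules by default; "sh dns_rules.sh apply" loads them with ipfw.
case "${1:-print}" in
    apply) fwcmd="/sbin/ipfw -q" ;;
    *)     fwcmd="echo" ;;
esac
named_rules 4000
```

Run it as is to see the rules it would load, or with the apply argument on the firewall host. On a busy authoritative server, one dynamic entry per inbound query is wasteful: there the stateless pair from the original post (4200 allow udp from any to me 53, 4300 allow udp from me 53 to any) is the better choice for the inbound side, with keep-state kept only for the queries named itself originates.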


