modifying ipfw rules to accompany dnscache install
    Giorgos Keramidas
    keramida at ceid.upatras.gr
    Thu May  1 06:34:22 PDT 2003

On 2003-04-27 08:59, Joe Sotham wrote:
> My firewall starts with the everything denied principle. I was using
> the following rules to allow udp packets to/from my private network:
> dns1 and dns2 are my service provider's nameserver IP addresses.
>
> <snip>
> ${fwcmd} add 400 pass udp from any to ${dns1} 53
> ${fwcmd} add 400 pass udp from any to ${dns2} 53
> ${fwcmd} add 400 pass udp from ${dns1} 53 to any
> ${fwcmd} add 400 pass udp from ${dns2} 53 to any
> <snip>
>
> After installing dnscache I have had to open the ruleset up a little.
> I am wondering if the following rule can be tightened up a little.
>
> ${fwcmd} add 400 pass udp from any to any 53 keep-state
It should work fine...  My local ipfw ruleset here used to include:
    # Allow DNS and NTP through.
    add allow udp from any to any 53,123 keep-state out
I'm using ipfilter now, so I haven't run any recent tests with this
ruleset, but the rule shown above used to work great.
- Giorgos
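As an added illustration (not part of the original thread), the fragment below puts the broad `from any to any 53 keep-state` rule from the question next to a tighter stateful version. It assumes dnscache runs on the firewall host itself, so the ipfw `me` keyword matches its outbound queries, and that the outside interface name is passed in (the example uses `ed0`, a placeholder). Because dnscache retries over TCP when a UDP answer is truncated, a matching TCP rule is included as well. The script defaults to printing the `ipfw` commands instead of loading them; set `FWCMD=/sbin/ipfw` on a FreeBSD box to apply them.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Dry-run by default: print the ipfw commands rather than loading them.
# Assumption: dnscache runs on this host, so "me" covers its source addresses.
fwcmd="${FWCMD:-echo ipfw}"

# The rule from the question: any source, any destination, stateful.
broad_dns_rules() {
    ${fwcmd} add 400 pass udp from any to any 53 keep-state
}

# Tightened version: only queries that originate on this host, only leaving
# through the outside interface ($1), with the dynamic-rule lookup made
# explicit by a check-state rule placed ahead of the keep-state rules.
tightened_dns_rules() {
    oif="$1"
    ${fwcmd} add 300 check-state
    ${fwcmd} add 400 allow udp from me to any 53 out via "${oif}" keep-state
    # dnscache falls back to TCP on truncated answers; "setup" limits the
    # rule to the initial SYN, keep-state tracks the rest of the connection.
    ${fwcmd} add 401 allow tcp from me to any 53 out via "${oif}" setup keep-state
}

# Helper: number of rules a generator emits (useful when dry-running).
rule_count() {
    "$1" "${2:-ed0}" | wc -l | tr -d ' '
}

broad_dns_rules
tightened_dns_rules ed0
```

Replies to the outbound queries are admitted by the dynamic rules that `keep-state` creates, so no inbound `from any 53 to any` rule is needed; the ruleset stays deny-by-default for unsolicited traffic to port 53 on the firewall.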