allowing LAN the direct access to outside DNS with ipfw

Barney Wolff barney at databus.com
Tue Jul 13 09:07:31 PDT 2004


On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:
> 
> I'm using the `simple' template in /etc/rc.firewall to allow LAN to access
> the Internet from behind the firewall (FreeBSD-stable).
> 
> There is a rule there:
> 	# Allow DNS queries out in the world
> 	${fwcmd} add pass udp from any to any 53 keep-state
> 
> and, indeed, the firewall machine itself has no problems accessing the outside
> name servers.
> 
> However, when the LAN-machine(s) try it, the queries time out, while the
> firewall machine logs the following:
> 
> 	ipfw: 3400 Deny UDP name.ser.ver.ip:53 192.168.1.3:1332 in via de0
> 
> All HOWTOs out there imply running a local nameserver on the firewall
> machine. Is there a way to go without that, but also without opening the
> firewall up to _all_ UDP packets, which happen to originate from port
> 53?
> 
> What's the meaning of the "keep-state" clause in the rule above? I
> thought it "magically" allows only the DNS responses to come back, but that
> does not work...

Do ipfw show and see if the keep-state rule is ever triggering - perhaps
some rule before it is already allowing the outgoing packets.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
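As an added example (not part of this thread, and not FreeBSD's own rc.firewall code), here are the two checks in POSIX shell: a parser for ipfw deny lines in the format quoted above, which tallies per LAN host how many inbound UDP packets from a source port of 53 are being dropped, and a reader of `ipfw show` counters that flags a keep-state rule whose packet count stays at zero while a later deny rule is being hit, which is the check Barney suggests. Both sample inputs are constructed; the `ipfw show` column layout assumed is the standard one (rule number, packet count, byte count, rule body), and the rule numbers 400 and 3400, the interface name and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original message or from rc.firewall.
# Constructed sample inputs: the deny lines copy the format quoted in the
# thread (syslog prefix added), and the `ipfw show` lines use its usual
# "rule-number packets bytes rule-body" layout. Addresses are placeholders.

SAMPLE_LOG='Jul 13 09:00:01 fw kernel: ipfw: 3400 Deny UDP 10.0.0.53:53 192.168.1.3:1332 in via de0
Jul 13 09:00:02 fw kernel: ipfw: 3400 Deny UDP 10.0.0.53:53 192.168.1.3:1333 in via de0
Jul 13 09:00:03 fw kernel: ipfw: 3400 Deny UDP 10.0.0.54:53 192.168.1.7:2048 in via de0
Jul 13 09:00:04 fw kernel: ipfw: 3400 Deny TCP 10.0.0.9:80 192.168.1.3:1400 in via de0'

SAMPLE_SHOW='00100     40   3200 allow ip from any to any via lo0
00300      0      0 check-state
00400      0      0 allow udp from any to any 53 keep-state
03400      3    240 deny log ip from any to any'

# Count denied inbound UDP packets whose source port is 53, per LAN host.
# Reads syslog lines on stdin; prints "host count" lines, sorted by host.
dns_reply_denies() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next                   # not an ipfw log line
        if ($(i+2) != "Deny" || $(i+3) != "UDP") next
        src = $(i+4); dst = $(i+5)
        if (src !~ /:53$/) next            # only packets from a name server port
        sub(/:[0-9]+$/, "", dst)           # strip the client port, keep the host
        count[dst]++
    }
    END { for (h in count) print h, count[h] }' | sort
}

# Print the packet counter of one rule, reading `ipfw show` output on stdin.
# Rule numbers are compared numerically, so 00400 and 400 both match.
rule_packets() {
    awk -v rule="$1" '$1 + 0 == rule + 0 { print $2; exit }'
}

# Compare the keep-state rule ($1) with the deny rule ($2) using `ipfw show`
# output on stdin. A zero counter on the keep-state rule while the deny rule
# is counting packets means the stateful rule is never matched, so no dynamic
# entry exists to let the replies back in.
diagnose() {
    show=$(cat)
    keep=$(printf '%s\n' "$show" | rule_packets "$1")
    deny=$(printf '%s\n' "$show" | rule_packets "$2")
    if [ "${keep:-0}" -eq 0 ] && [ "${deny:-0}" -gt 0 ]; then
        echo "keep-state rule $1 never matched; rule $2 is dropping the traffic"
    else
        echo "keep-state rule $1 matched ${keep:-0} packets; rule $2 matched ${deny:-0}"
    fi
}

# Run both checks over the constructed samples. On a real firewall the
# inputs would be /var/log/security and the live output of `ipfw show`.
printf '%s\n' "$SAMPLE_LOG" | dns_reply_denies
printf '%s\n' "$SAMPLE_SHOW" | diagnose 400 3400
```

On a live system, feed the log file and `ipfw show` into the functions the same way; a keep-state rule with a nonzero counter but replies still being denied would point at the dynamic entries (visible with `ipfw -d show`) rather than at rule ordering.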