Firewall Rule Set not allowing access to DNS servers?

James A. Coulter james.coulter at cox.net
Sat Jul 31 06:54:07 PDT 2004


Thanks for the response...

I changed rule 00005 from x10 to dc0 - thanks

Not sure why I would want my inside nic requesting DHCP service from my ISP.
It has been working fine in the configuration I have it so I've left it the
way it is.

I checked the security log, and found this:

Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1

These are the three name servers specified in the rule set

I checked the rule set and found this:

# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state

Because security said the firewall was denying UDP packets, I changed the
rules to this:

$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state

But that hasn't helped.  I'm still getting:

Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1

FWIW, these rules are skipping to:

# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any

I apologize for being such a bother and I do appreciate any help or
suggestions.

TIA

Jim C.
 


> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org 
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of JJB
> Sent: Friday, July 30, 2004 1:20 PM
> To: James A. Coulter; freebsd-questions at freebsd.org
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
> 
> 
> Change this ipfw rule from
> 
> 00005   allow ip from any to any via xl0
> 
> To
> 00005   allow ip from any to any via dc0
> 
> because dc0 is the lan interface name and not xl0.
> 
> 
> Change these statements in rc.conf because you have the interface
> names backwards. dc1 is the NIC connected to your cable modem
> and you want to get DHCP info from your ISP. dc0 is the NIC
> connected to your LAN.
> 
> From
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> 
> to
> ifconfig_dc0="DHCP"
> ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
> 
> 
> You do not say how your LAN PCs get their ip address.
> You can hard code them on each LAN PC
> or you have to run isc-dhcp-server on your Gateway box to 
> auto assign ip address to LAN PCs.
> 
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of 
> James A. Coulter
> Sent: Friday, July 30, 2004 10:56 AM
> To: freebsd-questions at freebsd.org
> Subject: Firewall Rule Set not allowing access to DNS servers?
> 
> I am using FreeBSD 4.10 as a gateway/router for a small home 
> LAN. My outside interface (dc1) is connected to a cable modem 
> and is configured for DHCP.
> 
> I have compiled and installed a custom kernel with
> IPFIREWALL and IPDIVERT options and with a rule set allowing
> any to any with no problems.
> 
> I am in the process of adding a proper rule set to provide 
> security. I was referred to 
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and 
> installed the Stateful + NATD Rule Set modified for my 
> outside interface, domain name servers, and DHCP server.
> 
> I can ping IP addresses and pass SMTP mail back and forth 
> from the gateway/router and all machines on the LAN, but I 
> cannot ping URLs - I am getting "ping: cannot resolve 
> www.freebsd.org: Host name lookup failure" errors.
> 
> 
> This is what ipfw -a list looks like:
> 
> sara# ipfw -a list
> 00005   0     0 allow ip from any to any via xl0
> 00010  52  3640 allow ip from any to any via lo0
> 00014   0     0 divert 8668 ip from any to any in recv dc1
> 00015   0     0 check-state
> 00020   0     0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
> 00021   0     0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
> 00022   0     0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
> 00030   0     0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
> 00040   0     0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
> 00050   0     0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
> 00060   0     0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
> 00061   0     0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
> 00070   0     0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
> 00080   0     0 skipto 800 icmp from any to any keep-state out xmit dc1
> 00090   0     0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
> 00100   0     0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
> 00110   0     0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
> 00120   0     0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
> 00130   0     0 skipto 800 udp from any to any 123 keep-state out xmit dc1
> 00300   0     0 deny ip from 192.168.0.0/16 to any in recv dc1
> 00301   0     0 deny ip from 172.16.0.0/12 to any in recv dc1
> 00302   0     0 deny ip from 10.0.0.0/8 to any in recv dc1
> 00303   0     0 deny ip from 127.0.0.0/8 to any in recv dc1
> 00304   0     0 deny ip from 0.0.0.0/8 to any in recv dc1
> 00305   0     0 deny ip from 169.254.0.0/16 to any in recv dc1
> 00306   0     0 deny ip from 192.0.2.0/24 to any in recv dc1
> 00307   0     0 deny ip from 204.152.64.0/23 to any in recv dc1
> 00308   0     0 deny ip from 224.0.0.0/3 to any in recv dc1
> 00315   0     0 deny tcp from any to any 113 in recv dc1
> 00320   0     0 deny tcp from any to any 137 in recv dc1
> 00321   0     0 deny tcp from any to any 138 in recv dc1
> 00322   0     0 deny tcp from any to any 139 in recv dc1
> 00323   0     0 deny tcp from any to any 81 in recv dc1
> 00330   0     0 deny ip from any to any in recv dc1 frag
> 00332   0     0 deny tcp from any to any in recv dc1 established
> 00360   0     0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
> 00370   0     0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
> 00370   0     0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
> 00380   0     0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
> 00400   0     0 deny log logamount 10 ip from any to any in recv dc1
> 00450  81  5288 deny log logamount 10 ip from any to any out xmit dc1
> 00800   0     0 divert 8668 ip from any to any out xmit dc1
> 00801 645 59255 allow ip from any to any
> 00999   0     0 deny log logamount 10 ip from any to any
> 65535   1   347 deny ip from any to any
> 
> This is what my /etc/rc.conf looks like:
> 
> hostname="sara.mshome.net"
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0" 
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> moused_enable="YES"
> named_enable="YES"
> nfs_client_enable="YES"
> nfs_reserved_port_only="YES"
> nfs_server_enable="YES"
> sendmail_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> ntpd_enable="YES"
> inetd_enable="YES"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="dc1"
> natd_flags="-dynamic"
> 
> Finally, this is what /etc/resolv.conf looks like:
> 
> sara# more /etc/resolv.conf
> search pn.at.cox.net
> nameserver 68.105.161.20
> nameserver 68.1.18.25
> nameserver 68.10.16.30
> 
> Any ideas?
> 
> Thanks,
> 
> Jim C.
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list 
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
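
The two things the thread turns on are reading the ipfw deny lines correctly (which rule dropped the packet, over which protocol, to which port) and writing an outbound DNS rule that actually matches a UDP query. The script below is an added example; it is not code from the thread or from the a1poweruser rule set it references. It assumes the outside interface name, the first rule number and the skipto target are passed in as arguments, and the resolv.conf and log samples inside it are constructed (the nameserver addresses are the ones posted above). Note that `setup` matches only TCP segments with SYN set and ACK clear, so it is used here only on the tcp rule; the udp rule relies on `keep-state` plus the existing `check-state` rule to admit the reply.

```shell
#!/bin/sh
# Added example for the ipfw/DNS problem discussed above (not the thread's own
# rule set). Two helpers:
#   ipfw_denied_dns - pull port-53 denials out of ipfw log lines, with the
#                     rule number and protocol that dropped them
#   ipfw_dns_rules  - emit outbound DNS allow rules from resolv.conf-style
#                     input, one UDP and one TCP rule per nameserver
# Assumptions: outside interface, first rule number and skipto target are
# given as arguments; the sample data at the bottom is constructed.

# Read syslog lines on stdin; print "PROTO DST_IP DST_PORT RULE" for every
# "ipfw: <rule> Deny" line whose destination port is 53.
ipfw_denied_dns() {
    awk '
        /ipfw: [0-9]+ Deny/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "ipfw:") {
                    rule  = $(i + 1)   # rule number that logged the deny
                    proto = $(i + 3)   # UDP or TCP
                    dst   = $(i + 5)   # destination as ip:port
                }
            }
            n = split(dst, d, ":")
            if (d[n] == 53) print proto, d[1], d[n], rule
        }'
}

# Read resolv.conf-style lines on stdin; print ipfw commands that let the
# gateway (and NATed LAN hosts) reach each nameserver on port 53.
#   $1 = outside interface, $2 = first rule number, $3 = skipto target
# Queries are UDP. TCP is allowed as well because resolvers retry over TCP
# when an answer is truncated. "setup" is a TCP-only option, so it appears
# only on the tcp rule; keep-state on both lets check-state pass the reply.
ipfw_dns_rules() {
    awk -v pif="$1" -v num="$2" -v skip="$3" '
        $1 == "nameserver" {
            printf "ipfw add %03d skipto %s udp from any to %s 53 out via %s keep-state\n", num, skip, $2, pif
            num++
            printf "ipfw add %03d skipto %s tcp from any to %s 53 out via %s setup keep-state\n", num, skip, $2, pif
            num++
        }'
}

# Constructed sample input (nameserver addresses are the ones in the thread;
# 192.0.2.10 is a documentation address used as a non-DNS destination).
SAMPLE_RESOLV='search example.net
nameserver 68.105.161.20
nameserver 68.1.18.25'

SAMPLE_LOG='Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:38 sara /kernel: ipfw: 450 Deny TCP 68.105.58.150:2610 192.0.2.10:80 out via dc1'

echo "# denied DNS traffic (proto dst_ip dst_port rule):"
printf '%s\n' "$SAMPLE_LOG" | ipfw_denied_dns
echo "# rules to add:"
printf '%s\n' "$SAMPLE_RESOLV" | ipfw_dns_rules dc1 20 800
```

Run it with `sh` and the second section prints `ipfw add 020 ... udp ...` through `ipfw add 023 ... tcp ... setup ...`; on the gateway you can pipe that output to `sh`, or drop it into a rule file by substituting `$cmd` for `ipfw add` and `$skip` for `skipto 800` to match the script style used above. One caveat from the posted rc.conf: it also sets `named_enable="YES"`. If that local named is ever made the recursive resolver instead of the ISP servers in resolv.conf, its own lookups go to arbitrary authoritative servers, and a rule limited to three nameserver addresses will not cover them; a `udp from any to any 53 out via $pif keep-state` rule would be needed in that case.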
