Firewall Rule Set not allowing access to DNS servers?
James A. Coulter
james.coulter at cox.net
Sat Jul 31 06:54:07 PDT 2004
Thanks for the response...
I changed rule 00005 from xl0 to dc0 - thanks.
Not sure why I would want my inside nic requesting DHCP service from my ISP.
It has been working fine in the configuration I have it so I've left it the
way it is.
I checked the security log, and found this:
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1
These are the three name servers specified in the rule set.
I checked the rule set and found this:
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
Because security said the firewall was denying UDP packets, I changed the
rules to this:
$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state
But that hasn't helped. I'm still getting:
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
FWIW, these rules are skipping to:
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
I apologize for being such a bother and I do appreciate any help or
suggestions.
TIA
Jim C.
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of JJB
> Sent: Friday, July 30, 2004 1:20 PM
> To: James A. Coulter; freebsd-questions at freebsd.org
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
>
> Change this ipfw rule from
>
> 00005 allow ip from any to any via xl0
>
> To
> 00005 allow ip from any to any via dc0
>
> because dc0 is the lan interface name and not xl0.
>
>
> Change these statements in rc.conf because you have the interface
> names backwards. Dc1 is the NIC connected to your cable modem
> and you want to get DHCP info from your ISP. Dc0 is the NIC
> connected to your LAN.
>
> From
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
>
> to
> ifconfig_dc0="DHCP"
> ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
>
>
> You do not say how your LAN PCs get their ip address.
> You can hard code them on each LAN PC
> or you have to run isc-dhcp-server on your Gateway box to
> auto assign ip address to LAN PCs.
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
> James A. Coulter
> Sent: Friday, July 30, 2004 10:56 AM
> To: freebsd-questions at freebsd.org
> Subject: Firewall Rule Set not allowing access to DNS servers?
>
> I am using FreeBSD 4.10 as a gateway/router for a small home
> LAN. My outside interface (dc1) is connected to a cable modem
> and is configured for DHCP.
>
> I have compiled and installed a custom kernel with
> IPFIREWALL and IPDIVERT options and with a rule set allowing
> any to any with no problems.
>
> I am in the process of adding a proper rule set to provide
> security. I was referred to
> http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
> installed the Stateful + NATD Rule Set modified for my
> outside interface, domain name servers, and DHCP server.
>
> I can ping IP addresses and pass SMTP mail back and forth
> from the gateway/router and all machines on the LAN, but I
> cannot ping URLs - I am getting "ping: cannot resolve
> www.freebsd.org: Host name lookup failure" errors.
>
>
> This is what ipfw -a list looks like:
>
> sara# ipfw -a list
> 00005 0 0 allow ip from any to any via xl0
> 00010 52 3640 allow ip from any to any via lo0
> 00014 0 0 divert 8668 ip from any to any in recv dc1
> 00015 0 0 check-state
> 00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
> 00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
> 00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
> 00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
> 00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
> 00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
> 00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
> 00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
> 00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
> 00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
> 00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
> 00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
> 00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
> 00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
> 00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
> 00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
> 00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
> 00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
> 00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
> 00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
> 00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
> 00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
> 00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
> 00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
> 00315 0 0 deny tcp from any to any 113 in recv dc1
> 00320 0 0 deny tcp from any to any 137 in recv dc1
> 00321 0 0 deny tcp from any to any 138 in recv dc1
> 00322 0 0 deny tcp from any to any 139 in recv dc1
> 00323 0 0 deny tcp from any to any 81 in recv dc1
> 00330 0 0 deny ip from any to any in recv dc1 frag
> 00332 0 0 deny tcp from any to any in recv dc1 established
> 00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
> 00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
> 00370 0 0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
> 00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
> 00400 0 0 deny log logamount 10 ip from any to any in recv dc1
> 00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
> 00800 0 0 divert 8668 ip from any to any out xmit dc1
> 00801 645 59255 allow ip from any to any
> 00999 0 0 deny log logamount 10 ip from any to any
> 65535 1 347 deny ip from any to any
> This is what my /etc/rc.conf looks like:
>
> hostname="sara.mshome.net"
> ifconfig_dc1="DHCP"
> ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> kern_securelevel_enable="NO"
> linux_enable="YES"
> moused_enable="YES"
> named_enable="YES"
> nfs_client_enable="YES"
> nfs_reserved_port_only="YES"
> nfs_server_enable="YES"
> sendmail_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> ntpd_enable="YES"
> inetd_enable="YES"
> gateway_enable="YES"
> natd_enable="YES"
> natd_interface="dc1"
> natd_flags="-dynamic"
>
> Finally, this is what /etc/resolv.conf looks like:
>
> sara# more /etc/resolv.conf
> search pn.at.cox.net
> nameserver 68.105.161.20
> nameserver 68.1.18.25
> nameserver 68.10.16.30
>
> Any ideas?
>
> Thanks,
>
> Jim C.
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
>
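An added example, not from the thread: a small Python model of how ipfw walks the rules quoted above for the DNS datagrams denied in Jim's security log. It assumes `$pif` is dc1 and `$skip` is `skipto 800`, as in the quoted script, and shows why the tcp rules never see the UDP queries and why changing them to udp while keeping `setup` cannot help.

```python
import re

# Constructed sample: two of the ipfw "Deny" lines quoted in the thread
# (outbound DNS queries from the gateway leaving on dc1).
LOG = """\
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
"""
LOG_RE = re.compile(r"ipfw: \d+ Deny (?P<proto>\w+) [\d.]+:\d+ (?P<dst>[\d.]+):(?P<dport>\d+) "
                    r"(?P<dir>in|out) via (?P<ifc>\w+)")
# Rule shape used in the thread's script:
#   $cmd NNN $skip PROTO from any to DST [PORT] out via $pif [setup] [keep-state]
RULE_RE = re.compile(r"\$cmd (?P<num>\d+) \$skip (?P<proto>\w+) from any to (?P<dst>\S+)"
                     r"(?: (?P<dport>\d+))? (?P<dir>in|out) via \$pif(?P<opts>.*)")
PIF = "dc1"   # assumed value of $pif, the outside interface named in the thread
ALLOW = "skipto 800: diverted to natd, then allowed"
INVALID_SETUP = "never matches: 'setup' selects TCP SYN packets, a UDP datagram has no flags"
NO_MATCH = "no rule matched: falls through to the 'deny log ... out xmit dc1' rule"

def parse_rules(text):
    """Turn the $cmd/$skip rule lines into dicts; lines of any other shape are ignored."""
    rules = []
    for m in filter(None, map(RULE_RE.match, (l.strip() for l in text.splitlines()))):
        rules.append(dict(num=int(m["num"]), proto=m["proto"], dst=m["dst"],
                          dport=m["dport"] or "", dir=m["dir"],
                          setup="setup" in m["opts"].split()))
    return rules

def first_match(rules, pkt):
    """Walk the rules in order, as ipfw does, and report the first one that fits the packet."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"].lower()):   # a tcp rule never sees UDP
            continue
        if r["dst"] not in ("any", pkt["dst"]) or (r["dport"] and r["dport"] != pkt["dport"]):
            continue
        if r["dir"] != pkt["dir"] or pkt["ifc"] != PIF:
            continue
        return r["num"], INVALID_SETUP if r["setup"] and r["proto"] != "tcp" else ALLOW
    return None, NO_MATCH

def check(rules_text, log_text=LOG):
    """Return [(rule number or None, verdict)] for every ipfw Deny line in log_text."""
    rules = parse_rules(rules_text)
    packets = [m.groupdict() for m in map(LOG_RE.search, log_text.splitlines()) if m]
    return [first_match(rules, p) for p in packets]
```

Feeding `check()` the original tcp rules makes every query fall through to the deny-log rule; the udp rules with `setup` are reached but can never match, and only a udp rule without `setup` sends the queries to the skipto.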