Firewall Rule Set not allowing access to DNS servers?
James A. Coulter
james.coulter at cox.net
Sat Jul 31 10:07:06 PDT 2004
My LAN is configured with static IP addresses, 192.168.1.x.
I have no problems communicating within the LAN.
I have full connectivity with the internet from every machine on my LAN when
the firewall is open.
When I use the rule set in question, I can ping and send mail but I cannot
access the DNS servers listed in resolv.conf.
These are the same DNS servers placed in resolv.conf when the firewall is
open.
I'm sorry, but I never said dc1 was my inside nic.
Again, I appreciate any help with this. The files you requested follow.
Here's my ifconfig -a:
sara# ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
ether 00:04:5a:76:55:f0
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
ether 00:a0:cc:33:e1:f6
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
Here's resolv.conf:
sara# more /etc/resolv.conf
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30
Here's the entire rule set I'm trying to use.
I did follow the comments.
Please note the variable pif is set to dc1, my outside nic.
################ Start of IPFW rules file ###############################
# Flush out the list before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
skip="skipto 800"
pif="dc1" # public interface name of Nic card
# facing the public internet
#################################################################
# No restrictions on Inside Lan Interface for private network
# Change xl0 to your Lan Nic card interface name
#################################################################
$cmd 005 allow all from any to any via dc0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destined for the public internet.
#################################################################
# Allow out access to my ISP's Domain name server.
# x.x.x.x must be the IP address of your ISP's DNS
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
$cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
$cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
$cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
# Allow out non-secure standard www function
$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
# Allow out send & get email function
$cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
$cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
# Allow out FBSD (make install & CVSUP) functions
# Basically give user root "GOD" privileges.
$cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
# Allow out ping
$cmd 080 $skip icmp from any to any out via $pif keep-state
# Allow out Time
$cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
# Allow out nntp news (IE: news groups)
$cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
$cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
# Allow out whois
$cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
# Allow ntp time server
$cmd 130 $skip udp from any to any 123 out via $pif keep-state
#################################################################
# Interface facing Public internet (Inbound Section)
# Interrogate packets originating from the public internet
# destined for this gateway server or the private network.
#################################################################
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $pif #reserved for doc's
$cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $pif #Class D & E multicast
# Deny ident
$cmd 315 deny tcp from any to any 113 in via $pif
# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 320 deny tcp from any to any 137 in via $pif
$cmd 321 deny tcp from any to any 138 in via $pif
$cmd 322 deny tcp from any to any 139 in via $pif
$cmd 323 deny tcp from any to any 81 in via $pif
# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from 172.19.17.22 to any 68 in via $pif keep-state
# Allow in standard www function because I have apache server
$cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
$cmd 370 allow tcp from any to me 8888 in via $pif setup limit src-addr 2
# Allow in secure FTP, Telnet, and SCP from public Internet
$cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
# $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
# Reject & Log all unauthorized incoming connections from the public internet
$cmd 500 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public internet
$cmd 550 deny log all from any to any out via $pif
# This is skipto location for outbound stateful rules
$cmd 800 divert natd ip from any to any out via $pif
$cmd 801 allow ip from any to any
# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 999 deny log all from any to any
################ End of IPFW rules file ###############################
Here's all of today's security output:
Jul 31 07:50:36 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1649 193.0.14.129:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4365 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2365 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4325 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3378 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2952 68.105.161.20:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1359 68.1.18.25:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4738 68.10.16.30:53 out via dc1
Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550
Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860 68.105.58.150:21 in via dc1
Jul 31 07:51:51 sara last message repeated 2 times
Jul 31 07:53:15 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3875 68.105.58.150:21 in via dc1
Jul 31 07:53:24 sara last message repeated 2 times
Jul 31 07:53:32 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3878 68.105.58.150:21 in via dc1
Jul 31 07:53:41 sara last message repeated 2 times
Jul 31 07:53:44 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3881 68.105.58.150:21 in via dc1
Jul 31 07:53:44 sara /kernel: ipfw: limit 10 reached on entry 500
Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53 192.168.1.102:3232 in via dc1
Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.105.161.20:53 192.168.1.102:3232 in via dc1
Jul 31 08:14:33 sara /kernel: ipfw: 65000 Deny UDP 10.2.184.1:67 255.255.255.255:68 in via dc1
Jul 31 08:15:28 sara last message repeated 2 times
Jul 31 08:15:47 sara last message repeated 5 times
Jul 31 08:15:47 sara /kernel: ipfw: limit 10 reached on entry 65000
Jul 31 08:31:20 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3534 198.41.0.4:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4952 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2260 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4087 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4914 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1849 68.1.18.25:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2220 68.10.16.30:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: limit 10 reached on entry 550
Here's rc.conf again:
# -- sysinstall generated deltas --
# Sun Jul 4 10:40:48 2004
# Created: Sun Jul 4 10:40:48 2004
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="sara.mshome.net"
ifconfig_dc1="DHCP"
ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
moused_enable="YES"
named_enable="YES"
nfs_client_enable="YES"
nfs_reserved_port_only="YES"
nfs_server_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
ntpd_enable="YES"
inetd_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="dc1"
natd_flags="-dynamic"
Here's dmesg.boot:
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 4.10-RELEASE #8: Fri Jul 30 07:19:43 CDT 2004
jcoulter at sara.mshome.net:/usr/obj/usr/src/sys/SARA
Timecounter "i8254" frequency 1193182 Hz
CPU: Intel Celeron (634.78-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x686 Stepping = 6
Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory = 134201344 (131056K bytes)
avail memory = 127057920 (124080K bytes)
Preloaded elf kernel "kernel" at 0xc0381000.
Pentium Pro MTRR support enabled
md0: Malloc disk
Using $PIR table, 8 entries at 0xc00f0e80
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Intel 82443BX (440 BX) host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xe4000000-0xe7ffffff at device 0.0 on pci0
pcib1: <Intel 82443BX (440 BX) PCI-PCI (AGP) bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <ATI Mach64-GB graphics accelerator> at 0.0 irq 11
isab0: <Intel 82371AB PCI to ISA bridge> at device 4.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 ATA33 controller> port 0xb800-0xb80f at device 4.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xb400-0xb41f irq 9 at device 4.2 on pci0
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
chip0: <Intel 82371AB Power management controller> port 0xe800-0xe80f at device 4.3 on pci0
dc0: <ADMtek AN985 10/100BaseTX> port 0xb000-0xb0ff mem 0xe1000000-0xe10003ff irq 12 at device 10.0 on pci0
dc0: Ethernet address: 00:04:5a:76:55:f0
miibus0: <MII bus> on dc0
ukphy0: <Generic IEEE 802.3u media interface> on miibus0
ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc1: <LC82C115 PNIC II 10/100BaseTX> port 0xa800-0xa8ff mem 0xe0800000-0xe08000ff irq 10 at device 11.0 on pci0
dc1: Ethernet address: 00:a0:cc:33:e1:f6
miibus1: <MII bus> on dc1
dcphy0: <Intel 21143 NWAY media interface> on miibus1
dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
isa0: too many dependant configs (8)
isa0: unexpected small tag 14
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
pmtimer0 on isa0
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 10 packets/entry by default
ad0: DMA limited to UDMA33, non-ATA66 cable or device
ad0: 19623MB <IBM-DTLA-305020> [39870/16/63] at ata0-master UDMA33
acd0: CDROM <SONY CD-ROM CDU4821> at ata0-slave PIO4
Mounting root from ufs:/dev/ad0s1a
Thanks,
Jim C.
> -----Original Message-----
> From: JJB [mailto:Barbish3 at adelphia.net]
> Sent: Saturday, July 31, 2004 10:28 AM
> To: James A. Coulter; freebsd-questions at freebsd.org
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
>
> You better re-read what you posted in early post. You posted
> that dc1 is your outside NIC, which is connected to your
> cable modem which is connected to your ISP. Your outside NIC
> needs DHCP to get ip and dns info from your ISP. NOW YOU SAY
> dc1 IS INSIDE INTERFACE NAME. Make up your mind which is correct.
>
> Verify you have correct interface name coded in ipfw rules
> for NIC connected to cable modem and that the same NIC
> interface name is the one in rc.conf with DHCP option. When
> DHCP gets DNS info from ISP /etc/resolv.conf will be auto
> updated with correct info. Read comments in sample firewall
> source and follow what comments say. You are making this
> harder than it really is.
>
> Also there is no setup option on UDP packets just keepstate
>
> Post full contents of your current dmesg.boot, rc.conf, ipfw
> rule set, and ipfw log files so people can see just what you
> have configured. And answer question of how you are
> assigning ip address to LAN PCs? Also post output of ifconfig
> -a command after boot completes.
>
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
> James A. Coulter
> Sent: Saturday, July 31, 2004 9:55 AM
> To: freebsd-questions at freebsd.org
> Cc: Barbish3 at adelphia.net
> Subject: RE: Firewall Rule Set not allowing access to DNS servers?
>
> Thanks for the response. . .
>
> I changed rule 00005 from xl0 to dc0 - thanks
>
> Not sure why I would want my inside nic requesting DHCP
> service from my ISP. It has been working fine in the
> configuration I have it so I've left it the way it is.
>
> I checked the security log, and found this:
>
> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
> Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1
>
> These are the three name servers specified in the rule set
>
> I checked the rule set and found this:
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
> $cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
> $cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
>
> Because security said the firewall was denying UDP packets, I
> changed the rules to this:
>
> $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
> $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
> $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state
>
> But that hasn't helped. I'm still getting:
>
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
> Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
>
> FWIW, these rules are skipping to:
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> I apologize for being such a bother and I do appreciate any
> help or suggestions.
>
> TIA
>
> Jim C.
>
>
>
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of JJB
> > Sent: Friday, July 30, 2004 1:20 PM
> > To: James A. Coulter; freebsd-questions at freebsd.org
> > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
> >
> >
> > Change this ipfw rule from
> >
> > 00005 allow ip from any to any via xl0
> >
> > To
> > 00005 allow ip from any to any via dc0
> >
> > because dc0 is the lan interface name and not xl0.
> >
> >
> > Change these statements in rc.conf because you have interface name
> > backwards. Dc1 is the NIC connected to your cable modem and you want
> > to get DHCP info from your ISP. Dc0 is the NIC connected to your LAN.
> >
> > From
> > ifconfig_dc1="DHCP"
> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> >
> > to
> > ifconfig_dc0="DHCP"
> > ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
> >
> >
> > You do not say how your LAN PCs get their ip address.
> > You can hard code them on each LAN PC
> > or you have to run isc-dhcp-server on your Gateway box to auto assign
> > ip address to LAN PCs.
> >
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of James A.
> > Coulter
> > Sent: Friday, July 30, 2004 10:56 AM
> > To: freebsd-questions at freebsd.org
> > Subject: Firewall Rule Set not allowing access to DNS servers?
> >
> > I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My
> > outside interface (dc1) is connected to a cable modem and is
> > configured for DHCP.
> >
> > I have compiled and installed a custom kernel with IPFIREWALL and
> > IPDIVERT options and with a rule set allowing any to any with no
> > problems
> >
> > I am in the process of adding a proper rule set to provide security. I
> > was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
> > installed the Stateful + NATD Rule Set modified for my
> > outside interface, domain name servers, and DHCP server.
> >
> > I can ping IP addresses and pass SMTP mail back and forth from the
> > gateway/router and all machines on the LAN, but I cannot ping URLs - I
> > am getting "ping: cannot resolve www.freebsd.org: Host name lookup failure" errors.
> >
> >
> > This is what ipfw -a list looks like:
> >
> > sara# ipfw -a list
> > 00005 0 0 allow ip from any to any via xl0
> > 00010 52 3640 allow ip from any to any via lo0
> > 00014 0 0 divert 8668 ip from any to any in recv dc1
> > 00015 0 0 check-state
> > 00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
> > 00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
> > 00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
> > 00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
> > 00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
> > 00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
> > 00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
> > 00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
> > 00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
> > 00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
> > 00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
> > 00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
> > 00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
> > 00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
> > 00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
> > 00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
> > 00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
> > 00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
> > 00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
> > 00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
> > 00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
> > 00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
> > 00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
> > 00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
> > 00315 0 0 deny tcp from any to any 113 in recv dc1
> > 00320 0 0 deny tcp from any to any 137 in recv dc1
> > 00321 0 0 deny tcp from any to any 138 in recv dc1
> > 00322 0 0 deny tcp from any to any 139 in recv dc1
> > 00323 0 0 deny tcp from any to any 81 in recv dc1
> > 00330 0 0 deny ip from any to any in recv dc1 frag
> > 00332 0 0 deny tcp from any to any in recv dc1 established
> > 00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
> > 00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
> > 00370 0 0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
> > 00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
> > 00400 0 0 deny log logamount 10 ip from any to any in recv dc1
> > 00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
> > 00800 0 0 divert 8668 ip from any to any out xmit dc1
> > 00801 645 59255 allow ip from any to any
> > 00999 0 0 deny log logamount 10 ip from any to any
> > 65535 1 347 deny ip from any to any
> > This is what my /etc/rc.conf looks like:
> >
> > hostname="sara.mshome.net"
> > ifconfig_dc1="DHCP"
> > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
> > firewall_enable="YES"
> > firewall_script="/etc/ipfw.rules"
> > firewall_logging="YES"
> > kern_securelevel_enable="NO"
> > linux_enable="YES"
> > moused_enable="YES"
> > named_enable="YES"
> > nfs_client_enable="YES"
> > nfs_reserved_port_only="YES"
> > nfs_server_enable="YES"
> > sendmail_enable="YES"
> > sshd_enable="YES"
> > usbd_enable="YES"
> > ntpd_enable="YES"
> > inetd_enable="YES"
> > gateway_enable="YES"
> > natd_enable="YES"
> > natd_interface="dc1"
> > natd_flags="-dynamic"
> >
> > Finally, this is what /etc/resolv.conf looks like:
> >
> > sara# more /etc/resolv.conf
> > search pn.at.cox.net
> > nameserver 68.105.161.20
> > nameserver 68.1.18.25
> > nameserver 68.10.16.30
> >
> > Any ideas?
> >
> > Thanks,
> >
> > Jim C.
> >
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe at freebsd.org"
> >
>
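The whole thread turns on one word in the rule set: `setup` is a TCP-flags match (SYN set, ACK clear), so the udp DNS rules that carry it can never match a resolver query, and the query falls through to rule 550, which is exactly what the security log records. Whether ipfw refuses such a rule at load time or installs one that never fires, the walk ends the same way. The following is an added illustration, not code from the thread or from the a1poweruser sample: a small Python model that parses ipfw-style rule lines, walks them in order for one packet and reports which rule decides it, plus a lint that flags `setup` on non-TCP rules. The rule excerpt is constructed from the poster's set with the shell variables already expanded (pif=dc1), and the model simplifies ipfw on purpose: no dynamic state (check-state is a no-op), `me` is not modelled, and a diverted packet is assumed to continue at the next rule.

```python
"""Model of ipfw rule matching (added illustration, not the thread's own code).
Assumptions: no dynamic state, 'me' is not modelled, divert continues at the next rule."""
import ipaddress
import re

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|skipto\s+\d+|divert\s+\S+|check-state)"
    r"(?:\s+log)?"
    r"(?:\s+(?P<proto>all|ip|tcp|udp|icmp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dport>\d+))?(?P<opts>.*))?$"
)

# Constructed excerpt of the poster's rule set, written as ipfw sees it after
# the shell has expanded $cmd, $skip and $pif (pif=dc1, the outside NIC).
BROKEN_RULES = """\
005 allow all from any to any via dc0
015 check-state
020 skipto 800 udp from any to 68.105.161.20 53 out via dc1 setup keep-state
040 skipto 800 tcp from any to any 80 out via dc1 setup keep-state
500 deny log all from any to any in via dc1
550 deny log all from any to any out via dc1
800 divert natd ip from any to any out via dc1
801 allow ip from any to any
"""
# Same rules with 'setup' dropped from the udp DNS rule, as the reply advises.
FIXED_RULES = BROKEN_RULES.replace("53 out via dc1 setup keep-state", "53 out via dc1 keep-state")


def parse_rules(text):
    """One rule per line -> list of dicts sorted by rule number."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        r = m.groupdict()
        r["num"] = int(r["num"])
        r["dport"] = int(r["dport"]) if r["dport"] else None
        r["opts"] = (r["opts"] or "").split()
        rules.append(r)
    return sorted(rules, key=lambda r: r["num"])


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    if spec == "me":  # any local address; not modelled here
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    """pkt keys: proto, src, dst, dport, dir ('in'/'out'), iface, syn, ack."""
    if rule["proto"] not in ("all", "ip") and rule["proto"] != pkt["proto"]:
        return False  # also rejects check-state, whose proto is None
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    opts = rule["opts"]
    for i, tok in enumerate(opts):
        if tok in ("in", "out") and tok != pkt["dir"]:
            return False
        if tok == "via" and opts[i + 1] != pkt["iface"]:
            return False
        # 'setup' is tcpflags syn,!ack: only a TCP packet can satisfy it, so a udp rule carrying it is dead
        if tok == "setup" and not (pkt["proto"] == "tcp" and pkt["syn"] and not pkt["ack"]):
            return False
    return True


def evaluate(rules, pkt):
    """Walk the rules in number order; return (verdict, deciding rule number)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state" or not matches(r, pkt):
            i += 1
            continue
        if r["action"] in ("allow", "deny"):
            return r["action"], r["num"]
        if r["action"].startswith("skipto"):
            target = int(r["action"].split()[1])
            i = next(j for j, x in enumerate(rules) if x["num"] >= target)
            continue
        i += 1  # divert: natd re-injects the packet and processing continues
    return "deny", 65535  # ipfw's implicit default rule


def lint_setup_on_non_tcp(rules):
    """Numbers of rules whose 'setup' option can never match (proto is not tcp)."""
    return [r["num"] for r in rules if "setup" in r["opts"] and r["proto"] != "tcp"]


# Constructed packet matching the logged denials: a resolver query leaving dc1.
DNS_QUERY = dict(proto="udp", src="68.105.58.150", dst="68.105.161.20", dport=53,
                 dir="out", iface="dc1", syn=False, ack=False)

if __name__ == "__main__":
    broken, fixed = parse_rules(BROKEN_RULES), parse_rules(FIXED_RULES)
    print("dead 'setup' rules:", lint_setup_on_non_tcp(broken))  # [20]
    print("broken rule set:", evaluate(broken, DNS_QUERY))  # ('deny', 550)
    print("fixed rule set:", evaluate(fixed, DNS_QUERY))  # ('allow', 801)
```

Run as a script it reports rule 20 as dead, shows the DNS query stopping at the 550 deny in the broken set, and shows the same query reaching the skipto, the natd divert and the final allow once `setup` is removed. The lint is the check worth keeping: run it over any rule file before loading it, since the rule loads without complaint under `ipfw -q` and the only symptom is the log output seen in this thread.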