IPF firewalling

Alvaro J. Gurdián AJGurdian at lanoticia.com
Mon Jan 17 12:42:26 PST 2005


correction,
I meant
pass out quick on rl0 proto tcp from any to any port = 53 keep state keep frags
pass out quick on rl0 proto udp from any to any port = 53 keep state keep frags

I did it in kind of a hurry.
On Jan 17, 2005, at 3:33 PM, Alvaro J. Gurdián wrote:

> If you compiled your kernel, and added options IPFILTER_DEFAULT_BLOCK, 
> then you need to explicitly allow each service to leave the interface, 
> as well as come in thru the interface.  For example add:
> pass in quick proto tcp from any to any port = 53 keep state keep frags
> pass in quick proto udp from any to any port = 53 keep state keep frags
>
> this allows the computer to attempt to contact the DNS server 
> upstream from it.
>
> Hope this helps,
> Alvaro Gurdián Jr.
>
>
> On Jan 16, 2005, at 10:35 AM, Kövesdán Gábor wrote:
>
>> Hi,
>>
>> I have some trouble with the ipf configuration. I made the following
>> ruleset:
>>
>> pass in quick on rl0 proto udp from any to any port = 68 keep state
>> pass in quick proto udp from any to any port = 53 keep state keep frags
>> pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
>> pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
>> pass in quick on rl0 proto tcp from any to any port = 25 keep state
>> pass in quick on rl0 proto tcp from any to any port = 21 keep state
>> pass in quick on rl0 proto tcp from any to any port = 20 keep state
>> pass in quick on rl0 proto tcp from any to any port = 80 keep state
>>
>>
>> block return-rst in log quick on rl0 proto tcp from any to any
>> block return-icmp-as-dest(port-unr) in log quick on rl0 proto udp from any to any
>> block in quick on rl0 all
>>
>> pass in quick on lo0 all
>> pass out quick on lo0 all
>>
>>
>>
>> Everything seems okay except named. Neither the ISP's nameserver 
>> (set by the dhcp) nor the local nameserver works. BIND 9 wrote this 
>> to /var/log/messages:
>>
>> Jan 16 13:59:35 server named[1028]: starting BIND 9.3.0 -u named -t /usr/local/named -c /etc/named.conf
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: address in use
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: not listening on any interfaces
>> Jan 16 13:59:35 server named[1028]: /etc/named.conf:14: couldn't add command channel 127.0.0.1#953: address in use
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface re0 failed; interface ignored
>> Jan 16 13:59:35 server named[1028]: could not listen on UDP socket: permission denied
>> Jan 16 13:59:35 server named[1028]: creating IPv4 interface lo0 failed; interface ignored
>>
>>
>> The rndc doesn't matter, I'm not going to use it, but named can 
>> listen on neither the network nor the loopback interface. Could you 
>> suggest any solution for this trouble? Btw, this machine is going to 
>> be a web, dns, mail, etc. server and is being tested on an ordinary 
>> cable connection, that's why I'm using dhcp.
>>
>> Best regards,
>>
>> Gábor Kövesdán
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to 
>> "freebsd-questions-unsubscribe at freebsd.org"
>>
>
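As an added example (not from the thread or from ipf itself), a small Python check for the point made above: with IPFILTER_DEFAULT_BLOCK, the poster's `pass in ... keep state` rules only cover sessions arriving from outside, so the host's own queries to the upstream resolver on port 53 need a separate `pass out` rule on rl0. The two rulesets are constructed from the rules quoted in the thread, and the regex handles only the subset of ipf syntax those rules use.

```python
import re
# Constructed rulesets modelled on the thread: ORIGINAL is the poster's
# inbound-only ruleset, CORRECTED adds Alvaro's two "pass out" DNS rules.
ORIGINAL = """
pass in quick on rl0 proto udp from any to any port = 68 keep state
pass in quick proto udp from any to any port = 53 keep state keep frags
pass in quick on rl0 proto tcp/udp from any to any port = 42 keep state keep frags
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 keep state
block in quick on rl0 all
pass in quick on lo0 all
pass out quick on lo0 all
"""
CORRECTED = ORIGINAL + """
pass out quick on rl0 proto tcp from any to any port = 53 keep state keep frags
pass out quick on rl0 proto udp from any to any port = 53 keep state keep frags
"""

# The subset of ipf syntax used in the thread (assumption: nothing else):
#   pass <in|out> quick [on IFACE] (all | proto P from any to any port = N ...)
RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\s+quick(?:\s+on\s+(?P<iface>\S+))?\s+"
    r"(?:(?P<all>all)|proto\s+(?P<proto>\S+)\s+from\s+any\s+to\s+any"
    r"\s+port\s*=\s*(?P<port>\d+))"
)

def allowed_out(ruleset, iface):
    """Set of (proto, port) the host may initiate on `iface`; None means a
    'pass out ... all' rule on that interface permits everything."""
    allowed = set()
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("dir") != "out":
            continue
        if m.group("iface") not in (None, iface):  # no "on" = every interface
            continue
        if m.group("all"):
            return None
        for proto in m.group("proto").split("/"):   # "tcp/udp" covers both
            allowed.add((proto, int(m.group("port"))))
    return allowed

def unreachable_upstream(ruleset, iface, needed):
    """Upstream services the host itself must contact (the resolver on 53) that
    no pass-out rule permits. With IPFILTER_DEFAULT_BLOCK, 'pass in ... keep
    state' only covers sessions arriving from outside; the host's own queries
    need their own pass-out rule or they are dropped on egress."""
    allowed = allowed_out(ruleset, iface)
    return [] if allowed is None else sorted(s for s in needed if s not in allowed)
```

Running `unreachable_upstream(ORIGINAL, "rl0", [("udp", 53), ("tcp", 53)])` reports both DNS transports as blocked on egress; the same call on CORRECTED returns an empty list.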