IPFW doesn't resolve host names
Nick Withers
nick at nickwithers.com
Wed Sep 20 03:12:40 PDT 2006
On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
Vittorio <vdemart1 at tin.it> wrote:
> Dear friends,
> I have a pentium 4 freebsd 6.1 server connected to my office win-xp lan. The server smoothly runs sshd, postgresql, samba (to connect some /home share and the office win filesystem), vncserver.
> Recently I added the following IPFW firewall (I'm an absolute beginner with it) which works ** almost correctly **.
> In fact, I can connect via ssh (putty under winxp), the pg database works, vncserver too, while samba connects to its local windows share but it's unable to connect to the lan filesystem because it is no longer possible to resolve the host names. If I ping a host the answer is invariably
>
> ping: cannot resolve matteo: Host name lookup failure
>
> even though I defined "allow" rules for port 53.
You have not, however, allowed replies from your DNS server(s)...
> Could you please help me?
> ############### start of example ipfw rules script #############
> ipfw -q -f flush # Delete all rules
> # Set defaults
> oif="fxp0" # out interface
> # Set defaults
> gw="10.155.102.6"
> cmd="ipfw -q add " # build rule prefix
> ks="keep-state" # just too lazy to key this each time
> $cmd 00500 check-state
> $cmd 00502 deny all from any to any frag
> $cmd 00501 deny tcp from any to any established
> $cmd 00503 allow all from any to any via lo0
> $cmd 00505 deny all from any to 127.0.0.0/8
> $cmd 00508 deny ip from 127.0.0.0/8 to any
> $cmd 00600 allow tcp from any to me dst-port 22, 80 via $oif setup $ks
> $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> $cmd 00602 allow tcp from any to me dst-port 5432, 5900-5909 via $oif setup $ks
> $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
> $cmd 00605 allow udp from any to me dst-port 5432, 5900 via $oif setup $ks
> $cmd 00606 allow tcp from any to $gw 1491
> $cmd 00607 allow tcp from $gw 1491 to any
> $cmd 00610 allow tcp from me to any 53 out via $oif
Try replacing this with "$cmd 00610 allow tcp from me to any 53 out via $oif $ks".
> $cmd 00611 allow tcp from any 50 to me in via $oif
> $cmd 00612 allow udp from me to any 53 out via $oif
> $cmd 00613 allow udp from any 50 to me in via $oif
> $cmd 00700 allow icmp from any to any via $oif
> ################### End of example ipfw rules script ############
--
Nick Withers
email: nick at nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
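To illustrate the point about replies, here is an added toy model (not ipfw's code, and not part of the thread) of ipfw's check-state/keep-state evaluation run against the posted rules 500, 612 and 613: the query out to port 53 passes, the resolver's reply to the ephemeral port is dropped as the rules stand (613 only matches source port 50, and the default rule is assumed to be deny), and it passes once 612 carries keep-state. Addresses and the ephemeral port are constructed.

```python
from dataclasses import dataclass
ME = "10.155.102.20"        # constructed: the FreeBSD host's own address ("me")
RESOLVER = "10.155.102.1"   # constructed: the LAN DNS server
ANY = "any"
@dataclass(frozen=True)
class Pkt:
    proto: str; src: str; sport: int; dst: str; dport: int

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    proto: str = ANY
    src: str = ANY
    sport: object = None        # None means any port
    dst: str = ANY
    dport: object = None
    keep_state: bool = False

def matches(r, p):
    pairs = ((r.proto, p.proto), (r.src, p.src), (r.sport, p.sport), (r.dst, p.dst), (r.dport, p.dport))
    return all(w in (ANY, None) or w == g for w, g in pairs)

def evaluate(rules, pkts):
    state = set()              # flows recorded by keep-state; matched in either direction
    verdicts = []
    for p in pkts:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        verdict = "deny"       # assumes the kernel's default rule 65535 is deny
        for r in rules:
            if r.action == "check-state":
                if fwd in state or rev in state:
                    verdict = "allow"
                    break
                continue
            if matches(r, p):
                verdict = r.action
                if r.keep_state and r.action == "allow":
                    state.add(fwd)  # remember the flow so its reply passes check-state
                break
        verdicts.append(verdict)
    return verdicts

def dns_exchange(keep_state):  # rules 500, 612, 613 as posted; keep_state=True adds $ks to 612
    rules = [Rule("check-state"),
             Rule("allow", "udp", ME, None, ANY, 53, keep_state=keep_state),  # 612
             Rule("allow", "udp", ANY, 50, ME, None)]                          # 613: port 50 as posted
    query = Pkt("udp", ME, 49152, RESOLVER, 53)  # constructed ephemeral source port
    reply = Pkt("udp", RESOLVER, 53, ME, 49152)
    return evaluate(rules, [query, reply])       # [query verdict, reply verdict]
```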