vagabond at blackfoot.net
Mon Aug 19 06:07:06 UTC 2013
I'm having some weird ipfw behavior, or it seems weird to me, and am looking
for an explaination and then a way out.
21109 allow tcp from any to 220.127.116.11 dst-port 53 in via tun0 setup keep-state
21129 allow tcp from any to 18.104.22.168 dst-port 53 in via tun0 setup keep-state
65534 deny log logamount 5 ip from any to any
tail -f messages
Aug 18 23:33:06 nightmare named: client 22.214.171.124#63877: error sending response: permission denied
126.96.36.199 is the addr of the internal interface (xl0) on the firewall
and is the public dns server.
188.8.131.52 is the addr of the external interface (tun0) which is bridged on a
It appears that a dns request was allowed in, but the response was not allowed
back out. It seems to me the above rules 21109 and 21129 should have allowed
the request in and the response back out.
It's possible a request could come in on 184.108.40.206,
which is why 21109 is present;
although I know I am getting failures to reply to refresh requests
from a secondary addressed to 220.127.116.11
What am I missing?
Is there a problem if the incoming rule is for tun0,
which gets passed to named
since 18.104.22.168 is on the physical machine running named,
but named pumps its response out on 22.214.171.124,
relying on routing to get it to the right place,
and that fails to match the state tracking mechanism
which started with 126.96.36.199?
More information about the freebsd-questions