ipfw confusion

Jason Cox cscoman at gmail.com
Mon Aug 19 06:36:40 UTC 2013

Are you sure that your DNS requests are over TCP? DNS primarily uses UDP to
serve requests. TCP is used when the response data size exceeds 512 bytes
(I think), or for tasks such as zone transfers. I know a few resolver
implementations use TCP for all queries, but most I have used not. You
might want to add rules to allow UDP as well.

On Sun, Aug 18, 2013 at 11:06 PM, Gary Aitken <vagabond at blackfoot.net>wrote:

> I'm having some weird ipfw behavior, or it seems weird to me, and am
> looking
> for an explaination and then a way out.
> ipfw list
> ...
> 21109 allow tcp from any to dst-port 53 in via tun0 setup
> keep-state
> 21129 allow tcp from any to dst-port 53 in via tun0 setup
> keep-state
> ...
> 65534 deny log logamount 5 ip from any to any
> tail -f messages
> Aug 18 23:33:06 nightmare named[914]: client error
> sending response: permission denied
> is the addr of the internal interface (xl0) on the firewall
>   and is the public dns server.
> is the addr of the external interface (tun0) which is bridged
> on a
> dsl line.
> It appears that a dns request was allowed in, but the response was not
> allowed
> back out.  It seems to me the above rules 21109 and 21129 should have
> allowed
> the request in and the response back out.
> It's possible a request could come in on,
> which is why 21109 is present;
> although I know I am getting failures to reply to refresh requests
> from a secondary addressed to
> What am I missing?
> Is there a problem if the incoming rule is for tun0,
> which gets passed to named
> since is on the physical machine running named,
> but named pumps its response out on,
> relying on routing to get it to the right place,
> and that fails to match the state tracking mechanism
> which started with
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"

Jason Cox

More information about the freebsd-questions mailing list