ipfw confusion

OpenSlate ChalkDust openslateproj at gmail.com
Mon Aug 19 17:53:02 UTC 2013

On Sun, Aug 18, 2013 at 8:06 PM, Gary Aitken <vagabond at blackfoot.net> wrote:

> I'm having some weird ipfw behavior, or it seems weird to me, and am
> looking
> for an explaination and then a way out.
> ipfw list
> ...
> 21109 allow tcp from any to dst-port 53 in via tun0 setup
> keep-state
> 21129 allow tcp from any to dst-port 53 in via tun0 setup
> keep-state
> ...
> 65534 deny log logamount 5 ip from any to any
> tail -f messages
> Aug 18 23:33:06 nightmare named[914]: client error
> sending response: permission denied
> is the addr of the internal interface (xl0) on the firewall
>   and is the public dns server.
> is the addr of the external interface (tun0) which is bridged
> on a
> dsl line.
> It appears that a dns request was allowed in, but the response was not
> allowed
> back out.  It seems to me the above rules 21109 and 21129 should have
> allowed
> the request in and the response back out.
> It's possible a request could come in on,
> which is why 21109 is present;
> although I know I am getting failures to reply to refresh requests
> from a secondary addressed to
> What am I missing?
> I think you need explict rules like

nnnnn allow tcp from to any dst-port 53 out via tun0 setup

careful I'm just winging the syntax, better check the docsa for sure.
Gary Dunn
Open Slate Project

More information about the freebsd-questions mailing list