ipfw confusion
Gary Aitken
vagabond at blackfoot.net
Mon Aug 19 21:15:29 UTC 2013
On 08/19/13 11:53, OpenSlate ChalkDust wrote:
> On Sun, Aug 18, 2013 at 8:06 PM, Gary Aitken <vagabond at blackfoot.net> wrote:
>
>> I'm having some weird ipfw behavior, or it seems weird to me, and am
>> looking
>> for an explaination and then a way out.
>>
>> ipfw list
>> ...
>> 21109 allow tcp from any to 12.32.44.142 dst-port 53 in via tun0 setup
>> keep-state
>> 21129 allow tcp from any to 12.32.36.65 dst-port 53 in via tun0 setup
>> keep-state
>> ...
>> 65534 deny log logamount 5 ip from any to any
>>
>> tail -f messages
>> Aug 18 23:33:06 nightmare named[914]: client 188.231.152.46#63877: error
>> sending response: permission denied
>>
>> 12.32.36.65 is the addr of the internal interface (xl0) on the firewall
>> and is the public dns server.
>> 12.32.44.142 is the addr of the external interface (tun0) which is bridged
>> on a
>> dsl line.
>>
>> It appears that a dns request was allowed in, but the response was not
>> allowed
>> back out. It seems to me the above rules 21109 and 21129 should have
>> allowed
>> the request in and the response back out.
>>
>> It's possible a request could come in on 12.32.44.142,
>> which is why 21109 is present;
>> although I know I am getting failures to reply to refresh requests
>> from a secondary addressed to 12.32.36.65
>>
>> What am I missing?
>>
>> I think you need explict rules like
>
> nnnnn allow tcp from 12.32.44.142 to any dst-port 53 out via tun0 setup
> keep-state
Why would rules like that be necessary, given the conversation is initiated
from the outside? Shouldn't "setup keep-state" let the whole conversation,
both directions, through?
On 08/19/13 13:36, Dan Lists wrote:
> Do you have a check-state rule earlier in your rules?
>
> 1000 check-state
Yes:
00500 check-state
More information about the freebsd-questions
mailing list