vagabond at blackfoot.net
Mon Aug 19 21:15:29 UTC 2013
On 08/19/13 11:53, OpenSlate ChalkDust wrote:
> On Sun, Aug 18, 2013 at 8:06 PM, Gary Aitken <vagabond at blackfoot.net> wrote:
>> I'm having some weird ipfw behavior, or it seems weird to me, and am
>> looking for an explanation and then a way out.
>> ipfw list
>> 21109 allow tcp from any to 22.214.171.124 dst-port 53 in via tun0 setup
>> 21129 allow tcp from any to 126.96.36.199 dst-port 53 in via tun0 setup
>> 65534 deny log logamount 5 ip from any to any
>> tail -f messages
>> Aug 18 23:33:06 nightmare named: client 188.8.131.52#63877: error sending response: permission denied
>> 184.108.40.206 is the addr of the internal interface (xl0) on the firewall
>> and is the public dns server.
>> 220.127.116.11 is the addr of the external interface (tun0) which is bridged on a
>> dsl line.
>> It appears that a dns request was allowed in, but the response was not
>> back out. It seems to me the above rules 21109 and 21129 should have
>> the request in and the response back out.
>> It's possible a request could come in on 18.104.22.168,
>> which is why 21109 is present;
>> although I know I am getting failures to reply to refresh requests
>> from a secondary addressed to 22.214.171.124.
>> What am I missing?
> I think you need explicit rules like
> nnnnn allow tcp from 126.96.36.199 to any dst-port 53 out via tun0 setup
Why would rules like that be necessary, given the conversation is initiated
from the outside? Shouldn't "setup keep-state" let the whole conversation,
both directions, through?
On 08/19/13 13:36, Dan Lists wrote:
> Do you have a check-state rule earlier in your rules?
> 1000 check-state
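To make the stateful question concrete, here is a small model of ipfw first-match evaluation with dynamic rules (an added example for this thread, not anything Gary, Dan or the ipfw project posted). It reproduces the quoted rule 21129 ("in via tun0 setup") and the 65534 deny: the DNS query SYN arriving on tun0 matches, but named's SYN-ACK leaving via tun0 matches no static rule and falls through to the deny, which is what the "permission denied" from sendmsg looks like from userland. With keep-state on the rule, plus a check-state rule early on (keep-state rules also probe the dynamic table when reached, per ipfw(8)), the reply hits the dynamic entry created by the SYN instead. The model is deliberately simplified and the addresses are constructed placeholders.

```python
# Toy first-match model of ipfw static and dynamic (keep-state) rules: an added example,
# not from the thread. Only tcp direction, interface, dst-port and SYN are modelled.
from collections import namedtuple
from dataclasses import dataclass

FW_EXT, CLIENT = "192.0.2.1", "203.0.113.7"   # constructed RFC 5737 placeholders
Pkt = namedtuple("Pkt", "src sport dst dport direction iface syn")

@dataclass
class Rule:
    num: int; action: str                 # 'allow', 'deny' or 'check-state'
    dport: int = 0; direction: str = ""; iface: str = ""
    setup: bool = False; keep_state: bool = False

    def matches(self, p):                 # empty field means "any"; setup means SYN only
        return ((not self.dport or p.dport == self.dport)
                and (not self.direction or p.direction == self.direction)
                and (not self.iface or p.iface == self.iface)
                and (not self.setup or p.syn))

def flow_key(p):                          # same key for both directions of a flow
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}                     # flow key -> (rule num, action)

    def evaluate(self, p):
        for r in self.rules:
            if r.action == "check-state" or r.keep_state:   # keep-state also probes state
                if hit := self.dyn.get(flow_key(p)):
                    return hit
                if r.action == "check-state":
                    continue
            if r.matches(p):
                if r.keep_state:
                    self.dyn[flow_key(p)] = (r.num, r.action)
                return (r.num, r.action)
        return (65535, "deny")            # ipfw's implicit default rule

def dns_tcp_exchange(stateful):
    rules = [Rule(21129, "allow", dport=53, direction="in", iface="tun0",
                  setup=True, keep_state=stateful), Rule(65534, "deny")]
    if stateful:
        rules.insert(0, Rule(1000, "check-state"))
    fw = Firewall(rules)
    query = Pkt(CLIENT, 63877, FW_EXT, 53, "in", "tun0", True)
    reply = Pkt(FW_EXT, 53, CLIENT, 63877, "out", "tun0", False)   # SYN-ACK back out
    return fw.evaluate(query), fw.evaluate(reply)
```

dns_tcp_exchange(False) returns the query allowed by 21129 and the reply denied by 65534; dns_tcp_exchange(True) returns both verdicts from 21129, the reply via the dynamic entry.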