vagabond at blackfoot.net
Mon Aug 19 21:18:15 UTC 2013
On 08/19/13 00:36, Jason Cox wrote:
> Are you sure that your DNS requests are over TCP? DNS primarily uses UDP to
> serve requests. TCP is used when the response data size exceeds 512 bytes
> (I think), or for tasks such as zone transfers. I know a few resolver
> implementations use TCP for all queries, but most I have used not. You
> might want to add rules to allow UDP as well.
There are identical rules included for udp:
21149 allow udp from any to 18.104.22.168 dst-port 53 in via tun0 keep-state
21169 allow udp from any to 22.214.171.124 dst-port 53 in via tun0 keep-state
One of the requests which is being refused is a zone transfer request from
a secondary which is a tcp request. Others are probably udp.
> On Sun, Aug 18, 2013 at 11:06 PM, Gary Aitken <vagabond at blackfoot.net>wrote:
>> I'm having some weird ipfw behavior, or it seems weird to me, and am
>> for an explaination and then a way out.
>> ipfw list
>> 21109 allow tcp from any to 126.96.36.199 dst-port 53 in via tun0 setup
>> 21129 allow tcp from any to 188.8.131.52 dst-port 53 in via tun0 setup
>> 65534 deny log logamount 5 ip from any to any
>> tail -f messages
>> Aug 18 23:33:06 nightmare named: client 184.108.40.206#63877: error
>> sending response: permission denied
>> 220.127.116.11 is the addr of the internal interface (xl0) on the firewall
>> and is the public dns server.
>> 18.104.22.168 is the addr of the external interface (tun0) which is bridged
>> on a
>> dsl line.
>> It appears that a dns request was allowed in, but the response was not
>> back out. It seems to me the above rules 21109 and 21129 should have
>> the request in and the response back out.
>> It's possible a request could come in on 22.214.171.124,
>> which is why 21109 is present;
>> although I know I am getting failures to reply to refresh requests
>> from a secondary addressed to 126.96.36.199
>> What am I missing?
>> Is there a problem if the incoming rule is for tun0,
>> which gets passed to named
>> since 188.8.131.52 is on the physical machine running named,
>> but named pumps its response out on 184.108.40.206,
>> relying on routing to get it to the right place,
>> and that fails to match the state tracking mechanism
>> which started with 220.127.116.11?
>> freebsd-questions at freebsd.org mailing list
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions