On Tue, Apr 06, 2004 at 09:08:01PM +0300, Eddy Petrisor wrote:

> > What version of fwbuilder do you use? I have 1.0.0-2, and I can't find
> > any DNS .... no, wait! dns tcp, right?

My version is 1.1.1-1, from unstable. Actually, there is a group object called "DNS" that contains DNS UDP and DNS TCP. Allowing them outbound from your firewall/server will allow it to make DNS queries properly. Most go over DNS UDP, but DNS UDP queries that result in a response of larger than 512 bytes will typically get re-transmitted over TCP.

> > what if I leave firewall:source dest:any port:any accept, and the next,
> > src:any dest:fw port:any deny?

That's fine. I only suggested allowing DNS out because you said you couldn't get out from your firewall. Sometimes this is just a symptom of dropped DNS queries. If you are accepting all traffic out from the firewall, disregard.

> > my fw is not a DNS, just a gateway..

I'm speaking about DNS clients, not servers. If your server/firewall sends mail or you run "apt-get update" from it, you will see DNS queries originating from that box.

> > > Using the firewall object itself in the source column with "Any" in
> > > the destination column will allow traffic originating on your
> > > firewall to go anywhere, internal or out to the Internet. If you
> > > wanted to restrict traffic based on interface, you would have to use
> > > the interface object in the source column.
> > >
> > again, what version? I can't find any interface object, but hosts (I got
> > the idea, but they could have made it clearer, luckily they got the
> > idea right by now, as I see on their site and your statement...)

Sorry, what I'm referring to as "objects" is anything you drag from the left tree view into a column in any rule. In this case, an interface object is just what you see when you expand the firewall object and see the interface names listed - the one with (ip) after it can be used in a rule. The terminology might be my own.

> > > BTW, connections originating from the firewall traverse iptables'
> > > OUTPUT chain.
> > >
> > I see there are differences again, but I got the point.
> > (for me firewall-> interfaces tab->policy attached to interface..)

The rule example I gave above applied to any interface, as I meant it to be in the global firewall policy, not a specific interface policy. If you have specific interface policies, you'll have to allow outbound traffic on both the internal and external interfaces explicitly.

You might find my site helpful, http://turinglabs.com , as it has some stuff on iptables and networking, including firewall builder. It may also help to understand iptables by crafting a few rulesets by hand - there is an excellent tutorial at http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Doug
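The OUTPUT-chain rules discussed above, written out by hand as an added example (not from the thread and not generated by firewall builder): firewall-originated DNS is allowed per outgoing interface, UDP and TCP both, with everything else logged and dropped. The interface names eth0 (external) and eth1 (internal) and the resolver address 192.0.2.53 are constructed assumptions.

```shell
#!/bin/sh
# Hand-built iptables rules for traffic that originates ON the firewall itself.
# Such packets traverse the OUTPUT chain, so restriction by interface is done
# with -o (outgoing interface) rather than with a host or network object.
# Constructed assumptions: eth0 = external, eth1 = internal,
# 192.0.2.53 = upstream resolver (a documentation address, not a real one).
IPT="${IPT:-iptables}"   # IPT=echo prints the rules instead of loading them

fw_output_rules() {
    # $1 = external interface, $2 = internal interface, $3 = resolver address
    # Default for firewall-originated traffic: drop unless explicitly allowed.
    "$IPT" -P OUTPUT DROP
    # Packets belonging to flows conntrack has already seen.
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Local processes talking to themselves.
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # The firewall acting as a DNS *client*: UDP for ordinary queries, TCP for
    # the retry that happens when an answer is larger than 512 bytes.
    "$IPT" -A OUTPUT -o "$1" -p udp -d "$3" --dport 53 -j ACCEPT
    "$IPT" -A OUTPUT -o "$1" -p tcp -d "$3" --dport 53 -j ACCEPT
    # Internal side: let the firewall reach the LAN (syslog, admin sessions).
    "$IPT" -A OUTPUT -o "$2" -j ACCEPT
    # Anything else the firewall tries to originate is logged, then dropped by
    # the chain policy. A "can't get out from the firewall" symptom shows here.
    "$IPT" -A OUTPUT -j LOG --log-prefix "FW-OUTPUT-DROP: "
}

# Preview by default; set APPLY=1 (and run as root) to really load the rules.
[ "${APPLY:-0}" = 1 ] || IPT=echo
fw_output_rules eth0 eth1 192.0.2.53
```

Run it plain to see the rules it would load; if a service on the box still cannot get out, the FW-OUTPUT-DROP lines in the kernel log name the interface and destination that still need a rule.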

