On 24-May-05, at 12:09 PM, Charles Swiger wrote:
> On May 24, 2005, at 1:05 PM, Stephane Raimbault wrote:
>> Thank you for your suggestions... I think it helped me solve the
>> problem. It seems I needed to add more rules... although they
>> seem redundant to me, but they have clearly made an improvement
>> and I'm no longer getting those DNS-related errors in ipfw.log and
>> in /var/log/messages.
> I hate to ask something silly, but you do have a check-state rule
> somewhere, right?
It's not silly... what's silly is that now I'm asking how I would
check :) or what the rule would look like.
> The rules you've added permit traffic in both directions, which
> shouldn't be needed unless the stateful matching wasn't working
> right. Anyway, you don't need to use stateful rules if you permit
> traffic in both ways, but the possible tradeoff is making the
> systems more accessible to scanning and some DoS attacks using
> forged traffic.
> Not using keep-state with UDP is quite reasonable, but you might
> consider adding a "keep-state" with your TCP rules for port 53.
> You should also be aware that your nameservers will want to make
> outbound connections using TCP themselves sometimes....
You've actually kinda answered the other question I neglected to
ask... which is, would I really need the keep-state, since it seemed
to work without it being there when I did my testing earlier today.
Regarding adding keep-state to my TCP rule... would this not do the
same thing...? Am I confused... or is it just insecure to do it
this way:

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established
Thanks,
Stephane.
> --
> -Chuck
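The two approaches discussed in this exchange, side by side, as an added example that is not part of the thread or of anyone's actual rc.firewall: the "established" rule Stephane quotes versus a check-state/keep-state pair for TCP port 53. Rule numbers, the final deny, and the fwcmd default of "echo ipfw" (so the script only prints what it would load) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: ipfw rule sets for a nameserver, stateless vs stateful TCP.
# On a real host fwcmd would be "ipfw"; here it defaults to "echo ipfw" so
# running this script prints the rules instead of loading them (assumption).
fwcmd=${fwcmd:-"echo ipfw"}

# Approach 1: the rule from the mail. "established" matches any TCP packet
# with the ACK or RST bit set; it keeps no connection table, so a forged
# packet with ACK set from any source is accepted. That is the exposure to
# scanning and forged-traffic DoS that Chuck describes.
dns_rules_established() {
  ${fwcmd} add 1000 pass tcp from any to any established
  ${fwcmd} add 1010 pass tcp from any to me 53 setup
  # UDP stays stateless in both directions (sensible for DNS, per the thread)
  ${fwcmd} add 1020 pass udp from any to me 53
  ${fwcmd} add 1030 pass udp from me 53 to any
  ${fwcmd} add 1040 deny log tcp from any to any
}

# Approach 2: stateful. check-state must sit before the keep-state rules;
# keep-state adds a dynamic entry when the SYN ("setup") packet matches, and
# the rest of that connection is admitted only through check-state, so an
# unsolicited ACK packet never matches a pass rule and hits the deny.
dns_rules_stateful() {
  ${fwcmd} add 1000 check-state
  # inbound queries over TCP to our own addresses ("me")
  ${fwcmd} add 1010 pass tcp from any to me 53 setup keep-state
  # outbound TCP the nameserver itself initiates (zone transfers etc.)
  ${fwcmd} add 1020 pass tcp from me to any 53 setup keep-state
  # UDP remains stateless, as in approach 1
  ${fwcmd} add 1030 pass udp from any to me 53
  ${fwcmd} add 1040 pass udp from me 53 to any
  ${fwcmd} add 1050 deny log tcp from any to any
}

# Run stand-alone to print both rule sets for comparison.
if [ "${1:-}" = "print" ]; then
  echo "# stateless (established):"; dns_rules_established
  echo "# stateful (check-state/keep-state):"; dns_rules_stateful
fi
```

Invoke with `sh rules.sh print` to see both lists; set `fwcmd=ipfw` only on the host whose rule set you actually intend to replace.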
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"