Barney Wolff wrote:

On Tue, Jul 13, 2004 at 11:55:36AM -0400, Mikhail Teterin wrote:

I'm using the `simple' template in /etc/rc.firewall to allow LAN to access
the Internet from behind the firewall (FreeBSD-stable).

There is a rule there:
# Allow DNS queries out in the world
${fwcmd} add pass udp from any to any 53 keep-state

Probably this should be a bit safer:

${fwcmd} add pass udp from ${inet} to any 53 keep-state out via de0

and, indeed, the firewall machine itself has no problems accessing the outside
name servers.

However, when the LAN-machine(s) try it, the queries time out, while the
firewall machine logs the following:

ipfw: 3400 Deny UDP name.ser.ver.ip:53 in via de0

All routers/servers from Internet does not work with 192.168 like networks since any body can use such
addresses, so this could be you problem.

All HOWTOs out there imply running a local nameserver on the firewall
machine. Is there a way to go without that, but also without opening the
firewall up to _all_ UDP packets, which happen to originate from port

What's the meaning of the "keep-state" clause in the rule above? I
thought, it "magically" allows DNS-responses to come back only, but that
does not work...

Do ipfw show and see if the keep-state rule is ever triggering - perhaps
some rule before it is already allowing the outgoing packets.

As I understand this, keep-state wouldn't allow any connection to you from port 53, till you
send any UDP packet to that machine for port 53.


[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to