Bob,
That ruleset is a mess and it isn't that secure (uses the bidirectional
switch -b), etc. I would recommend implementing a better ruleset.
Anyway, in your ruleset:
> # Packets that are usually to be avoided routing outside...
> ipfwadm -I -a accept -S 127.0.0.0/24 -D 127.0.0.0/24 -Wlo -v
> ipfwadm -I -a deny -S 127.0.0.0/24 -D 0.0.0.0/0 -o
the bottom statement is the one that is breaking your DNS. If you
want to continue to use your ruleset, use:
ipfwadm -I -a accept -S 127.0.0.0/24 -D 127.0.0.0/24 -Wlo -v
ipfwadm -I -a accept -S 127.0.0.0/24 -D 192.168.0.0/24 -Wlo -v
ipfwadm -I -a deny -S 127.0.0.0/24 -D 0.0.0.0/0 -o
--David
At 12:35 AM 12/7/98 -0800, Bob Taylor wrote:
>In message <[EMAIL PROTECTED]>, "David A. Ranch" writes:
>>
>> >Dec 6 13:02:28 ann kernel: IP fw-in deny lo TCP 127.0.0.1:6251 192.168.0.1:25
>>
>> >L=7168 S=0x00 I=58486 F=0x0040 T=64
>> >
>> >I am at a loss on how to fix this. Any help appreciated. This is a
>> >dynamic addressed PPP link, Red Hat 5.1 on an Alpha LX164 and
>> >ipfwadm-2.3.0-5.
>>
>>
>> It looks like your loopback network is denying DNS traffic:
>>
>> - First, check to see if you do have DNS running:
>>
>> ps aux | grep named
>>
>>
>> If it's running, your IPFWADM ruleset is not configured properly.
>> Post your IPFWADM ruleset and we'll fix it.
>>
>> Until then, basically, you need the following ruleset pair (it's
>> all covered in the TrinityOS doc):
>>
>> /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S $universe -D $universe
>> /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S $universe -D $universe
>
>This is what I have so far. I don't know if it is any good or not. I don't
>even remember from whom I stole^H^H^H^H^Hborrowed it from.
>
> # Default policy of accept for input rules (isn't this one the default?)
> ipfwadm -I -p accept
>
> # Now the basics: default policy of 'deny' for firewall,
> # add 'accept' only for my local domain (192.168.0.0) PLUS the
> # masquerade switch (-m), oh.. and bidirectional too :)
> #
> ipfwadm -F -p deny
> ipfwadm -F -a accept -S 192.168.0.0/24 -D 0.0.0.0/0 -b -m -v
>
> # Anything so far is enough, but some more rules aren't that bad...
> # Avoid some 'smart' guy trying to hack the firewall to
> # masquerade/re-route his/her packets.
> #
> ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
>
> ipfwadm -I -a deny -P icmp -D 192.168.0.0 -S 0/0 0 8
> ipfwadm -I -a deny -P icmp -D 192.168.0.255 -S 0/0 0 8
>
> # Packets that are usually to be avoided routing outside...
> ipfwadm -I -a accept -S 127.0.0.0/24 -D 127.0.0.0/24 -Wlo -v
> ipfwadm -I -a deny -S 127.0.0.0/24 -D 0.0.0.0/0 -o
>
> # Masquerade from local net on local interface to anywhere.
> ipfwadm -F -a accept -m -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
> ipfwadm -F -a accept -m -S 192.168.0.0/24 -D 0.0.0.0/0
>
>Bob
>
>--
>+---------------------------------------------------------------+
>| Bob Taylor Email: [EMAIL PROTECTED] |
>|---------------------------------------------------------------|
>| Like the ad says, at 300 dpi you can tell she's wearing a |
>| swimsuit. At 600 dpi you can tell it's wet. At 1200 dpi you |
>| can tell it's painted on. I suppose at 2400 dpi you can tell |
>| if the paint is giving her a rash. (So says Joshua R. Poulson)|
>+---------------------------------------------------------------+
>
>
.----------------------------------------------------------------------------.
| David A. Ranch - Remote Access/Linux/PC hardware [EMAIL PROTECTED] |
!---- ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
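Added example, not part of the thread and not David's or Bob's code: a small Python simulator of ipfwadm input-chain (-I) matching, written under the assumption of first-match semantics with the chain's default policy applied when no rule matches (the real ipfwadm behaviour is approximated; -o, -v, -b and -m are skipped because they do not affect matching, and ports are ignored because none of the rules involved filter on them). It replays the packet from the kernel log line (127.0.0.1 -> 192.168.0.1 arriving on lo) against Bob's two loopback rules and against David's three-rule replacement, and also checks two constructed packets: a loopback-sourced packet showing up on ppp0, and one from lo aimed outside 192.168.0.0/24, both of which the replacement still denies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                       # -a accept | deny | reject
    src: ipaddress.IPv4Network        # -S
    dst: ipaddress.IPv4Network        # -D
    iface: Optional[str] = None       # -W <name>; None matches any interface
    proto: str = "all"                # -P tcp|udp|icmp; "all" matches anything


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    iface: str                        # interface the packet arrived on (input chain)


def parse_rule(cmd: str) -> Rule:
    """Parse the subset of 'ipfwadm -I -a ...' syntax used in the thread.
    Flags that do not affect matching (-I, -v, -o, -b, -m) are skipped."""
    toks = cmd.split()
    action = src = dst = iface = None
    proto = "all"
    i = 1                                   # toks[0] is 'ipfwadm'
    while i < len(toks):
        t = toks[i]
        if t == "-a":
            action, i = toks[i + 1], i + 2
        elif t == "-S":
            src, i = ipaddress.ip_network(toks[i + 1], strict=False), i + 2
        elif t == "-D":
            dst, i = ipaddress.ip_network(toks[i + 1], strict=False), i + 2
        elif t == "-P":
            proto, i = toks[i + 1].lower(), i + 2
        elif t.startswith("-W"):            # accepts both '-W lo' and the fused '-Wlo'
            if len(t) > 2:
                iface, i = t[2:], i + 1
            else:
                iface, i = toks[i + 1], i + 2
        else:
            i += 1
    if action is None or src is None or dst is None:
        raise ValueError(f"rule needs -a, -S and -D: {cmd}")
    return Rule(action, src, dst, iface, proto)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.iface is None or rule.iface == pkt.iface)
            and rule.proto in ("all", pkt.proto))


def evaluate(rules: List[Rule], pkt: Packet,
             policy: str = "accept") -> Tuple[str, Optional[int]]:
    """First matching rule decides; otherwise the chain's default policy (-p) applies.
    Returns (verdict, index of the deciding rule, or None for the policy)."""
    for n, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, n
    return policy, None


# Bob's two loopback input rules, as quoted in the thread.
ORIGINAL = [parse_rule(c) for c in (
    "ipfwadm -I -a accept -S 127.0.0.0/24 -D 127.0.0.0/24 -Wlo -v",
    "ipfwadm -I -a deny -S 127.0.0.0/24 -D 0.0.0.0/0 -o",
)]

# David's replacement: an extra accept for loopback -> LAN traffic on lo,
# placed before the catch-all deny.
FIXED = [parse_rule(c) for c in (
    "ipfwadm -I -a accept -S 127.0.0.0/24 -D 127.0.0.0/24 -Wlo -v",
    "ipfwadm -I -a accept -S 127.0.0.0/24 -D 192.168.0.0/24 -Wlo -v",
    "ipfwadm -I -a deny -S 127.0.0.0/24 -D 0.0.0.0/0 -o",
)]

# The packet from the kernel log line in the thread.
LOGGED = Packet(src="127.0.0.1", dst="192.168.0.1", proto="tcp", iface="lo")
# Constructed test packets (not from the thread).
SPOOFED_ON_PPP = Packet(src="127.0.0.1", dst="192.168.0.1", proto="tcp", iface="ppp0")
LO_TO_OUTSIDE = Packet(src="127.0.0.1", dst="10.1.2.3", proto="udp", iface="lo")

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for label, pkt in (("logged", LOGGED), ("spoofed", SPOOFED_ON_PPP),
                           ("outside", LO_TO_OUTSIDE)):
            print(f"{name:8} {label:8} -> {evaluate(rules, pkt)}")
```

With the original pair, the logged packet falls through the lo-only accept (its destination is not in 127.0.0.0/24) and hits the unrestricted deny; with the replacement, the second rule accepts it, while the deny still catches loopback-sourced packets arriving on ppp0 or destined beyond the LAN. Rule order is what matters here: the same three rules with the deny first would block everything again.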