Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in/var/log/security
Hello, Thought you'd like to know that the amendments you suggested works for me now. Thank you very much for the time and effort! See: $ dig . ns @c.root-servers.net ; <<>> DiG 8.3 <<>> . ns @c.root-servers.net ; (1 server found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUERY SECTION: ;; ., type = NS, class = IN ;; ANSWER SECTION: . 6D IN NSL.ROOT-SERVERS.NET. . 6D IN NSM.ROOT-SERVERS.NET. . 6D IN NSI.ROOT-SERVERS.NET. . 6D IN NSE.ROOT-SERVERS.NET. . 6D IN NSD.ROOT-SERVERS.NET. . 6D IN NSA.ROOT-SERVERS.NET. . 6D IN NSH.ROOT-SERVERS.NET. . 6D IN NSC.ROOT-SERVERS.NET. . 6D IN NSG.ROOT-SERVERS.NET. . 6D IN NSF.ROOT-SERVERS.NET. . 6D IN NSB.ROOT-SERVERS.NET. . 6D IN NSJ.ROOT-SERVERS.NET. . 6D IN NSK.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: L.ROOT-SERVERS.NET. 5w6d16h IN A198.32.64.12 M.ROOT-SERVERS.NET. 5w6d16h IN A202.12.27.33 I.ROOT-SERVERS.NET. 5w6d16h IN A192.36.148.17 E.ROOT-SERVERS.NET. 5w6d16h IN A192.203.230.10 D.ROOT-SERVERS.NET. 5w6d16h IN A128.8.10.90 A.ROOT-SERVERS.NET. 5w6d16h IN A198.41.0.4 H.ROOT-SERVERS.NET. 5w6d16h IN A128.63.2.53 C.ROOT-SERVERS.NET. 5w6d16h IN A192.33.4.12 G.ROOT-SERVERS.NET. 5w6d16h IN A192.112.36.4 F.ROOT-SERVERS.NET. 5w6d16h IN A192.5.5.241 B.ROOT-SERVERS.NET. 5w6d16h IN A128.9.0.107 J.ROOT-SERVERS.NET. 5w6d16h IN A198.41.0.10 K.ROOT-SERVERS.NET. 5w6d16h IN A193.0.14.129 ;; Total query time: 229 msec ;; FROM: Demon.vickiandstacey.com to SERVER: c.root-servers.net 192.33.4.12 ;; WHEN: Sun Oct 27 20:41:04 2002 ;; MSG SIZE sent: 17 rcvd: 436 $ On Sun, 2002-10-27 at 18:09, D. Penev wrote: > On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote: > >Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? > > [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in > > /var/log/security > >From: Stacey Roberts <[EMAIL PROTECTED]> > >To: Ruben de Groot <[EMAIL PROTECTED]> > >Cc: [EMAIL PROTECTED], > > FreeBSD Questions <[EMAIL PROTECTED]> > >Date: 27 Oct 2002 18:29:16 + > > > >Okay, > >I've been hacking about with my ipfw rules in order to nail this > >down, but I'm still coming up against a wall here.., > > > >I've made this change: > ># Allow out access to Internet Domain name server > >$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup > >keep-state > >#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup > >keep-state < > >$fwcmd add 00618 allow udp from any to any 53 out via $oif > > You forget keep-state. You rule should be: > $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state > > > > ^ > > | > > PUT THIS IN INSTEAD > > > >Now I try to query a root-server, I still get stopped by the firewall: > ># date > >Sun Oct 27 18:19:35 GMT 2002 > ># dig . ns @b.root-servers.net > > > >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net > >; (1 server found) > >;; res options: init recurs defnam dnsrch > >;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed > >out > > > >Checking logs: > ># tail /var/log/security > > > >Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 > >192.168.1.8:1642 in via sis0 > ># > > > >The previous posted (see below) informed me that using setup / > >keep-state with udp is wrong. Given the changes I've made above, what > >are the magic statements to allow my to query the root servers and allow > >their responses back in? > > > >TIA > >Stacey > > > >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote: > > > >> > > >> > Verifying relevant ipfw rules: > >> > # Allow out access to Internet Domain name server > >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup > >> > keep-state > >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup > >> > keep-state > >> > >> This la
res_nmkquery: buffer too small WAS[Re: dig . ns @b.root-servers.net- Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of"DENY UDP" mess]ages in /var/log/security]
Hi, I've made the changes to rule 00618 as you've suggested, but now I get a different error: # dig .ns @a.root-servers.net ; <<>> DiG 8.3 <<>> .ns @a.root-servers.net ; (1 server found) ;; res_nmkquery: buffer too small # dig .ns @b.root-servers.net ; <<>> DiG 8.3 <<>> .ns @b.root-servers.net ; (1 server found) ;; res_nmkquery: buffer too small # I'll not even pretend to know what that means.., Thanks for the pointer to what I missed out in the rule. Stacey On Sun, 2002-10-27 at 18:09, D. Penev wrote: > > You forget keep-state. You rule should be: > $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state > > > > ^ > > | > > PUT THIS IN INSTEAD > > > >Now I try to query a root-server, I still get stopped by the firewall: > ># date > >Sun Oct 27 18:19:35 GMT 2002 > ># dig . ns @b.root-servers.net > > > >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net > >; (1 server found) > >;; res options: init recurs defnam dnsrch > >;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed > >out > > > >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote: > > > >> > > >> > Verifying relevant ipfw rules: > >> > # Allow out access to Internet Domain name server > >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup > >> > keep-state > >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup > >> > keep-state > >> > >> This last rule is bogus. From ipfw(8): > >> > >> setup Matches TCP packets that have the SYN bit set but no ACK bit. > >> This is the short form of ``tcpflags syn,!ack''. > >> > >> "setup" is not supposed to work for UDP packets. there is no handshake as > >> in tcp connections. > >> > >> > >> > > >> > Checking ipfw rule 910: > >> > $fwcmd add 00910 deny log logamount 500 ip from any to any > >> > > >> > Why am I not able to query root servers, given my rules 00618 & 00619? > >> > > >> > I'd appreciate someone helping me out here., (or hitting me over the > >> > head if I'm missing something simple and glaringly obvious) > >> > > >> > TIA > >> > > >> > Stacey > >> > > >> > > >> > > >> > -- > >> > Stacey Roberts > >> > B.Sc (HONS) Computer Science > >> > > >> > Web: www.vickiandstacey.com > >> > > >> > >> To Unsubscribe: send mail to [EMAIL PROTECTED] > >> with "unsubscribe freebsd-questions" in the body of the message > >-- > >Stacey Roberts > >B.Sc (HONS) Computer Science > > > >Web: www.vickiandstacey.com > > > > > > -- > Regards, > D. Penev > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-questions" in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com signature.asc Description: This is a digitally signed message part
Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security
On Sun, Oct 27, 2002 at 06:29:16PM +, Stacey Roberts wrote: Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security From: Stacey Roberts <[EMAIL PROTECTED]> To: Ruben de Groot <[EMAIL PROTECTED]> Cc: [EMAIL PROTECTED], FreeBSD Questions <[EMAIL PROTECTED]> Date: 27 Oct 2002 18:29:16 + Okay, I've been hacking about with my ipfw rules in order to nail this down, but I'm still coming up against a wall here.., I've made this change: # Allow out access to Internet Domain name server $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state < $fwcmd add 00618 allow udp from any to any 53 out via $oif You forget keep-state. You rule should be: $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state ^ | PUT THIS IN INSTEAD Now I try to query a root-server, I still get stopped by the firewall: # date Sun Oct 27 18:19:35 GMT 2002 # dig . ns @b.root-servers.net ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net ; (1 server found) ;; res options: init recurs defnam dnsrch ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out Checking logs: # tail /var/log/security Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0 # The previous posted (see below) informed me that using setup / keep-state with udp is wrong. Given the changes I've made above, what are the magic statements to allow my to query the root servers and allow their responses back in? TIA Stacey On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote: > > Verifying relevant ipfw rules: > # Allow out access to Internet Domain name server > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup > keep-state > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup > keep-state This last rule is bogus. From ipfw(8): setup Matches TCP packets that have the SYN bit set but no ACK bit. This is the short form of ``tcpflags syn,!ack''. "setup" is not supposed to work for UDP packets. there is no handshake as in tcp connections. > > Checking ipfw rule 910: > $fwcmd add 00910 deny log logamount 500 ip from any to any > > Why am I not able to query root servers, given my rules 00618 & 00619? > > I'd appreciate someone helping me out here., (or hitting me over the > head if I'm missing something simple and glaringly obvious) > > TIA > > Stacey > > > > -- > Stacey Roberts > B.Sc (HONS) Computer Science > > Web: www.vickiandstacey.com > To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com -- Regards, D. Penev To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in/var/log/security
Okay, I've been hacking about with my ipfw rules in order to nail this down, but I'm still coming up against a wall here.., I've made this change: # Allow out access to Internet Domain name server $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup keep-state #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup keep-state < $fwcmd add 00618 allow udp from any to any 53 out via $oif ^ | PUT THIS IN INSTEAD Now I try to query a root-server, I still get stopped by the firewall: # date Sun Oct 27 18:19:35 GMT 2002 # dig . ns @b.root-servers.net ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net ; (1 server found) ;; res options: init recurs defnam dnsrch ;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed out Checking logs: # tail /var/log/security Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0 # The previous posted (see below) informed me that using setup / keep-state with udp is wrong. Given the changes I've made above, what are the magic statements to allow my to query the root servers and allow their responses back in? TIA Stacey On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote: > > > > Verifying relevant ipfw rules: > > # Allow out access to Internet Domain name server > > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup > > keep-state > > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup > > keep-state > > This last rule is bogus. From ipfw(8): > > setup Matches TCP packets that have the SYN bit set but no ACK bit. > This is the short form of ``tcpflags syn,!ack''. > > "setup" is not supposed to work for UDP packets. there is no handshake as > in tcp connections. > > > > > > Checking ipfw rule 910: > > $fwcmd add 00910 deny log logamount 500 ip from any to any > > > > Why am I not able to query root servers, given my rules 00618 & 00619? > > > > I'd appreciate someone helping me out here., (or hitting me over the > > head if I'm missing something simple and glaringly obvious) > > > > TIA > > > > Stacey > > > > > > > > -- > > Stacey Roberts > > B.Sc (HONS) Computer Science > > > > Web: www.vickiandstacey.com > > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-questions" in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com signature.asc Description: This is a digitally signed message part
Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security
On Sun, Oct 27, 2002 at 05:18:10PM +, Stacey Roberts wrote: > Just checked against http://www.pgp.net/wwwkeys.html to verify: > > pub 2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]> > Key fingerprint = 04 2E 82 F6 3E 78 25 14 42 84 90 E7 B7 B1 F7 26 > > Verbose: > Public Key Server -- Verbose Index ``0xDC92FBD7 '' > > Type bits/keyIDDate User ID > pub 2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]> > Key fingerprint = 04 2E 82 F6 3E 78 25 14 42 84 90 E7 B7 B1 F7 26 > > New! attempt to lookup keyholder on biglumber.com. > sig 0x10 DC92FBD7 2002-08-03 [selfsig] > > Unless I'm missing something., so do enlighten me, please. It doesn't verify here either. I think it's because you haven't added the email address you post from as an alias. Ceri -- you can't see when light's so strong you can't see when light is gone To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in/var/log/security
Just checked against http://www.pgp.net/wwwkeys.html to verify: pub 2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]> Key fingerprint = 04 2E 82 F6 3E 78 25 14 42 84 90 E7 B7 B1 F7 26 Verbose: Public Key Server -- Verbose Index ``0xDC92FBD7 '' Type bits/keyIDDate User ID pub 2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]> Key fingerprint = 04 2E 82 F6 3E 78 25 14 42 84 90 E7 B7 B1 F7 26 New! attempt to lookup keyholder on biglumber.com. sig 0x10 DC92FBD7 2002-08-03 [selfsig] Unless I'm missing something., so do enlighten me, please. Stacey On Sun, 2002-10-27 at 17:06, Daniel Harris wrote: > On Sun, Oct 27, 2002 at 04:48:34PM +, Stacey Roberts wrote: > -snip- > > Just letting you know that the pgp sig on this message > did not verify with my gnupg 1.2.1. > > -- > Daniel Harris -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com signature.asc Description: This is a digitally signed message part
Re: dig . ns @b.root-servers.net - Connection refused. WHY?[related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in/var/log/security
Hi Ruben, Thanks much for the reply - comments inline..., > > Verifying relevant ipfw rules: > > # Allow out access to Internet Domain name server > > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup > > keep-state > > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup > > keep-state > > This last rule is bogus. From ipfw(8): > > setup Matches TCP packets that have the SYN bit set but no ACK bit. > This is the short form of ``tcpflags syn,!ack''. > > "setup" is not supposed to work for UDP packets. there is no handshake as > in tcp connections. Okay, I see what you mean about rule 00619 (probably explains why this rule never appears in ipfw l), and as such, I have three questions based on rule 00619 being bogus: 1] Is this the reason why I am unable to query root-servers? 2] Do I remove it completely - would ipfw still be secure without it completely? 3] If not, should I just amend as: $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state Based on ipfw (8): ### A similar approach can be used for UDP, where an UDP packet coming from the inside will install a dynamic rule to let the response through the firewall: ipfw add check-state ipfw add allow udp from my-subnet to any ipfw add deny udp from any to any $fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state CHANGE TO: $fwcmd add allow udp from any to any 53 out via $oif $fwcmd add deny udp from any to any 53 in via $oif I'm basing the above amendments based on: I have a check-state at rule 00500 >From the make up of my rule-set, I do not have a rule and explicitly denies udp to port 53 per-se. More clearly, I have these deny rules in place at the moment: $ grep -i deny fwrules $fwcmd add 00020 deny log ip from me to any in $fwcmd add 00030 deny log tcp from any to any in tcpflags syn,fin $fwcmd add 00100 deny udp from any to any 520 in via $oif $fwcmd add 00502 deny all from any to any frag $fwcmd add 00501 deny tcp from any to any established $fwcmd add 00850 deny log ip from me to me in via $oif $fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif $fwcmd add 00900 deny log all from any to any in via $oif $fwcmd add 00910 deny log logamount 500 ip from any to any $ None of which explicitly applies to DNS. I make this point as there *are* udp packets I want to allow in via $oif - 137 - 139 Thanks again for the reply Ruben. If I'm not clear enough in my explanations, I'm quite happy to post my complete rule-set to you (off-list) if you need it to get a better picture. Cheers! Stacey On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote: > On Sun, Oct 27, 2002 at 03:24:07PM +, Stacey Roberts typed: > > Hello, > > I don't know if this is related to post earlier today [FBSD 4.7 > > reset itself - lots of "DENY UDP" messages in /var/log/security], but > > I've been trying to trouble shoot the "DENY" messages in > > /var/log/security using dig: > > > > # dig . ns @b.root-servers.net > > > > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net > > ; (1 server found) > > ;; res options: init recurs defnam dnsrch > > ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection > > refused > > # > > I get connection refused for this. Checking security: > > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381 > > 128.9.0.107:53 out via sis0 > > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382 > > 128.9.0.107:53 out via sis0 > > # > > Checking ipfw rule 910: > > $fwcmd add 00910 deny log logamount 500 ip from any to any > > > > Why am I not able to query root servers, given my rules 00618 & 00619? > > > > I'd appreciate someone helping me out here., (or hitting me over the > > head if I'm missing something simple and glaringly obvious) > > > > TIA > > > > Stacey > > > > > > > > -- > > Stacey Roberts > > B.Sc (HONS) Computer Science > > > > Web: www.vickiandstacey.com > > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-questions" in the body of the message -- Stacey Roberts B.Sc (HONS) Computer Science Web: www.vickiandstacey.com signature.asc Description: This is a digitally signed message part
Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" mess]ages in /var/log/security
On Sun, Oct 27, 2002 at 03:24:07PM +, Stacey Roberts typed: > Hello, > I don't know if this is related to post earlier today [FBSD 4.7 > reset itself - lots of "DENY UDP" messages in /var/log/security], but > I've been trying to trouble shoot the "DENY" messages in > /var/log/security using dig: > > # dig . ns @b.root-servers.net > > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net > ; (1 server found) > ;; res options: init recurs defnam dnsrch > ;; res_nsend to server b.root-servers.net 128.9.0.107: Connection > refused > # > I get connection refused for this. Checking security: > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381 > 128.9.0.107:53 out via sis0 > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382 > 128.9.0.107:53 out via sis0 > # > > Verifying relevant ipfw rules: > # Allow out access to Internet Domain name server > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup > keep-state > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup > keep-state This last rule is bogus. From ipfw(8): setup Matches TCP packets that have the SYN bit set but no ACK bit. This is the short form of ``tcpflags syn,!ack''. "setup" is not supposed to work for UDP packets. there is no handshake as in tcp connections. > > Checking ipfw rule 910: > $fwcmd add 00910 deny log logamount 500 ip from any to any > > Why am I not able to query root servers, given my rules 00618 & 00619? > > I'd appreciate someone helping me out here., (or hitting me over the > head if I'm missing something simple and glaringly obvious) > > TIA > > Stacey > > > > -- > Stacey Roberts > B.Sc (HONS) Computer Science > > Web: www.vickiandstacey.com > To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message