Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]

2002-10-27 Thread Stacey Roberts
Hello,
 Thought you'd like to know that the amendments you suggested work
for me now. 

Thank you very much for the time and effort! See:
$ dig . ns @c.root-servers.net

; <<>> DiG 8.3 <<>> . ns @c.root-servers.net 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;  ., type = NS, class = IN

;; ANSWER SECTION:
.   6D IN NS L.ROOT-SERVERS.NET.
.   6D IN NS M.ROOT-SERVERS.NET.
.   6D IN NS I.ROOT-SERVERS.NET.
.   6D IN NS E.ROOT-SERVERS.NET.
.   6D IN NS D.ROOT-SERVERS.NET.
.   6D IN NS A.ROOT-SERVERS.NET.
.   6D IN NS H.ROOT-SERVERS.NET.
.   6D IN NS C.ROOT-SERVERS.NET.
.   6D IN NS G.ROOT-SERVERS.NET.
.   6D IN NS F.ROOT-SERVERS.NET.
.   6D IN NS B.ROOT-SERVERS.NET.
.   6D IN NS J.ROOT-SERVERS.NET.
.   6D IN NS K.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12
M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33
I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17
E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10
D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90
A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4
H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53
C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12
G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4
F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241
B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107
J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10
K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129

;; Total query time: 229 msec
;; FROM: Demon.vickiandstacey.com to SERVER: c.root-servers.net  192.33.4.12
;; WHEN: Sun Oct 27 20:41:04 2002
;; MSG SIZE  sent: 17  rcvd: 436
$

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
> On Sun, Oct 27, 2002 at 06:29:16PM +0000, Stacey Roberts wrote:
> >Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY?
> >     [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in
> > /var/log/security]
> >From: Stacey Roberts <[EMAIL PROTECTED]>
> >To: Ruben de Groot <[EMAIL PROTECTED]>
> >Cc: [EMAIL PROTECTED],
> > FreeBSD Questions <[EMAIL PROTECTED]>
> >Date: 27 Oct 2002 18:29:16 +
> >
> >Okay,
> >I've been hacking about with my ipfw rules in order to nail this
> >down, but I'm still coming up against a wall here.., 
> >
> >I've made this change:
> ># Allow out access to Internet Domain name server
> >$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
> >keep-state 
> >#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
> >keep-state < 
> >$fwcmd add 00618 allow udp from any to any 53 out via $oif
> 
> You forgot keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state 
> 
> 
> >  ^
> >  |
> >   PUT THIS IN INSTEAD
> >
> >Now I try to query a root-server, I still get stopped by the firewall:
> ># date
> >Sun Oct 27 18:19:35 GMT 2002
> ># dig . ns @b.root-servers.net
> >
> >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> >; (1 server found)
> >;; res options: init recurs defnam dnsrch
> >;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
> >out
> >
> >Checking logs:
> ># tail /var/log/security
> >
> >Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
> >192.168.1.8:1642 in via sis0
> ># 
> >
> >The previous poster (see below) informed me that using setup /
> >keep-state with udp is wrong. Given the changes I've made above, what
> >are the magic statements to allow me to query the root servers and allow
> >their responses back in?
> >
> >TIA
> >Stacey
> >
> >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> >
> >> > 
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> >> > keep-state 
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> >> > keep-state
> >> 
> >> This la

res_nmkquery: buffer too small WAS [Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]]

2002-10-27 Thread Stacey Roberts
Hi,
  I've made the changes to rule 00618 as you've suggested, but now I get
a different error:
# dig .ns @a.root-servers.net

; <<>> DiG 8.3 <<>> .ns @a.root-servers.net 
; (1 server found)
;; res_nmkquery: buffer too small

# dig .ns @b.root-servers.net

; <<>> DiG 8.3 <<>> .ns @b.root-servers.net 
; (1 server found)
;; res_nmkquery: buffer too small
# 

I'll not even pretend to know what that means.., 

Thanks for the pointer to what I missed out in the rule.

Stacey

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
> 
> You forgot keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state 
> 
> 
> >  ^
> >  |
> >   PUT THIS IN INSTEAD
> >
> >Now I try to query a root-server, I still get stopped by the firewall:
> ># date
> >Sun Oct 27 18:19:35 GMT 2002
> ># dig . ns @b.root-servers.net
> >
> >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> >; (1 server found)
> >;; res options: init recurs defnam dnsrch
> >;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
> >out

> >
> >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> >
> >> > 
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> >> > keep-state 
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> >> > keep-state
> >> 
> >> This last rule is bogus. From ipfw(8):
> >> 
> >>  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >>  This is the short form of ``tcpflags syn,!ack''.
> >> 
> >> "setup" is not supposed to work for UDP packets. There is no handshake as 
> >> in TCP connections.
> >> 
> >> 
> >> > 
> >> > Checking ipfw rule 910:
> >> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >> > 
> >> > Why am I not able to query root servers, given my rules 00618 & 00619? 
> >> > 
> >> > I'd appreciate someone helping me out here., (or hitting me over the
> >> > head if I'm missing something simple and glaringly obvious)
> >> > 
> >> > TIA 
> >> > 
> >> > Stacey
> >> > 
> >> > 
> >> > 
> >> > -- 
> >> > Stacey Roberts
> >> > B.Sc (HONS) Computer Science
> >> > 
> >> > Web: www.vickiandstacey.com
> >> > 
> >> 
> >> To Unsubscribe: send mail to [EMAIL PROTECTED]
> >> with "unsubscribe freebsd-questions" in the body of the message
> >-- 
> >Stacey Roberts
> >B.Sc (HONS) Computer Science
> >
> >Web: www.vickiandstacey.com
> >
> 
> 
> 
> -- 
> Regards,
> D. Penev
> 
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com




signature.asc
Description: This is a digitally signed message part


Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]

2002-10-27 Thread D. Penev
On Sun, Oct 27, 2002 at 06:29:16PM +, Stacey Roberts wrote:

> Subject: Re: dig . ns @b.root-servers.net - Connection refused. WHY?
> 	[related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in
> 	/var/log/security]
> From: Stacey Roberts <[EMAIL PROTECTED]>
> To: Ruben de Groot <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED],
> 	FreeBSD Questions <[EMAIL PROTECTED]>
> Date: 27 Oct 2002 18:29:16 +
> 
> Okay,
>    I've been hacking about with my ipfw rules in order to nail this
> down, but I'm still coming up against a wall here.., 
> 
> I've made this change:
> # Allow out access to Internet Domain name server
> $fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
> keep-state 
> #$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
> keep-state < 
> $fwcmd add 00618 allow udp from any to any 53 out via $oif

You forgot keep-state. Your rule should be:
$fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state 


>  ^
>  |
>   PUT THIS IN INSTEAD
> 
> Now I try to query a root-server, I still get stopped by the firewall:
> # date
> Sun Oct 27 18:19:35 GMT 2002
> # dig . ns @b.root-servers.net
> 
> ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
> out
> 
> Checking logs:
> # tail /var/log/security
> 
> Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
> 192.168.1.8:1642 in via sis0
> # 
> 
> The previous poster (see below) informed me that using setup /
> keep-state with udp is wrong. Given the changes I've made above, what
> are the magic statements to allow me to query the root servers and allow
> their responses back in?
> 
> TIA
> Stacey
> 
> On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> 
> > > 
> > > Verifying relevant ipfw rules:
> > > # Allow out access to Internet Domain name server
> > > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> > > keep-state 
> > > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> > > keep-state
> > 
> > This last rule is bogus. From ipfw(8):
> > 
> >  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >  This is the short form of ``tcpflags syn,!ack''.
> > 
> > "setup" is not supposed to work for UDP packets. There is no handshake as 
> > in TCP connections.
> > 
> > 
> > > 
> > > Checking ipfw rule 910:
> > > $fwcmd add 00910 deny log logamount 500 ip from any to any
> > > 
> > > Why am I not able to query root servers, given my rules 00618 & 00619? 
> > > 
> > > I'd appreciate someone helping me out here., (or hitting me over the
> > > head if I'm missing something simple and glaringly obvious)
> > > 
> > > TIA 
> > > 
> > > Stacey
> > > 
> > > 
> > > 
> > > -- 
> > > Stacey Roberts
> > > B.Sc (HONS) Computer Science
> > > 
> > > Web: www.vickiandstacey.com
> > > 
> > 
> --
> Stacey Roberts
> B.Sc (HONS) Computer Science
> 
> Web: www.vickiandstacey.com





--
Regards,
D. Penev

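
The log lines in this exchange show two different failures: first the outbound query itself was denied by the catch-all rule 910 ("out via sis0"), and after the rule change the reply from 128.9.0.107:53 was denied on the way back in by rule 900 ("in via sis0"). Telling those two apart from /var/log/security is the whole diagnosis, so here is an added example (not code from any post in this thread) that parses lines of the `ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>` shape and classifies each denied packet as a DNS query leaving or a DNS reply coming back. The sample log is constructed: the first two lines mirror the ones posted, with the inside address, which the post blanks out, assumed to be 192.168.1.8 as in the later line; the rest are made up for contrast.

```python
"""Triage of ipfw "Deny" lines from /var/log/security (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample. Lines 1-2 mirror the thread's log lines (inside address
# assumed to be 192.168.1.8); lines 3-5 are made up to exercise the other branches.
SAMPLE_LOG = """\
Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 192.168.1.8:1381 128.9.0.107:53 out via sis0
Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53 192.168.1.8:1642 in via sis0
Oct 27 18:20:01 Demon /kernel: ipfw: 910 Deny TCP 192.168.1.8:2001 192.33.4.12:53 out via sis0
Oct 27 18:21:15 Demon /kernel: ipfw: 900 Deny UDP 10.0.0.5:137 192.168.1.8:137 in via sis0
Oct 27 18:21:16 Demon /kernel: this line is not an ipfw event
"""

# Field layout of the kernel's ipfw log line as it appears in the thread.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)

HINTS = {
    "dns-query-out": "outbound query reached a deny rule before any allow rule matched it",
    "dns-reply-in": "reply to an outbound query denied; no dynamic (keep-state) entry or static rule let it back in",
    "other": "not part of a DNS exchange",
}


@dataclass(frozen=True)
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Return the event on this line, or None if it is not an ipfw log line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return IpfwEvent(int(g["rule"]), g["action"], g["proto"], g["src"], int(g["sport"]),
                     g["dst"], int(g["dport"]), g["direction"], g["iface"])


def classify_dns(ev: IpfwEvent) -> str:
    """Which half of a DNS exchange (if any) does this packet belong to?"""
    if ev.direction == "out" and ev.dport == 53:
        return "dns-query-out"      # our query, blocked before it left
    if ev.direction == "in" and ev.sport == 53:
        return "dns-reply-in"       # the server's answer, blocked on the way back
    return "other"


def triage(log_text: str) -> List[Dict[str, object]]:
    """Parse every line, keep the denies, and attach the DNS classification."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.action != "Deny":
            continue
        kind = classify_dns(ev)
        peer = ev.dst if kind == "dns-query-out" else ev.src   # the name server involved
        findings.append({"rule": ev.rule, "proto": ev.proto, "peer": peer,
                         "kind": kind, "hint": HINTS[kind]})
    return findings


def summary(log_text: str) -> Dict[str, int]:
    """Count denies per classification; shows at a glance which stage is failing."""
    return dict(Counter(f["kind"] for f in triage(log_text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"rule {f['rule']:>5} {f['proto']:<4} {f['kind']:<14} peer={f['peer']:<15} {f['hint']}")
    print(summary(SAMPLE_LOG))
```

Run against a real `/var/log/security` with `triage(open(path).read())`; a pile of `dns-reply-in` denies with `dns-query-out` at zero is the signature of the situation in this message: the query leaves, nothing lets the answer back.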



Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]

2002-10-27 Thread Stacey Roberts
Okay,
I've been hacking about with my ipfw rules in order to nail this
down, but I'm still coming up against a wall here.., 

I've made this change:
# Allow out access to Internet Domain name server
$fwcmd add 00617 allow tcp from any to any 53 out via $oif setup
keep-state 
#$fwcmd add 00618 allow udp from any to any 53 out via $oif setup
keep-state < 
$fwcmd add 00618 allow udp from any to any 53 out via $oif
  ^
  |
   PUT THIS IN INSTEAD

Now I try to query a root-server, I still get stopped by the firewall:
# date
Sun Oct 27 18:19:35 GMT 2002
# dig . ns @b.root-servers.net

; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_nsend to server b.root-servers.net  128.9.0.107: Operation timed
out

Checking logs:
# tail /var/log/security

Oct 27 18:19:40 Demon /kernel: ipfw: 900 Deny UDP 128.9.0.107:53
192.168.1.8:1642 in via sis0
# 

The previous poster (see below) informed me that using setup /
keep-state with udp is wrong. Given the changes I've made above, what
are the magic statements to allow me to query the root servers and allow
their responses back in?

TIA
Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:

> > 
> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> > keep-state 
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> > keep-state
> 
> This last rule is bogus. From ipfw(8):
> 
>  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>  This is the short form of ``tcpflags syn,!ack''.
> 
> "setup" is not supposed to work for UDP packets. There is no handshake as 
> in TCP connections.
> 
> 
> > 
> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> > 
> > Why am I not able to query root servers, given my rules 00618 & 00619? 
> > 
> > I'd appreciate someone helping me out here., (or hitting me over the
> > head if I'm missing something simple and glaringly obvious)
> > 
> > TIA 
> > 
> > Stacey
> > 
> > 
> > 
> > -- 
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> > 
> > Web: www.vickiandstacey.com
> > 
> 
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com






Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]

2002-10-27 Thread Ceri Davies
On Sun, Oct 27, 2002 at 05:18:10PM +, Stacey Roberts wrote:
> Just checked against http://www.pgp.net/wwwkeys.html to verify:
> 
> pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
>  Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26
> 
> Verbose:
> Public Key Server -- Verbose Index ``0xDC92FBD7 ''
> 
> Type  bits/keyIDDate   User ID
> pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
>  Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26
> 
> New!  attempt to lookup keyholder on biglumber.com.
> sig  0x10  DC92FBD7 2002-08-03  [selfsig]
> 
> Unless I'm missing something., so do enlighten me, please.

It doesn't verify here either.
I think it's because you haven't added the email address you post from
as an alias.

Ceri
-- 
you can't see when light's so strong
you can't see when light is gone




Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]

2002-10-27 Thread Stacey Roberts
Just checked against http://www.pgp.net/wwwkeys.html to verify:

pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
 Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26

Verbose:
Public Key Server -- Verbose Index ``0xDC92FBD7 ''

Type  bits/keyIDDate   User ID
pub  2048R/DC92FBD7 2002-08-03 Stacey Roberts <[EMAIL PROTECTED]>
 Key fingerprint = 04 2E 82 F6 3E 78 25 14  42 84 90 E7 B7 B1 F7 26

New!  attempt to lookup keyholder on biglumber.com.
sig  0x10  DC92FBD7 2002-08-03  [selfsig]


Unless I'm missing something., so do enlighten me, please.

Stacey


On Sun, 2002-10-27 at 17:06, Daniel Harris wrote:
> On Sun, Oct 27, 2002 at 04:48:34PM +, Stacey Roberts wrote:
> -snip-
> 
> Just letting you know that the pgp sig on this message
> did not verify with my gnupg 1.2.1.
> 
> -- 
> Daniel Harris
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com






Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]

2002-10-27 Thread Stacey Roberts
Hi Ruben,
   Thanks much for the reply - comments inline...,
> > Verifying relevant ipfw rules:
> > # Allow out access to Internet Domain name server
> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> > keep-state 
> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> > keep-state
> 
> This last rule is bogus. From ipfw(8):
> 
>  setup   Matches TCP packets that have the SYN bit set but no ACK bit.
>  This is the short form of ``tcpflags syn,!ack''.
> 
> "setup" is not supposed to work for UDP packets. There is no handshake as 
> in TCP connections.

Okay, I see what you mean about rule 00619 (probably explains why this
rule never appears in ipfw l), and as such, I have three questions based
on rule 00619 being bogus:
1] Is this the reason why I am unable to query root-servers?
2] Do I remove it completely - would ipfw still be secure without it
completely?
3] If not, should I just amend as:

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup
keep-state


Based on ipfw (8):
###
A similar approach can be used for UDP, where an UDP packet coming from
the inside will install a dynamic rule to let the response through the
firewall:
   ipfw add check-state
   ipfw add allow udp from my-subnet to any
   ipfw add deny udp from any to any

$fwcmd add 00619 allow udp from any to any 53 out via $oif setup
keep-state
 CHANGE TO:
$fwcmd add allow udp from any to any 53 out via $oif
$fwcmd add deny udp from any to any 53 in via $oif

I'm basing the above amendments on:
I have a check-state at rule 00500
From the makeup of my rule-set, I do not have a rule that explicitly
denies udp to port 53 per se.

More clearly, I have these deny rules in place at the moment:
$ grep -i deny fwrules 
$fwcmd add 00020 deny log ip from me to any in
$fwcmd add 00030 deny log tcp from any to any in tcpflags syn,fin
$fwcmd add 00100 deny udp from any to any 520 in via $oif
$fwcmd add 00502 deny all from any to any frag
$fwcmd add 00501 deny tcp from any to any established
$fwcmd add 00850 deny log ip from me to me in via $oif
$fwcmd add 00860 deny log icmp from any to me icmptype 0,8 in via $oif
$fwcmd add 00900 deny log all from any to any in via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
$ 

None of which explicitly applies to DNS. I make this point as there
*are* udp packets I want to allow in via $oif - 137 - 139

Thanks again for the reply Ruben. If I'm not clear enough in my
explanations, I'm quite happy to post my complete rule-set to you
(off-list) if you need it to get a better picture.

Cheers!

Stacey

On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> On Sun, Oct 27, 2002 at 03:24:07PM +, Stacey Roberts typed:
> > Hello,
> >  I don't know if this is related to post earlier today [FBSD 4.7
> > reset itself - lots of "DENY UDP" messages in /var/log/security], but
> > I've been trying to trouble shoot the "DENY" messages in
> > /var/log/security using dig:
> > 
> > # dig . ns @b.root-servers.net
> > 
> > ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> > ; (1 server found)
> > ;; res options: init recurs defnam dnsrch
> > ;; res_nsend to server b.root-servers.net  128.9.0.107: Connection
> > refused
> > # 
> > I get connection refused for this. Checking security:
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381
> > 128.9.0.107:53 out via sis0
> > Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382
> > 128.9.0.107:53 out via sis0
> > # 

> > Checking ipfw rule 910:
> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> > 
> > Why am I not able to query root servers, given my rules 00618 & 00619? 
> > 
> > I'd appreciate someone helping me out here., (or hitting me over the
> > head if I'm missing something simple and glaringly obvious)
> > 
> > TIA 
> > 
> > Stacey
> > 
> > 
> > 
> > -- 
> > Stacey Roberts
> > B.Sc (HONS) Computer Science
> > 
> > Web: www.vickiandstacey.com
> > 
> 
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com






Re: dig . ns @b.root-servers.net - Connection refused. WHY? [related to FBSD 4.7 reset itself - lots of "DENY UDP" messages in /var/log/security]

2002-10-27 Thread Ruben de Groot
On Sun, Oct 27, 2002 at 03:24:07PM +, Stacey Roberts typed:
> Hello,
>  I don't know if this is related to post earlier today [FBSD 4.7
> reset itself - lots of "DENY UDP" messages in /var/log/security], but
> I've been trying to trouble shoot the "DENY" messages in
> /var/log/security using dig:
> 
> # dig . ns @b.root-servers.net
> 
> ; <<>> DiG 8.3 <<>> . ns @b.root-servers.net 
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; res_nsend to server b.root-servers.net  128.9.0.107: Connection
> refused
> # 
> I get connection refused for this. Checking security:
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP :1381
> 128.9.0.107:53 out via sis0
> Oct 27 15:16:26 Demon /kernel: ipfw: 910 Deny UDP 1:1382
> 128.9.0.107:53 out via sis0
> # 
> 
> Verifying relevant ipfw rules:
> # Allow out access to Internet Domain name server
> $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> keep-state 
> $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> keep-state

This last rule is bogus. From ipfw(8):

 setup   Matches TCP packets that have the SYN bit set but no ACK bit.
 This is the short form of ``tcpflags syn,!ack''.

"setup" is not supposed to work for UDP packets. There is no handshake as 
in TCP connections.


> 
> Checking ipfw rule 910:
> $fwcmd add 00910 deny log logamount 500 ip from any to any
> 
> Why am I not able to query root servers, given my rules 00618 & 00619? 
> 
> I'd appreciate someone helping me out here., (or hitting me over the
> head if I'm missing something simple and glaringly obvious)
> 
> TIA 
> 
> Stacey
> 
> 
> 
> -- 
> Stacey Roberts
> B.Sc (HONS) Computer Science
> 
> Web: www.vickiandstacey.com
> 

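
Ruben's point above (`setup` matches only a TCP SYN, so a UDP rule carrying it never fires) and the ipfw(8) passage Stacey quotes earlier in the thread (a `keep-state` match on the outbound UDP packet installs a dynamic rule that `check-state` uses to let the reply through) together explain all three log results the thread went through. The following is an added, deliberately simplified model of that evaluation, written for this page; it is not ipfw's code and not from any post. Rule numbers 500, 617, 618/619, 900 and 910, the addresses and the port are the poster's; the matching semantics are reduced to what the thread turns on, and that reduction is an assumption of the model.

```python
"""Simplified model of ipfw rule evaluation for the thread's DNS rules (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out", relative to $oif
    syn: bool = False   # TCP flags; a UDP packet has none
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False          # ipfw "setup": TCP SYN without ACK
    keep_state: bool = False     # ipfw "keep-state": record the flow on match


class Firewall:
    """Rules tried in number order; first decisive rule wins (model, not ipfw)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic: Dict[Flow, int] = {}   # recorded flow -> rule that created it

    @staticmethod
    def _flow(p: Packet) -> Flow:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Flow:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _matches(self, r: Rule, p: Packet) -> bool:
        if r.proto != "ip" and r.proto != p.proto:
            return False
        if r.dport is not None and p.dport != r.dport:
            return False
        if r.direction is not None and p.direction != r.direction:
            return False
        # "setup" is only ever true for a TCP SYN; on UDP it can never match,
        # which is why the poster's original rule 619 never fired.
        if r.setup and not (p.proto == "tcp" and p.syn and not p.ack):
            return False
        return True

    def evaluate(self, p: Packet) -> Tuple[str, int]:
        """Return (action, rule number) of the rule that decided the packet."""
        for r in self.rules:
            # check-state, and (implicitly) any keep-state rule, consult the dynamic table
            if r.action == "check-state" or r.keep_state:
                creator = self.dynamic.get(self._flow(p), self.dynamic.get(self._reverse(p)))
                if creator is not None:
                    return ("allow", creator)   # reply belongs to a recorded flow
                if r.action == "check-state":
                    continue
            if self._matches(r, p):
                if r.keep_state:
                    self.dynamic[self._flow(p)] = r.number
                return (r.action, r.number)
        return ("deny", 65535)   # ipfw's default rule (deny unless the kernel was built to accept)


def build(udp_rule: Rule) -> Firewall:
    """The poster's rule set reduced to the rules this thread discusses."""
    return Firewall([
        Rule(500, "check-state"),
        Rule(617, "allow", "tcp", 53, "out", setup=True, keep_state=True),
        udp_rule,
        Rule(900, "deny", direction="in"),   # "deny log all from any to any in via $oif"
        Rule(910, "deny"),                   # "deny log logamount 500 ip from any to any"
    ])


# The three versions of the UDP rule that appear in the thread, in order.
ORIGINAL = Rule(619, "allow", "udp", 53, "out", setup=True, keep_state=True)
NO_STATE = Rule(618, "allow", "udp", 53, "out")
FIXED = Rule(618, "allow", "udp", 53, "out", keep_state=True)


def dns_exchange(fw: Firewall) -> List[Tuple[str, str, int]]:
    """One UDP query to b.root-servers.net and, if it got out, its reply."""
    query = Packet("udp", "192.168.1.8", 1642, "128.9.0.107", 53, "out")
    reply = Packet("udp", "128.9.0.107", 53, "192.168.1.8", 1642, "in")
    action, number = fw.evaluate(query)
    results = [("query", action, number)]
    if action == "allow":
        action, number = fw.evaluate(reply)
        results.append(("reply", action, number))
    return results


def tcp_exchange(fw: Firewall) -> List[Tuple[str, str, int]]:
    """Same over TCP, where setup + keep-state is the right combination."""
    syn = Packet("tcp", "192.168.1.8", 2001, "128.9.0.107", 53, "out", syn=True)
    synack = Packet("tcp", "128.9.0.107", 53, "192.168.1.8", 2001, "in", syn=True, ack=True)
    out = [("syn",) + fw.evaluate(syn)]
    if out[0][1] == "allow":
        out.append(("syn-ack",) + fw.evaluate(synack))
    return out


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("no keep-state", NO_STATE), ("fixed", FIXED)):
        print(f"{name:<14} {dns_exchange(build(rule))}")
    print(f"{'tcp':<14} {tcp_exchange(build(FIXED))}")
```

The three runs reproduce the thread: with the original `setup keep-state` UDP rule the query falls through to rule 910 (the "910 Deny UDP ... out via sis0" log line); with `setup` removed but `keep-state` forgotten the query leaves and the reply dies at rule 900 (the "900 Deny UDP 128.9.0.107:53 ... in via sis0" line); with `keep-state` restored the reply is matched by the dynamic entry at `check-state` rule 500 and attributed to rule 618.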