IPFW doesn't resolve host names

2006-09-20 Thread Vittorio
Dear friends,
I have a Pentium 4 FreeBSD 6.1 server connected to my office Win-XP LAN. The server smoothly runs sshd, postgresql, samba (to connect some /home share and the office Win filesystem), vncserver.
Recently I added the following IPFW firewall (I'm an absolute beginner with it) which works ** almost correctly **.
In fact, I can connect via ssh (PuTTY under WinXP), the pg database works, vncserver too, while samba connects to its local Windows share but it's unable to connect to the LAN filesystem because it is no longer possible to resolve the host names. If I ping a host the answer is invariably

ping: cannot resolve matteo: Host name lookup failure

even though I defined allow rules for port 53.

Could you please help me?
### start of example ipfw rules script #
ipfw -q -f flush   # Delete all rules
# Set defaults
oif=fxp0 # out interface
# Set defaults
gw=10.155.102.6
cmd="ipfw -q add"  # build rule prefix
ks=keep-state # just too lazy to key this each time
$cmd 00500 check-state
$cmd 00502 deny all from any to any frag
$cmd 00501 deny tcp from any to any established
$cmd 00503 allow all from any to any via lo0
$cmd 00505 deny all from any to 127.0.0.0/8
$cmd 00508 deny ip from 127.0.0.0/8 to any
$cmd 00600 allow tcp from any to me dst-port 22,80 via $oif setup $ks
$cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
$cmd 00602 allow tcp from any to me dst-port 5432,5900-5909 via $oif setup $ks
$cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
$cmd 00605 allow udp from any to me dst-port 5432,5900 via $oif setup $ks
$cmd 00606 allow tcp from any to $gw 1491
$cmd 00607 allow tcp from $gw 1491 to any
$cmd 00610 allow tcp from me to any 53 out via $oif
$cmd 00611 allow tcp from any 50 to me in via $oif
$cmd 00612 allow udp from me to any 53 out via $oif
$cmd 00613 allow udp from any 50 to me in via $oif
$cmd 00700 allow icmp from any to any via $oif
### End of example ipfw rules script

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IPFW doesn't resolve host names

2006-09-20 Thread Nick Withers
On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
Vittorio [EMAIL PROTECTED] wrote:

 Dear friends,
 I have a Pentium 4 FreeBSD 6.1 server connected to my office Win-XP LAN. The server smoothly runs sshd, postgresql, samba (to connect some /home share and the office Win filesystem), vncserver.
 Recently I added the following IPFW firewall (I'm an absolute beginner with it) which works ** almost correctly **.
 In fact, I can connect via ssh (PuTTY under WinXP), the pg database works, vncserver too, while samba connects to its local Windows share but it's unable to connect to the LAN filesystem because it is no longer possible to resolve the host names. If I ping a host the answer is invariably
 
 ping: cannot resolve matteo: Host name lookup failure
 
 even though I defined allow rules for port 53.

You have not, however, allowed replies from your DNS server(s)...

 Could you please help me?
 ### start of example ipfw rules script #
 ipfw -q -f flush   # Delete all rules
 # Set defaults
 oif=fxp0 # out interface
 # Set defaults
 gw=10.155.102.6
 cmd="ipfw -q add"  # build rule prefix
 ks=keep-state # just too lazy to key this each time
 $cmd 00500 check-state
 $cmd 00502 deny all from any to any frag
 $cmd 00501 deny tcp from any to any established
 $cmd 00503 allow all from any to any via lo0
 $cmd 00505 deny all from any to 127.0.0.0/8
 $cmd 00508 deny ip from 127.0.0.0/8 to any
 $cmd 00600 allow tcp from any to me dst-port 22,80 via $oif setup $ks
 $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
 $cmd 00602 allow tcp from any to me dst-port 5432,5900-5909 via $oif setup $ks
 $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
 $cmd 00605 allow udp from any to me dst-port 5432,5900 via $oif setup $ks
 $cmd 00606 allow tcp from any to $gw 1491
 $cmd 00607 allow tcp from $gw 1491 to any
 $cmd 00610 allow tcp from me to any 53 out via $oif

Try replacing this with $cmd 00610 allow tcp from me to any 53 out via $oif $ks.

 $cmd 00611 allow tcp from any 50 to me in via $oif
 $cmd 00612 allow udp from me to any 53 out via $oif
 $cmd 00613 allow udp from any 50 to me in via $oif
 $cmd 00700 allow icmp from any to any via $oif
 ### End of example ipfw rules script
-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446


Re: IPFW doesn't resolve host names

2006-09-20 Thread Nick Withers
On Wed, 20 Sep 2006 20:12:18 +1000
Nick Withers [EMAIL PROTECTED] wrote:

 On Wed, 20 Sep 2006 11:07:16 +0100 (GMT+01:00)
 Vittorio [EMAIL PROTECTED] wrote:
 
  Dear friends,
  I have a Pentium 4 FreeBSD 6.1 server connected to my office Win-XP LAN. The server smoothly runs sshd, postgresql, samba (to connect some /home share and the office Win filesystem), vncserver.
  Recently I added the following IPFW firewall (I'm an absolute beginner with it) which works ** almost correctly **.
  In fact, I can connect via ssh (PuTTY under WinXP), the pg database works, vncserver too, while samba connects to its local Windows share but it's unable to connect to the LAN filesystem because it is no longer possible to resolve the host names. If I ping a host the answer is invariably
  
  ping: cannot resolve matteo: Host name lookup failure
  
  even though I defined allow rules for port 53.
 
 You have not, however, allowed replies from your DNS server(s)...
 
  Could you please help me?
  ### start of example ipfw rules script #
  ipfw -q -f flush   # Delete all rules
  # Set defaults
  oif=fxp0 # out interface
  # Set defaults
  gw=10.155.102.6
  cmd="ipfw -q add"  # build rule prefix
  ks=keep-state # just too lazy to key this each time
  $cmd 00500 check-state
  $cmd 00502 deny all from any to any frag
  $cmd 00501 deny tcp from any to any established

You may want to change the ordering of the rules above in the
file so that it reads the way it'll be implemented by IPFW (I'm
guessing this is an accident, anyway).

  $cmd 00503 allow all from any to any via lo0
  $cmd 00505 deny all from any to 127.0.0.0/8
  $cmd 00508 deny ip from 127.0.0.0/8 to any
  $cmd 00600 allow tcp from any to me dst-port 22,80 via $oif setup $ks
  $cmd 00601 allow tcp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
  $cmd 00602 allow tcp from any to me dst-port 5432,5900-5909 via $oif setup $ks
  $cmd 00604 allow udp from any to me dst-port 81,137,138,139,445 via $oif setup $ks
  $cmd 00605 allow udp from any to me dst-port 5432,5900 via $oif setup $ks
  $cmd 00606 allow tcp from any to $gw 1491
  $cmd 00607 allow tcp from $gw 1491 to any
  $cmd 00610 allow tcp from me to any 53 out via $oif
 
 Try replacing this with $cmd 00610 allow tcp from me to any 53 out via $oif $ks.
 
  $cmd 00611 allow tcp from any 50 to me in via $oif
  $cmd 00612 allow udp from me to any 53 out via $oif

Sorry... and this with $cmd 00612 allow udp from me to any 53 out via $oif $ks.

  $cmd 00613 allow udp from any 50 to me in via $oif
  $cmd 00700 allow icmp from any to any via $oif
  ### End of example ipfw rules script
-- 
Nick Withers
email: [EMAIL PROTECTED]
Web: http://www.nickwithers.com
Mobile: +61 414 397 446
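Worked example added by the editor, not code from Vittorio's or Nick's posts: the two outbound DNS rules from the thread rewritten with keep-state, as both of Nick's replies suggest, plus a small lint that reads a rules script and flags outbound port-53 rules that lack it. The interface name fxp0 and the rule numbers come from the thread; the helper names (ipfw_add, dns_rules, lint_dns_rules) and the IPFW_APPLY/OIF variables are this example's own. The script only prints the rules unless IPFW_APPLY=1 is set, so it runs without ipfw installed.

```sh
#!/bin/sh
# Added example (not the poster's or the list's code): DNS rules with
# keep-state, plus a lint for rules scripts. Dry-run unless IPFW_APPLY=1.
# Interface fxp0 and rule numbers 00610/00612 are taken from the thread;
# the function and variable names below are this example's own.

oif=${OIF:-fxp0}
ks=keep-state

# ipfw_add: install a rule when applying, otherwise print what would run.
ipfw_add() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then
        ipfw -q add "$@"
    else
        printf 'ipfw -q add %s\n' "$*"
    fi
}

# dns_rules: outbound DNS queries with keep-state. The dynamic entry this
# creates is what lets the check-state rule (00500 in the thread) admit the
# reply coming back from the resolver's port 53, so no separate inbound
# "from any 53 to me" rule is needed and replies are not silently dropped.
dns_rules() {
    ipfw_add 00610 allow tcp from me to any 53 out via "$oif" setup $ks
    ipfw_add 00612 allow udp from me to any 53 out via "$oif" $ks
}

# lint_dns_rules: read a rules script on stdin and print the rule number
# (second field, after the $cmd prefix) of every outbound port-53 rule that
# carries neither the literal keep-state nor the $ks shorthand.
lint_dns_rules() {
    awk '/from me to any 53/ && /out/ && !/keep-state|[$]ks/ { print $2 }'
}

# Constructed sample: the two outbound DNS rules exactly as posted, without
# keep-state, so replies from port 53 have no rule to match.
sample_rules='$cmd 00610 allow tcp from me to any 53 out via $oif
$cmd 00612 allow udp from me to any 53 out via $oif'

if [ "${IPFW_APPLY:-0}" != "1" ]; then
    echo "Outbound DNS rules as posted that lack keep-state:"
    printf '%s\n' "$sample_rules" | lint_dns_rules
    echo "Corrected rules:"
    dns_rules
fi
```

The lint is deliberately narrow: it catches the one defect the thread diagnoses (a stateless outbound query rule paired with no usable inbound reply rule) and nothing else. It does not, for instance, notice that the posted inbound rules match source port 50 rather than 53, which is why adding keep-state to the outbound rules, rather than patching the inbound ones, is the fix that makes the rule set hang together.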