Firewall Rule Set not allowing access to DNS servers?

From: James A. Coulter (james.coulter_at_cox.net)
Date: 07/30/04

  • Next message: Dinesh Nair: "Re: DHCP and the "SIMPLE" option in /etc/rc.firewall"
    To: <freebsd-questions@freebsd.org>
    Date: Fri, 30 Jul 2004 09:55:53 -0500
    
    

    I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My
    outside interface (dc1) is connected to a cable modem and is configured for
    DHCP.

    I have compiled and installed a custom kernel with IPFIREWALL and IPDIVERT
    options and with a rule set allowing any to any, with no problems.

    I am in the process of adding a proper rule set to provide security. I was
    referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and installed
    the Stateful + NATD Rule Set modified for my outside interface, domain name
    servers, and DHCP server.

    I can ping IP addresses and pass SMTP mail back and forth from the
    gateway/router and all machines on the LAN, but I cannot ping URLs - I am
    getting "ping: cannot resolve www.freebsd.org: Host name lookup failure"
    errors.

    This is what ipfw -a list looks like:

    sara# ipfw -a list
    00005 0 0 allow ip from any to any via xl0
    00010 52 3640 allow ip from any to any via lo0
    00014 0 0 divert 8668 ip from any to any in recv dc1
    00015 0 0 check-state
    00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
    00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
    00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
    00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
    00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
    00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
    00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
    00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
    00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
    00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
    00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
    00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
    00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
    00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
    00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
    00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
    00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
    00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
    00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
    00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
    00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
    00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
    00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
    00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
    00315 0 0 deny tcp from any to any 113 in recv dc1
    00320 0 0 deny tcp from any to any 137 in recv dc1
    00321 0 0 deny tcp from any to any 138 in recv dc1
    00322 0 0 deny tcp from any to any 139 in recv dc1
    00323 0 0 deny tcp from any to any 81 in recv dc1
    00330 0 0 deny ip from any to any in recv dc1 frag
    00332 0 0 deny tcp from any to any in recv dc1 established
    00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
    00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
    00370 0 0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
    00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
    00400 0 0 deny log logamount 10 ip from any to any in recv dc1
    00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
    00800 0 0 divert 8668 ip from any to any out xmit dc1
    00801 645 59255 allow ip from any to any
    00999 0 0 deny log logamount 10 ip from any to any
    65535 1 347 deny ip from any to any

    This is what my /etc/rc.conf looks like:

    hostname="sara.mshome.net"
    ifconfig_dc1="DHCP"
    ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    firewall_logging="YES"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    moused_enable="YES"
    named_enable="YES"
    nfs_client_enable="YES"
    nfs_reserved_port_only="YES"
    nfs_server_enable="YES"
    sendmail_enable="YES"
    sshd_enable="YES"
    usbd_enable="YES"
    ntpd_enable="YES"
    inetd_enable="YES"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="dc1"
    natd_flags="-dynamic"

    Finally, this is what /etc/resolv.conf looks like:

    sara# more /etc/resolv.conf
    search pn.at.cox.net
    nameserver 68.105.161.20
    nameserver 68.1.18.25
    nameserver 68.10.16.30

    Any ideas?

    Thanks,

    Jim C.

    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
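    Editor's note on the listing above. The only port-53 rules in the set are 20-22, and they are TCP rules with `setup`, so they match connection-opening TCP segments only; there is no rule that passes UDP to the three resolvers in resolv.conf. A stub resolver sends its queries over UDP first, and an outbound UDP datagram on dc1 that matches none of the skipto rules falls through to rule 450, which is the only outbound deny in the listing with a non-zero counter (81 packets). The script below is an added example, not code from the post or from the a1poweruser rule set it cites: it parses a constructed copy of the listing (a subset of the posted rules, wrapped lines rejoined), replays a UDP query and a TCP connection attempt from a LAN host (192.168.1.10 is an assumed address on the posted dc0 network) to each resolver, and then repeats the walk with three assumed UDP/53 rules added (rule numbers 23-25 are my choice). It consults no keep-state table and treats `divert` as "continue at the next rule", which is what natd's re-injection amounts to for this question.

```python
"""Replay an `ipfw -a list` dump for one packet, following skipto and divert.
Added example, not code from the post or the rule-set page it cites. Rules are
a constructed subset of the posted listing (wrapped lines rejoined); resolvers
are the three from resolv.conf. No keep-state table is consulted; divert falls
through to the next rule, as it does once natd re-injects the packet."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

POSTED_RULES = """\
00014 0 0 divert 8668 ip from any to any in recv dc1
00015 0 0 check-state
00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
00800 0 0 divert 8668 ip from any to any out xmit dc1
00801 645 59255 allow ip from any to any
65535 1 347 deny ip from any to any
"""
# Assumed fix, not from the post: one UDP/53 rule per resolver (numbers 23-25 are mine).
UDP_DNS_RULES = """\
00023 0 0 skipto 800 udp from any to 68.105.161.20 53 keep-state out xmit dc1
00024 0 0 skipto 800 udp from any to 68.1.18.25 53 keep-state out xmit dc1
00025 0 0 skipto 800 udp from any to 68.10.16.30 53 keep-state out xmit dc1
"""
NAMESERVERS = ["68.105.161.20", "68.1.18.25", "68.10.16.30"]  # from resolv.conf

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+\d+\s+(?P<action>allow|deny|check-state|skipto \d+|divert \d+)"
    r"(?: log(?: logamount \d+)?)?"
    r"(?: (?P<proto>ip|tcp|udp|icmp) from (?P<src>\S+) to (?P<dst>\S+)(?: (?P<dport>\d+))?(?P<opts>.*))?$")

@dataclass
class Rule:
    num: int; pkts: int; action: str; target: Optional[int]; proto: Optional[str]
    src: str; dst: str; dport: Optional[int]; opts: List[str]

@dataclass
class Packet:
    proto: str; src: str; dst: str; dport: int; direction: str; iface: str
    syn: bool = False            # connection-opening TCP segment, what `setup` matches
    from_gateway: bool = False   # sent by the firewall host itself, what `me` matches

def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed ipfw line: " + line)
        act = m["action"].split()
        rules.append(Rule(int(m["num"]), int(m["pkts"]), act[0], int(act[1]) if len(act) > 1 else None,
                          m["proto"], m["src"] or "", m["dst"] or "",
                          int(m["dport"]) if m["dport"] else None, (m["opts"] or "").split()))
    return sorted(rules, key=lambda r: r.num)   # the kernel searches in rule-number order

def _addr_match(spec: str, addr: str, is_me: bool) -> bool:
    if spec in ("any", "me"):
        return spec == "any" or is_me
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r: Rule, p: Packet) -> bool:
    o = r.opts
    if r.action == "check-state" or r.proto not in ("ip", p.proto):
        return False
    if not (_addr_match(r.src, p.src, p.from_gateway) and _addr_match(r.dst, p.dst, False)):
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if ("out" in o or "in" in o) and p.direction not in o:   # a direction keyword is present
        return False
    if any(kw in o and o[o.index(kw) + 1] != p.iface for kw in ("xmit", "recv", "via")):
        return False
    if "setup" in o and not (p.proto == "tcp" and p.syn):
        return False
    return "frag" not in o and "established" not in o   # modelled packets: no fragments, no mid-stream TCP

def walk(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """Terminal (action, rule number) for p; skipto jumps, divert falls through."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if rule_matches(r, p) and r.action in ("allow", "deny"):
            return r.action, r.num
        if rule_matches(r, p) and r.action == "skipto":
            i = next((k for k, x in enumerate(rules) if x.num >= r.target), len(rules))
        else:
            i += 1
    return "deny", 65535   # the implicit default rule

def dns_verdicts(rules, nameservers, src="192.168.1.10"):   # src: assumed LAN host on dc0
    """Fate of a UDP query and of a TCP connection attempt to each resolver, leaving dc1."""
    return {ns: {"udp": walk(rules, Packet("udp", src, ns, 53, "out", "dc1")),
                 "tcp": walk(rules, Packet("tcp", src, ns, 53, "out", "dc1", syn=True))}
            for ns in nameservers}

def firing_deny_rules(rules):
    """Deny rules whose packet counter is non-zero: where traffic is actually dying."""
    return [(r.num, r.pkts) for r in rules if r.action == "deny" and r.pkts > 0]
```

    With the posted rules every UDP query to the resolvers ends at rule 450 (deny) while the TCP attempts reach rule 801 (allow); with the three added rules the UDP queries reach 801 as well. On the box itself the equivalent of the added rules would be `ipfw add 23 skipto 800 udp from any to 68.105.161.20 53 keep-state out xmit dc1` and so on for the other two resolvers, and the quickest confirmation of the diagnosis without any code is to run `ipfw -a list` before and after a `host` or `ping` of a hostname and watch whether the packet counter on rule 450 moves.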

