RE: Firewall Rule Set not allowing access to DNS servers?

From: JJB (Barbish3_at_adelphia.net)
Date: 07/31/04

    To: "James A. Coulter" <james.coulter@cox.net>, <freebsd-questions@freebsd.org>
    Date: Sat, 31 Jul 2004 11:27:51 -0400
    
    

    You better re-read what you posted in your earlier post. You posted that
    dc1 is your outside NIC, which is connected to your cable modem,
    which is connected to your ISP. Your outside NIC needs DHCP to get
    IP and DNS info from your ISP. NOW YOU SAY dc1 IS THE INSIDE INTERFACE
    NAME. Make up your mind which is correct.

    Verify you have the correct interface name coded in the ipfw rules for the NIC
    connected to the cable modem, and that the same NIC interface name is the
    one in rc.conf with the DHCP option. When DHCP gets DNS info from the ISP,
    /etc/resolv.conf will be auto-updated with the correct info. Read the comments
    in the sample firewall source and follow what the comments say. You are
    making this harder than it really is.

    Also, there is no setup option on UDP packets, just keep-state.

    Post the full contents of your current dmesg.boot, rc.conf, ipfw rule
    set, and ipfw log files so people can see just what you have
    configured. And answer the question of how you are assigning IP addresses
    to LAN PCs. Also post the output of the ifconfig -a command after boot
    completes.

    -----Original Message-----
    From: owner-freebsd-questions@freebsd.org
    [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of James A.
    Coulter
    Sent: Saturday, July 31, 2004 9:55 AM
    To: freebsd-questions@freebsd.org
    Cc: Barbish3@adelphia.net
    Subject: RE: Firewall Rule Set not allowing access to DNS servers?

    Thanks for the response. . .

    I changed rule 00005 from xl0 to dc0 - thanks

    Not sure why I would want my inside NIC requesting DHCP service from
    my ISP. It has been working fine in the configuration I have it in, so I've
    left it the way it is.

    I checked the security log, and found this:

    Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
    Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
    Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1

    These are the three name servers specified in the rule set.

    I checked the rule set and found this:

    # Allow out access to my ISP's Domain name server.
    # x.x.x.x must be the IP address of your ISP's DNS
    # Dup these lines if your ISP has more than one DNS server
    # Get the IP addresses from /etc/resolv.conf file
    $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
    $cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
    $cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state

    Because security said the firewall was denying UDP packets, I changed
    the rules to this:

    $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
    $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
    $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state

    But that hasn't helped. I'm still getting:

    Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
    Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
    Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1

    FWIW, these rules are skipping to:

    # This is skipto location for outbound stateful rules
    $cmd 800 divert natd ip from any to any out via $pif
    $cmd 801 allow ip from any to any

    I apologize for being such a bother and I do appreciate any help or
    suggestions.

    TIA

    Jim C.

    > -----Original Message-----
    > From: owner-freebsd-questions@freebsd.org
    > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of JJB
    > Sent: Friday, July 30, 2004 1:20 PM
    > To: James A. Coulter; freebsd-questions@freebsd.org
    > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
    >
    >
    > Change this ipfw rule from
    >
    > 00005 allow ip from any to any via xl0
    >
    > To
    > 00005 allow ip from any to any via dc0
    >
    > because dc0 is the lan interface name and not xl0.
    >
    >
    > Change these statements in rc.conf because you have the interface
    > names backwards. dc1 is the NIC connected to your cable modem
    > and you want to get DHCP info from your ISP. dc0 is the NIC
    > connected to your LAN.
    >
    > From
    > ifconfig_dc1="DHCP"
    > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    >
    > to
    > ifconfig_dc0="DHCP"
    > ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
    >
    >
    > You do not say how your LAN PCs get their ip address.
    > You can hard code them on each LAN PC
    > or you have to run isc-dhcp-server on your Gateway box to
    > auto assign ip address to LAN PCs.
    >
    > -----Original Message-----
    > From: owner-freebsd-questions@freebsd.org
    > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
    > James A. Coulter
    > Sent: Friday, July 30, 2004 10:56 AM
    > To: freebsd-questions@freebsd.org
    > Subject: Firewall Rule Set not allowing access to DNS servers?
    >
    > I am using FreeBSD 4.10 as a gateway/router for a small home
    > LAN. My outside interface (dc1) is connected to a cable modem
    > and is configured for DHCP.
    >
    > I have compiled and installed a custom kernel with the
    > IPFIREWALL and IPDIVERT options and with a rule set allowing
    > any to any, with no problems.
    >
    > I am in the process of adding a proper rule set to provide
    > security. I was referred to
    > http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
    > installed the Stateful + NATD Rule Set modified for my
    > outside interface, domain name servers, and DHCP server.
    >
    > I can ping IP addresses and pass SMTP mail back and forth
    > from the gateway/router and all machines on the LAN, but I
    > cannot ping URLs - I am getting "ping: cannot resolve
    > www.freebsd.org: Host name lookup failure" errors.
    >
    >
    > This is what ipfw -a list looks like:
    >
    > sara# ipfw -a list
    > 00005 0 0 allow ip from any to any via xl0
    > 00010 52 3640 allow ip from any to any via lo0
    > 00014 0 0 divert 8668 ip from any to any in recv dc1
    > 00015 0 0 check-state
    > 00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
    > 00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
    > 00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
    > 00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
    > 00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
    > 00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
    > 00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
    > 00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
    > 00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
    > 00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
    > 00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
    > 00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
    > 00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
    > 00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
    > 00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
    > 00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
    > 00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
    > 00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
    > 00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
    > 00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
    > 00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
    > 00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
    > 00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
    > 00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
    > 00315 0 0 deny tcp from any to any 113 in recv dc1
    > 00320 0 0 deny tcp from any to any 137 in recv dc1
    > 00321 0 0 deny tcp from any to any 138 in recv dc1
    > 00322 0 0 deny tcp from any to any 139 in recv dc1
    > 00323 0 0 deny tcp from any to any 81 in recv dc1
    > 00330 0 0 deny ip from any to any in recv dc1 frag
    > 00332 0 0 deny tcp from any to any in recv dc1 established
    > 00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
    > 00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
    > 00370 0 0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
    > 00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
    > 00400 0 0 deny log logamount 10 ip from any to any in recv dc1
    > 00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
    > 00800 0 0 divert 8668 ip from any to any out xmit dc1
    > 00801 645 59255 allow ip from any to any
    > 00999 0 0 deny log logamount 10 ip from any to any
    > 65535 1 347 deny ip from any to any
    >
    > This is what my /etc/rc.conf looks like:
    >
    > hostname="sara.mshome.net"
    > ifconfig_dc1="DHCP"
    > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    > firewall_enable="YES"
    > firewall_script="/etc/ipfw.rules"
    > firewall_logging="YES"
    > kern_securelevel_enable="NO"
    > linux_enable="YES"
    > moused_enable="YES"
    > named_enable="YES"
    > nfs_client_enable="YES"
    > nfs_reserved_port_only="YES"
    > nfs_server_enable="YES"
    > sendmail_enable="YES"
    > sshd_enable="YES"
    > usbd_enable="YES"
    > ntpd_enable="YES"
    > inetd_enable="YES"
    > gateway_enable="YES"
    > natd_enable="YES"
    > natd_interface="dc1"
    > natd_flags="-dynamic"
    >
    > Finally, this is what /etc/resolv.conf looks like:
    >
    > sara# more /etc/resolv.conf
    > search pn.at.cox.net
    > nameserver 68.105.161.20
    > nameserver 68.1.18.25
    > nameserver 68.10.16.30
    >
    > Any ideas?
    >
    > Thanks,
    >
    > Jim C.
    >
    > _______________________________________________
    > freebsd-questions@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    > To unsubscribe, send any mail to
    > "freebsd-questions-unsubscribe@freebsd.org"
    >


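As an added example (not code from this thread or from the referenced rule-set site), a small Python checker for the two things the thread turns on: it parses "ipfw: NNN Deny UDP ..." log lines to show which rule the DNS queries are dying on, and it lints $cmd/$skip-style rule lines for the mistake JJB points out, "setup" applied to a udp rule. The rule and log lines are constructed from the ones quoted above; the "Accept" line is a constructed extra so the filter has something to ignore.

```python
import re
from collections import Counter

# Constructed sample: the three DNS rules as rewritten in the thread
# (udp combined with "setup") plus one tcp rule where "setup" belongs.
SAMPLE_RULES = [
    "$cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state",
    "$cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state",
    "$cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state",
    "$cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state",
]

# Constructed sample log lines in the thread's format: two denied DNS queries, one accepted SMTP.
SAMPLE_LOG = """\
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
Jul 31 08:31:22 sara /kernel: ipfw: 801 Accept TCP 192.168.1.10:1025 68.1.18.25:25 out via dc1
"""
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)

def parse_ipfw_log(text):
    """Return one dict per ipfw log line; lines that do not match are skipped."""
    entries = []
    for m in filter(None, map(LOG_RE.search, text.splitlines())):
        e = m.groupdict()
        e.update(rule=int(e["rule"]), sport=int(e["sport"]), dport=int(e["dport"]))
        entries.append(e)
    return entries

def summarize_denies(entries):
    """Count denied packets by (rule, proto, dport) to see what is hitting the catch-all deny."""
    return Counter((e["rule"], e["proto"], e["dport"])
                   for e in entries if e["action"] == "Deny")

def lint_rules(rules):
    """Flag rules pairing 'setup' (matches the TCP SYN that opens a connection) with a
    non-tcp protocol: UDP has no handshake, so such a rule never matches a DNS query."""
    problems = []
    for words in (line.split() for line in rules):
        if "setup" in words and "from" in words:
            proto = words[words.index("from") - 1]  # protocol token precedes "from"
            number = next((w for w in words if w.isdigit()), "?")
            if proto != "tcp":
                problems.append(f"rule {number}: 'setup' used with {proto}, remove it")
    return problems
```

Run against a real /var/log/security and the live rule script, the summary shows at a glance whether the denies are all landing on the final "deny log ... out xmit" rule, which is the sign that no earlier rule matched UDP/53 at all.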

