RE: Firewall Rule Set not allowing access to DNS servers?

From: James A. Coulter (james.coulter_at_cox.net)
Date: 08/01/04

    To: <freebsd-questions@freebsd.org>
    Date: Sun, 1 Aug 2004 07:58:54 -0500


    I changed the DNS rules as you suggested, and the firewall works perfectly -
    thanks very much.

    This has been a great learning experience for me - thanks to all who
    responded.

    Jim C

    > -----Original Message-----
    > From: JJB [mailto:Barbish3@adelphia.net]
    > Sent: Saturday, July 31, 2004 1:08 PM
    > To: James A. Coulter; freebsd-questions@freebsd.org
    > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
    >
    >
    > Look back at the ipfw sample rule set and you will see that
    > there are both udp and tcp protocol access to DNS. Also note
    > that udp does not use setup keyword.
    >
    > # Allow out access to my ISP's Domain name server.
    > # x.x.x.x must be the IP address of your ISP's DNS
    > # Dup these lines if your ISP has more than one DNS server
    > # Get the IP addresses from /etc/resolv.conf file
    > $cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
    > $cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state
    >
    > Your DNS rules are
    > # Allow out access to my ISP's Domain name server.
    > # x.x.x.x must be the IP address of your ISP's DNS
    > # Dup these lines if your ISP has more than one DNS server
    > # Get the IP addresses from /etc/resolv.conf file
    > $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
    > $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
    > $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
    >
    > As you can see you have no tcp protocol statements.
    > Your udp rules use the setup keyword which is only for tcp rules,
    > so your udp packets never match this rule and default to
    > getting blocked, which is why you get log error messages and
    > you cannot access the public internet.
    >
    > Also if you look closely at the first 4 ipfw log messages you
    > will see the first message is about IP address 193.0.14.129 which is the
    > primary dns server pointed to by url search pn.at.cox.net in
    > /etc/resolv.conf.
    >
    > Change your DNS rules to look like this
    >
    > # Allow out access to my ISP's Domain name server.
    > # x.x.x.x must be the IP address of your ISP's DNS
    > # Dup these lines if your ISP has more than one DNS server
    > # Get the IP addresses from /etc/resolv.conf file
    > $cmd 020 $skip udp from any to 193.0.14.129 53 out via $pif keep-state
    > $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif keep-state
    > $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif keep-state
    > $cmd 023 $skip udp from any to 68.105.161.20 53 out via $pif keep-state
    > $cmd 024 $skip tcp from any to 193.0.14.129 53 out via $pif setup keep-state
    > $cmd 025 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
    > $cmd 026 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
    > $cmd 027 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
    >
    > -----Original Message-----
    > From: owner-freebsd-questions@freebsd.org
    > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
    > James A. Coulter
    > Sent: Saturday, July 31, 2004 1:09 PM
    > To: Barbish3@adelphia.net; freebsd-questions@freebsd.org
    > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
    >
    > My LAN is configured with static IP addresses, 192.168.1.x.
    >
    > I have no problems communicating within the LAN.
    >
    > I have full connectivity with the internet from every machine
    > on my LAN when the firewall is open.
    >
    > When I use the rule set in question, I can ping and send mail
    > but I cannot access the DNS servers listed in resolv.conf.
    >
    > These are the same DNS servers placed in resolv.conf when the
    > firewall is open.
    >
    > I'm sorry, but I never said dc1 was my inside nic.
    >
    > Again, I appreciate any help with this. The files you
    > requested follow.
    >
    > Here's my ifconfig -a:
    >
    > sara# ifconfig -a
    > dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    > inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    > inet6 fe80::204:5aff:fe76:55f0%dc0 prefixlen 64 scopeid 0x1
    > ether 00:04:5a:76:55:f0
    > media: Ethernet autoselect (100baseTX <full-duplex>)
    > status: active
    > dc1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    > inet6 fe80::2a0:ccff:fe33:e1f6%dc1 prefixlen 64 scopeid 0x2
    > inet 68.105.58.150 netmask 0xfffffe00 broadcast 68.105.59.255
    > ether 00:a0:cc:33:e1:f6
    > media: Ethernet autoselect (100baseTX <full-duplex>)
    > status: active
    > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
    > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    > inet6 ::1 prefixlen 128
    > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    > inet 127.0.0.1 netmask 0xff000000
    > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
    > sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
    > faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
    >
    > Here's resolv.conf:
    >
    > sara# more /etc/resolv.conf
    > search pn.at.cox.net
    > nameserver 68.105.161.20
    > nameserver 68.1.18.25
    > nameserver 68.10.16.30
    >
    > Here's the entire rule set I'm trying to use.
    >
    > I did follow the comments.
    >
    > Please note the variable pif is set to dc1, my outside nic.
    >
    > ################ Start of IPFW rules file ###############################
    > # Flush out the list before we begin.
    > ipfw -q -f flush
    > # Set rules command prefix
    > cmd="ipfw -q add"
    > skip="skipto 800"
    > pif="dc1"  # public interface name of Nic card
    >            # facing the public internet
    >
    >
    >
    > #################################################################
    > # No restrictions on Inside Lan Interface for private network
    > # Change xl0 to your Lan Nic card interface name
    > #################################################################
    > $cmd 005 allow all from any to any via dc0
    >
    > #################################################################
    > # No restrictions on Loopback Interface
    > #################################################################
    > $cmd 010 allow all from any to any via lo0
    >
    > #################################################################
    > # check if packet is inbound and nat address if it is
    > #################################################################
    > $cmd 014 divert natd ip from any to any in via $pif
    >
    > #################################################################
    > # Allow the packet through if it has previously been added to
    > # the "dynamic" rules table by an allow keep-state statement.
    > #################################################################
    > $cmd 015 check-state
    >
    > #################################################################
    > # Interface facing Public internet (Outbound Section)
    > # Interrogate session start requests originating from behind
    > # the firewall on the private network or from this gateway
    > # server destined for the public internet.
    > #################################################################
    >
    > # Allow out access to my ISP's Domain name server.
    > # x.x.x.x must be the IP address of your ISP's DNS
    > # Dup these lines if your ISP has more than one DNS server
    > # Get the IP addresses from /etc/resolv.conf file
    > $cmd 020 $skip UDP from any to 68.105.161.20 53 out via $pif setup keep-state
    > $cmd 021 $skip UDP from any to 68.1.18.25 53 out via $pif setup keep-state
    > $cmd 022 $skip UDP from any to 68.10.16.30 53 out via $pif setup keep-state
    >
    > # Allow out access to my ISP's DHCP server for cable/DSL configurations.
    > $cmd 030 $skip udp from any to 172.19.17.22 67 out via $pif keep-state
    >
    > # Allow out non-secure standard www function
    > $cmd 040 $skip tcp from any to any 80 out via $pif setup keep-state
    >
    > # Allow out secure www function https over TLS SSL
    > $cmd 050 $skip tcp from any to any 443 out via $pif setup keep-state
    >
    > # Allow out send & get email function
    > $cmd 060 $skip tcp from any to any 25 out via $pif setup keep-state
    > $cmd 061 $skip tcp from any to any 110 out via $pif setup keep-state
    >
    > # Allow out FBSD (make install & CVSUP) functions
    > # Basically give user root "GOD" privileges.
    > $cmd 070 $skip tcp from me to any out via $pif setup keep-state uid root
    >
    > # Allow out ping
    > $cmd 080 $skip icmp from any to any out via $pif keep-state
    >
    > # Allow out Time
    > $cmd 090 $skip tcp from any to any 37 out via $pif setup keep-state
    >
    > # Allow out nntp news (IE: news groups)
    > $cmd 100 $skip tcp from any to any 119 out via $pif setup keep-state
    >
    > # Allow out secure FTP, Telnet, and SCP
    > # This function is using SSH (secure shell)
    > $cmd 110 $skip tcp from any to any 22 out via $pif setup keep-state
    >
    > # Allow out whois
    > $cmd 120 $skip tcp from any to any 43 out via $pif setup keep-state
    >
    > # Allow ntp time server
    > $cmd 130 $skip udp from any to any 123 out via $pif keep-state
    >
    > #################################################################
    > # Interface facing Public internet (Inbound Section)
    > # Interrogate packets originating from the public internet
    > # destine for this gateway server or the private network.
    > #################################################################
    >
    > # Deny all inbound traffic from non-routable reserved address spaces
    > $cmd 300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
    > $cmd 301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
    > $cmd 302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
    > $cmd 303 deny all from 127.0.0.0/8 to any in via $pif     #loopback
    > $cmd 304 deny all from 0.0.0.0/8 to any in via $pif       #loopback
    > $cmd 305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
    > $cmd 306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for doc's
    > $cmd 307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster
    > $cmd 308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast
    >
    > # Deny ident
    > $cmd 315 deny tcp from any to any 113 in via $pif
    >
    > # Deny all Netbios service. 137=name, 138=datagram, 139=session
    > # Netbios is MS/Windows sharing services.
    > # Block MS/Windows hosts2 name server requests 81
    > $cmd 320 deny tcp from any to any 137 in via $pif
    > $cmd 321 deny tcp from any to any 138 in via $pif
    > $cmd 322 deny tcp from any to any 139 in via $pif
    > $cmd 323 deny tcp from any to any 81 in via $pif
    >
    > # Deny any late arriving packets
    > $cmd 330 deny all from any to any frag in via $pif
    >
    > # Deny ACK packets that did not match the dynamic rule table
    > $cmd 332 deny tcp from any to any established in via $pif
    >
    > # Allow traffic in from ISP's DHCP server. This rule must contain
    > # the IP address of your ISP's DHCP server as it's the only
    > # authorized source to send this packet type.
    > # Only necessary for cable or DSL configurations.
    > # This rule is not needed for 'user ppp' type connection to
    > # the public internet. This is the same IP address you captured
    > # and used in the outbound section.
    > $cmd 360 allow udp from 172.19.17.22 to any 68 in via $pif keep-state
    >
    > # Allow in standard www function because I have apache server
    > $cmd 370 allow tcp from any to me 80 in via $pif setup limit src-addr 2
    > $cmd 370 allow tcp from any to me 8888 in via $pif setup limit src-addr 2
    >
    > # Allow in secure FTP, Telnet, and SCP from public Internet
    > $cmd 380 allow tcp from any to me 22 in via $pif setup limit src-addr 2
    >
    > # Allow in non-secure Telnet session from public Internet
    > # labeled non-secure because ID & PW are passed over public
    > # internet as clear text.
    > # Delete this sample group if you do not have telnet server enabled.
    > # $cmd 390 allow tcp from any to me 23 in via $pif setup limit src-addr 2
    >
    > # Reject & Log all unauthorized incoming connections from the public internet
    > $cmd 500 deny log all from any to any in via $pif
    >
    > # Reject & Log all unauthorized outgoing connections to the public internet
    > $cmd 550 deny log all from any to any out via $pif
    >
    > # This is skipto location for outbound stateful rules
    > $cmd 800 divert natd ip from any to any out via $pif
    > $cmd 801 allow ip from any to any
    >
    > # Everything else is denied by default
    > # deny and log all packets that fell through to see what they are
    > $cmd 999 deny log all from any to any
    >
    >
    > ################ End of IPFW rules file ###############################
    >
    > Here's all of today's security output:
    >
    > Jul 31 07:50:36 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1649 193.0.14.129:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2671 68.105.161.20:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1042 68.1.18.25:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4365 68.10.16.30:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2365 68.105.161.20:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4325 68.1.18.25:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3378 68.10.16.30:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2952 68.105.161.20:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1359 68.1.18.25:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4738 68.10.16.30:53 out via dc1
    > Jul 31 07:50:37 sara /kernel: ipfw: limit 10 reached on entry 550
    > Jul 31 07:51:42 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3860 68.105.58.150:21 in via dc1
    > Jul 31 07:51:51 sara last message repeated 2 times
    > Jul 31 07:53:15 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3875 68.105.58.150:21 in via dc1
    > Jul 31 07:53:24 sara last message repeated 2 times
    > Jul 31 07:53:32 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3878 68.105.58.150:21 in via dc1
    > Jul 31 07:53:41 sara last message repeated 2 times
    > Jul 31 07:53:44 sara /kernel: ipfw: 500 Deny TCP 81.56.103.50:3881 68.105.58.150:21 in via dc1
    > Jul 31 07:53:44 sara /kernel: ipfw: limit 10 reached on entry 500
    > Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.1.18.25:53 192.168.1.102:3232 in via dc1
    > Jul 31 08:13:35 sara /kernel: ipfw: 65000 Deny UDP 68.105.161.20:53 192.168.1.102:3232 in via dc1
    > Jul 31 08:14:33 sara /kernel: ipfw: 65000 Deny UDP 10.2.184.1:67 255.255.255.255:68 in via dc1
    > Jul 31 08:15:28 sara last message repeated 2 times
    > Jul 31 08:15:47 sara last message repeated 5 times
    > Jul 31 08:15:47 sara /kernel: ipfw: limit 10 reached on entry 65000
    > Jul 31 08:31:20 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3534 198.41.0.4:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4952 68.105.161.20:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2260 68.1.18.25:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4087 68.10.16.30:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4914 68.105.161.20:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:1849 68.1.18.25:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:2220 68.10.16.30:53 out via dc1
    > Jul 31 08:31:21 sara /kernel: ipfw: limit 10 reached on entry 550
    >
    > Here's rc.conf again:
    >
    > # -- sysinstall generated deltas --
    > # Sun Jul 4 10:40:48 2004
    > # Created: Sun Jul 4 10:40:48 2004
    > # Enable network daemons for user convenience.
    > # Please make all changes to this file, not to /etc/defaults/rc.conf.
    > # This file now contains just the overrides from /etc/defaults/rc.conf.
    > hostname="sara.mshome.net"
    > ifconfig_dc1="DHCP"
    > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    > firewall_enable="YES"
    > firewall_script="/etc/ipfw.rules"
    > firewall_logging="YES"
    > kern_securelevel_enable="NO"
    > linux_enable="YES"
    > moused_enable="YES"
    > named_enable="YES"
    > nfs_client_enable="YES"
    > nfs_reserved_port_only="YES"
    > nfs_server_enable="YES"
    > sendmail_enable="YES"
    > sshd_enable="YES"
    > usbd_enable="YES"
    > ntpd_enable="YES"
    > inetd_enable="YES"
    > gateway_enable="YES"
    > natd_enable="YES"
    > natd_interface="dc1"
    > natd_flags="-dynamic"
    >
    > Here's dmesg.boot:
    >
    > Copyright (c) 1992-2004 The FreeBSD Project.
    > Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
    > The Regents of the University of California. All rights reserved.
    > FreeBSD 4.10-RELEASE #8: Fri Jul 30 07:19:43 CDT 2004
    > jcoulter@sara.mshome.net:/usr/obj/usr/src/sys/SARA
    > Timecounter "i8254" frequency 1193182 Hz
    > CPU: Intel Celeron (634.78-MHz 686-class CPU)
    > Origin = "GenuineIntel" Id = 0x686 Stepping = 6
    >
    > Features=0x383f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
    > real memory = 134201344 (131056K bytes)
    > avail memory = 127057920 (124080K bytes)
    > Preloaded elf kernel "kernel" at 0xc0381000.
    > Pentium Pro MTRR support enabled
    > md0: Malloc disk
    > Using $PIR table, 8 entries at 0xc00f0e80
    > npx0: <math processor> on motherboard
    > npx0: INT 16 interface
    > pcib0: <Intel 82443BX (440 BX) host to PCI bridge> on motherboard
    > pci0: <PCI bus> on pcib0
    > agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xe4000000-0xe7ffffff at device 0.0 on pci0
    > pcib1: <Intel 82443BX (440 BX) PCI-PCI (AGP) bridge> at device 1.0 on pci0
    > pci1: <PCI bus> on pcib1
    > pci1: <ATI Mach64-GB graphics accelerator> at 0.0 irq 11
    > isab0: <Intel 82371AB PCI to ISA bridge> at device 4.0 on pci0
    > isa0: <ISA bus> on isab0
    > atapci0: <Intel PIIX4 ATA33 controller> port 0xb800-0xb80f at device 4.1 on pci0
    > ata0: at 0x1f0 irq 14 on atapci0
    > ata1: at 0x170 irq 15 on atapci0
    > uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xb400-0xb41f irq 9 at device 4.2 on pci0
    > usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
    > usb0: USB revision 1.0
    > uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
    > uhub0: 2 ports with 2 removable, self powered
    > chip0: <Intel 82371AB Power management controller> port 0xe800-0xe80f at device 4.3 on pci0
    > dc0: <ADMtek AN985 10/100BaseTX> port 0xb000-0xb0ff mem 0xe1000000-0xe10003ff irq 12 at device 10.0 on pci0
    > dc0: Ethernet address: 00:04:5a:76:55:f0
    > miibus0: <MII bus> on dc0
    > ukphy0: <Generic IEEE 802.3u media interface> on miibus0
    > ukphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    > dc1: <LC82C115 PNIC II 10/100BaseTX> port 0xa800-0xa8ff mem 0xe0800000-0xe08000ff irq 10 at device 11.0 on pci0
    > dc1: Ethernet address: 00:a0:cc:33:e1:f6
    > miibus1: <MII bus> on dc1
    > dcphy0: <Intel 21143 NWAY media interface> on miibus1
    > dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
    > isa0: too many dependant configs (8)
    > isa0: unexpected small tag 14
    > orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
    > pmtimer0 on isa0
    > fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
    > fdc0: FIFO enabled, 8 bytes threshold
    > fd0: <1440-KB 3.5" drive> on fdc0 drive 0
    > atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
    > atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
    > kbd0 at atkbd0
    > vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
    > sc0: <System console> at flags 0x100 on isa0
    > sc0: VGA <16 virtual consoles, flags=0x300>
    > sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
    > sio0: type 16550A
    > sio1 at port 0x2f8-0x2ff irq 3 on isa0
    > sio1: type 16550A
    > ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
    > ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
    > ppc0: FIFO with 16/16/9 bytes threshold
    > plip0: <PLIP network interface> on ppbus0
    > lpt0: <Printer> on ppbus0
    > lpt0: Interrupt-driven port
    > ppi0: <Parallel I/O> on ppbus0
    > IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to deny, logging limited to 10 packets/entry by default
    > ad0: DMA limited to UDMA33, non-ATA66 cable or device
    > ad0: 19623MB <IBM-DTLA-305020> [39870/16/63] at ata0-master UDMA33
    > acd0: CDROM <SONY CD-ROM CDU4821> at ata0-slave PIO4
    > Mounting root from ufs:/dev/ad0s1a
    >
    > Thanks,
    >
    > Jim C.
    >
    >
    >
    > > -----Original Message-----
    > > From: JJB [mailto:Barbish3@adelphia.net]
    > > Sent: Saturday, July 31, 2004 10:28 AM
    > > To: James A. Coulter; freebsd-questions@freebsd.org
    > > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
    > >
    > >
    > > You better re-read what you posted in early post. You posted that dc1
    > > is your outside NIC, which is connected to your cable modem which is
    > > connected to your ISP. Your outside NIC needs DHCP to get ip and dns
    > > info from your ISP. NOW YOU SAY dc1 IS INSIDE INTERFACE NAME. Make up
    > > your mind which is correct.
    > >
    > > Verify you have correct interface name coded in ipfw rules for NIC
    > > connected to cable modem and that the same NIC interface name is the
    > > one in rc.conf with DHCP option. When DHCP gets DNS info from ISP
    > > /etc/resolv.conf will be auto updated with correct info. Read comments in
    > > sample firewall source and follow what comments say. You are making
    > > this harder than it really is.
    > >
    > > Also there is no setup option on UDP packets just keepstate
    > >
    > > Post full contents of your current dmesg.boot, rc.conf, ipfw rule
    > > set, and ipfw log files so people can see just what you have
    > > configured. And answer question of how you are assigning ip address
    > > to LAN PCs? Also post output of ifconfig -a command after boot
    > > completes.
    > >
    > >
    > > -----Original Message-----
    > > From: owner-freebsd-questions@freebsd.org
    > > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of James A.
    > > Coulter
    > > Sent: Saturday, July 31, 2004 9:55 AM
    > > To: freebsd-questions@freebsd.org
    > > Cc: Barbish3@adelphia.net
    > > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
    > >
    > > Thanks for the response. . .
    > >
    > > I changed rule 00005 from x10 to dc0 - thanks
    > >
    > > Not sure why I would want my inside nic requesting DHCP service from
    > > my ISP. It has been working fine in the configuration I have it so
    > > I've left it the way it is.
    > >
    > > I checked the security log, and found this:
    > >
    > > Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:2609 68.105.161.20:53 out via dc1
    > > Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:4067 68.1.18.25:53 out via dc1
    > > Jul 30 08:58:37 sara /kernel: ipfw: 450 Deny UDP 68.105.58.150:3773 68.10.16.30:53 out via dc1
    > >
    > > These are the three name servers specified in the rule set
    > >
    > > I checked the rule set and found this:
    > >
    > > # Allow out access to my ISP's Domain name server.
    > > # x.x.x.x must be the IP address of your ISP's DNS
    > > # Dup these lines if your ISP has more than one DNS server
    > > # Get the IP addresses from /etc/resolv.conf file
    > > $cmd 020 $skip tcp from any to 68.105.161.20 53 out via $pif setup keep-state
    > > $cmd 021 $skip tcp from any to 68.1.18.25 53 out via $pif setup keep-state
    > > $cmd 022 $skip tcp from any to 68.10.16.30 53 out via $pif setup keep-state
    > >
    > > Because security said the firewall was denying UDP packets, I changed
    > > the rules to this:
    > >
    > > $cmd 020 $skip udp from any to 68.105.161.20 53 out via $pif setup keep-state
    > > $cmd 021 $skip udp from any to 68.1.18.25 53 out via $pif setup keep-state
    > > $cmd 022 $skip udp from any to 68.10.16.30 53 out via $pif setup keep-state
    > >
    > > But that hasn't helped. I'm still getting:
    > >
    > > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:3178 68.105.161.20:53 out via dc1
    > > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4476 68.1.18.25:53 out via dc1
    > > Jul 31 08:31:21 sara /kernel: ipfw: 550 Deny UDP 68.105.58.150:4747 68.10.16.30:53 out via dc1
    > >
    > > FWIW, these rules are skipping to:
    > >
    > > # This is skipto location for outbound stateful rules
    > > $cmd 800 divert natd ip from any to any out via $pif
    > > $cmd 801 allow ip from any to any
    > >
    > > I apologize for being such a bother and I do appreciate any help or
    > > suggestions.
    > >
    > > TIA
    > >
    > > Jim C.
    > >
    > >
    > >
    > > > -----Original Message-----
    > > > From: owner-freebsd-questions@freebsd.org
    > > > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of JJB
    > > > Sent: Friday, July 30, 2004 1:20 PM
    > > > To: James A. Coulter; freebsd-questions@freebsd.org
    > > > Subject: RE: Firewall Rule Set not allowing access to DNS servers?
    > > >
    > > >
    > > > Change this ipfw rule from
    > > >
    > > > 00005 allow ip from any to any via xl0
    > > >
    > > > To
    > > > 00005 allow ip from any to any via dc0
    > > >
    > > > because dc0 is the lan interface name and not xl0.
    > > >
    > > >
    > > > Change these statements in rc.conf because you have interface name
    > > > backwards. Dc1 is the NIC connected to your cable modem and you want
    > > > to get DHCP info from your ISP. Dc0 is the NIC connected to your LAN.
    > > >
    > > > From
    > > > ifconfig_dc1="DHCP"
    > > > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    > > >
    > > > to
    > > > ifconfig_dc0="DHCP"
    > > > ifconfig_dc1="inet 192.168.1.1 netmask 255.255.255.0"
    > > >
    > > >
    > > > You do not say how your LAN PCs get their ip address.
    > > > You can hard code them on each LAN PC
    > > > or you have to run isc-dhcp-server on your Gateway box to auto assign
    > > > ip address to LAN PCs.
    > > >
    > > > -----Original Message-----
    > > > From: owner-freebsd-questions@freebsd.org
    > > > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of James A. Coulter
    > > > Sent: Friday, July 30, 2004 10:56 AM
    > > > To: freebsd-questions@freebsd.org
    > > > Subject: Firewall Rule Set not allowing access to DNS servers?
    > > >
    > > > I am using FreeBSD 4.10 as a gateway/router for a small home LAN. My
    > > > outside interface (dc1) is connected to a cable modem and is
    > > > configured for DHCP.
    > > >
    > > > I have compiled and installed a custom kernel with IPFIREWALL and
    > > > IPDIVERT options and with a rule set allowing any to any with no
    > > > problems.
    > > >
    > > > I am in the process of adding a proper rule set to provide security. I
    > > > was referred to http://freebsd.a1poweruser.com:6088/FBSD_firewall/ and
    > > > installed the Stateful + NATD Rule Set modified for my outside
    > > > interface, domain name servers, and DHCP server.
    > > >
    > > > I can ping IP addresses and pass SMTP mail back and forth from the
    > > > gateway/router and all machines on the LAN, but I cannot ping URLs - I
    > > > am getting "ping: cannot resolve www.freebsd.org: Host name lookup
    > > > failure" errors.
    > > >
    > > >
    > > > This is what ipfw -a list looks like:
    > > >
    > > > sara# ipfw -a list
    > > > 00005 0 0 allow ip from any to any via xl0
    > > > 00010 52 3640 allow ip from any to any via lo0
    > > > 00014 0 0 divert 8668 ip from any to any in recv dc1
    > > > 00015 0 0 check-state
    > > > 00020 0 0 skipto 800 tcp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
    > > > 00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
    > > > 00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
    > > > 00030 0 0 skipto 800 udp from any to 172.19.17.22 67 keep-state out xmit dc1
    > > > 00040 0 0 skipto 800 tcp from any to any 80 keep-state out xmit dc1 setup
    > > > 00050 0 0 skipto 800 tcp from any to any 443 keep-state out xmit dc1 setup
    > > > 00060 0 0 skipto 800 tcp from any to any 25 keep-state out xmit dc1 setup
    > > > 00061 0 0 skipto 800 tcp from any to any 110 keep-state out xmit dc1 setup
    > > > 00070 0 0 skipto 800 tcp from me to any uid root keep-state out xmit dc1 setup
    > > > 00080 0 0 skipto 800 icmp from any to any keep-state out xmit dc1
    > > > 00090 0 0 skipto 800 tcp from any to any 37 keep-state out xmit dc1 setup
    > > > 00100 0 0 skipto 800 tcp from any to any 119 keep-state out xmit dc1 setup
    > > > 00110 0 0 skipto 800 tcp from any to any 22 keep-state out xmit dc1 setup
    > > > 00120 0 0 skipto 800 tcp from any to any 43 keep-state out xmit dc1 setup
    > > > 00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
    > > > 00300 0 0 deny ip from 192.168.0.0/16 to any in recv dc1
    > > > 00301 0 0 deny ip from 172.16.0.0/12 to any in recv dc1
    > > > 00302 0 0 deny ip from 10.0.0.0/8 to any in recv dc1
    > > > 00303 0 0 deny ip from 127.0.0.0/8 to any in recv dc1
    > > > 00304 0 0 deny ip from 0.0.0.0/8 to any in recv dc1
    > > > 00305 0 0 deny ip from 169.254.0.0/16 to any in recv dc1
    > > > 00306 0 0 deny ip from 192.0.2.0/24 to any in recv dc1
    > > > 00307 0 0 deny ip from 204.152.64.0/23 to any in recv dc1
    > > > 00308 0 0 deny ip from 224.0.0.0/3 to any in recv dc1
    > > > 00315 0 0 deny tcp from any to any 113 in recv dc1
    > > > 00320 0 0 deny tcp from any to any 137 in recv dc1
    > > > 00321 0 0 deny tcp from any to any 138 in recv dc1
    > > > 00322 0 0 deny tcp from any to any 139 in recv dc1
    > > > 00323 0 0 deny tcp from any to any 81 in recv dc1
    > > > 00330 0 0 deny ip from any to any in recv dc1 frag
    > > > 00332 0 0 deny tcp from any to any in recv dc1 established
    > > > 00360 0 0 allow udp from 172.19.17.22 to any 68 keep-state in recv dc1
    > > > 00370 0 0 allow tcp from any to me 80 limit src-addr 2 in recv dc1 setup
    > > > 00370 0 0 allow tcp from any to me 8888 limit src-addr 2 in recv dc1 setup
    > > > 00380 0 0 allow tcp from any to me 22 limit src-addr 2 in recv dc1 setup
    > > > 00400 0 0 deny log logamount 10 ip from any to any in recv dc1
    > > > 00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
    > > > 00800 0 0 divert 8668 ip from any to any out xmit dc1
    > > > 00801 645 59255 allow ip from any to any
    > > > 00999 0 0 deny log logamount 10 ip from any to any
    > > > 65535 1 347 deny ip from any to any
    > > > This is what my /etc/rc.conf looks like:
    > > >
    > > > hostname="sara.mshome.net"
    > > > ifconfig_dc1="DHCP"
    > > > ifconfig_dc0="inet 192.168.1.1 netmask 255.255.255.0"
    > > > firewall_enable="YES"
    > > > firewall_script="/etc/ipfw.rules"
    > > > firewall_logging="YES"
    > > > kern_securelevel_enable="NO"
    > > > linux_enable="YES"
    > > > moused_enable="YES"
    > > > named_enable="YES"
    > > > nfs_client_enable="YES"
    > > > nfs_reserved_port_only="YES"
    > > > nfs_server_enable="YES"
    > > > sendmail_enable="YES"
    > > > sshd_enable="YES"
    > > > usbd_enable="YES"
    > > > ntpd_enable="YES"
    > > > inetd_enable="YES"
    > > > gateway_enable="YES"
    > > > natd_enable="YES"
    > > > natd_interface="dc1"
    > > > natd_flags="-dynamic"
    > > >
    > > > Finally, this is what /etc/resolv.conf looks like:
    > > >
    > > > sara# more /etc/resolv.conf
    > > > search pn.at.cox.net
    > > > nameserver 68.105.161.20
    > > > nameserver 68.1.18.25
    > > > nameserver 68.10.16.30
    > > >
    > > > Any ideas?
    > > >
    > > > Thanks,
    > > >
    > > > Jim C.
    > > >
    > > > _______________________________________________
    > > > freebsd-questions@freebsd.org mailing list
    > > > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    > > > To unsubscribe, send any mail to
    > > > "freebsd-questions-unsubscribe@freebsd.org"

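As an added example (not code from the thread), a small Python lint over `ipfw list` output and /etc/resolv.conf that checks the point this thread turns on: ipfw honours `setup` only on tcp rules, so a udp rule carrying it never matches, and each nameserver needs a usable outbound udp and tcp rule to port 53; it also reports outbound deny rules with non-zero packet counters, like 00450 in the listing above. The sample listing and resolv.conf are constructed from the quoted ones, with rule 00020 deliberately given the udp-with-setup defect.

```python
# Constructed sample in `ipfw list` counter format, modelled on the quoted listing;
# rule 00020 is a deliberately wrong udp rule that carries `setup`.
SAMPLE_RULES = """\
00020 0 0 skipto 800 udp from any to 68.105.161.20 53 keep-state out xmit dc1 setup
00021 0 0 skipto 800 tcp from any to 68.1.18.25 53 keep-state out xmit dc1 setup
00022 0 0 skipto 800 tcp from any to 68.10.16.30 53 keep-state out xmit dc1 setup
00130 0 0 skipto 800 udp from any to any 123 keep-state out xmit dc1
00450 81 5288 deny log logamount 10 ip from any to any out xmit dc1
"""
# Constructed /etc/resolv.conf with the same three nameservers as the quoted one.
SAMPLE_RESOLV = """\
search pn.at.cox.net
nameserver 68.105.161.20
nameserver 68.1.18.25
nameserver 68.10.16.30
"""

def parse_rule(line):
    """Parse one `ipfw list` line (with counters) into a dict, or None if unparseable."""
    head, sep, tail = line.partition(" from ")
    htoks, ttoks = head.split(), tail.split()
    if not sep or len(htoks) < 5 or len(ttoks) < 3 or ttoks[1] != "to":
        return None
    # An optional numeric destination port follows the destination address.
    dport = ttoks[3] if len(ttoks) > 3 and ttoks[3].isdigit() else None
    opts = ttoks[4:] if dport else ttoks[3:]
    return {"num": htoks[0], "pkts": int(htoks[1]), "action": " ".join(htoks[3:-1]),
            "proto": htoks[-1], "dst": ttoks[2], "dport": dport, "opts": set(opts)}

def lint_rules(rules_text, resolv_text):
    """Return a list of findings: setup on non-tcp, hit outbound denies, DNS gaps."""
    rules = [r for r in map(parse_rule, rules_text.splitlines()) if r]
    findings = []
    for r in rules:
        if "setup" in r["opts"] and r["proto"] != "tcp":
            findings.append(f"rule {r['num']}: 'setup' matches only tcp SYNs, so this "
                            f"{r['proto']} rule can never match")
        if r["action"].startswith("deny") and "out" in r["opts"] and r["pkts"] > 0:
            findings.append(f"rule {r['num']}: {r['pkts']} outbound packets denied; "
                            "check the log for what fell through the allow rules")
    servers = [l.split()[1] for l in resolv_text.splitlines() if l.startswith("nameserver")]
    for ip in servers:
        # A udp rule that carries `setup` is not usable because it never matches.
        usable = {r["proto"] for r in rules
                  if r["dst"] == ip and r["dport"] == "53" and "out" in r["opts"]
                  and (r["proto"] == "tcp" or "setup" not in r["opts"])}
        for proto in ("udp", "tcp"):
            if proto not in usable:
                findings.append(f"nameserver {ip}: no usable outbound {proto} rule to port 53")
    return findings
```

Run it against `ipfw -a list` output and your own resolv.conf; on the sample it reports the bad 00020 rule, the missing udp rules for all three servers, the missing tcp rule for 68.105.161.20, and the 81 packets that hit the outbound deny.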

