Hi,
   I've made the changes to rule 00618 as you've suggested, but now I get a different error:

# dig .ns @a.root-servers.net

; <<>> DiG 8.3 <<>> .ns @a.root-servers.net
; (1 server found)
;; res_nmkquery: buffer too small
# dig .ns @b.root-servers.net

; <<>> DiG 8.3 <<>> .ns @b.root-servers.net
; (1 server found)
;; res_nmkquery: buffer too small
#

I'll not even pretend to know what that means...

Thanks for the pointer to what I missed out in the rule.

Stacey

On Sun, 2002-10-27 at 18:09, D. Penev wrote:
>
> You forget keep-state. Your rule should be:
> $fwcmd add 00618 allow udp from any to any 53 out via $oif keep-state
>
>
> > ^
> > |
> > PUT THIS IN INSTEAD
> >
> >Now I try to query a root-server, I still get stopped by the firewall:
> ># date
> >Sun Oct 27 18:19:35 GMT 2002
> ># dig . ns @b.root-servers.net
> >
> >; <<>> DiG 8.3 <<>> . ns @b.root-servers.net
> >; (1 server found)
> >;; res options: init recurs defnam dnsrch
> >;; res_nsend to server b.root-servers.net 128.9.0.107: Operation timed
> >out
> >
> >On Sun, 2002-10-27 at 16:06, Ruben de Groot wrote:
> ><snip>
> >> >
> >> > Verifying relevant ipfw rules:
> >> > # Allow out access to Internet Domain name server
> >> > $fwcmd add 00618 allow tcp from any to any 53 out via $oif setup
> >> > keep-state
> >> > $fwcmd add 00619 allow udp from any to any 53 out via $oif setup
> >> > keep-state
> >>
> >> This last rule is bogus. From ipfw(8):
> >>
> >> setup   Matches TCP packets that have the SYN bit set but no ACK bit.
> >>         This is the short form of ``tcpflags syn,!ack''.
> >>
> >> "setup" is not supposed to work for UDP packets. There is no handshake as
> >> in TCP connections.
> >>
> >>
> >> >
> >> > Checking ipfw rule 910:
> >> > $fwcmd add 00910 deny log logamount 500 ip from any to any
> >> >
> >> > Why am I not able to query root servers, given my rules 00618 & 00619?
> >> >
> >> > I'd appreciate someone helping me out here (or hitting me over the
> >> > head if I'm missing something simple and glaringly obvious).
> >> >
> >> > TIA
> >> >
> >> > Stacey
> >> >
> >> >
> >> >
> >> > --
> >> > Stacey Roberts
> >> > B.Sc (HONS) Computer Science
> >> >
> >> > Web: www.vickiandstacey.com
> >> >
> >>
> >> To Unsubscribe: send mail to [EMAIL PROTECTED]
> >> with "unsubscribe freebsd-questions" in the body of the message
> >--
> >Stacey Roberts
> >B.Sc (HONS) Computer Science
> >
> >Web: www.vickiandstacey.com
> >
> >
>
> --
> Regards,
> D. Penev
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
--
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
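
Added example, not part of any message in this thread: a small sh/awk lint for the two rule mistakes the replies point out, "setup" on a non-TCP rule and an outbound UDP allow rule with no keep-state. The function names, the constructed sample rule 00620, and the assumption that each rule sits on one line of the firewall script are mine; the keep-state check is a heuristic, since a separate inbound rule could also admit the replies.

```shell
#!/bin/sh
# Lint rc.firewall-style "$fwcmd add NNNNN ..." lines read from stdin.
# Prints "<rule number> <finding>" for each problem found.
lint_ipfw_rules() {
    awk '
    $1 !~ /^#/ && $2 == "add" {
        proto = ""; setup = 0; keep = 0; out = 0
        for (i = 5; i <= NF; i++) {
            # The protocol is the token right before the first "from"
            # (this skips options such as "log logamount 500").
            if ($i == "from" && proto == "") proto = $(i - 1)
            if ($i == "setup")      setup = 1
            if ($i == "keep-state") keep = 1
            if ($i == "out")        out = 1
        }
        # "setup" is shorthand for tcpflags syn,!ack: meaningless for UDP/IP.
        if (setup && proto != "tcp")
            print $3, "setup-on-" proto
        # Heuristic: outbound UDP allowed, but no state to let replies in.
        if ($4 == "allow" && proto == "udp" && out && !keep)
            print $3, "udp-out-without-keep-state"
    }'
}

# Constructed sample: 00618, 00619 and 00910 follow the rules quoted in the
# thread (joined onto one line each); 00620 is made up for this example.
sample_rules() {
    cat <<'EOF'
# Allow out access to Internet Domain name server
$fwcmd add 00618 allow tcp from any to any 53 out via $oif setup keep-state
$fwcmd add 00619 allow udp from any to any 53 out via $oif setup keep-state
$fwcmd add 00620 allow udp from any to any 53 out via $oif
$fwcmd add 00910 deny log logamount 500 ip from any to any
EOF
}

sample_rules | lint_ipfw_rules
```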