Re: 5.2 + ipfw2 + keep-state rules Bug
fbsd_user wrote:
> Using a fresh install of FBSD 5.2 RC2 I am trying to get stateful rules to
> function. For some reason ipfw2 seems to be issuing an ICMP:3.3 packet to my
> ISP's dns.
> [ ... ]
> # Internal gateway housekeeping
> $cmd 00100 allow all from any to any via lo0   # allow all localhost
> $cmd 00105 allow all from any to any via xl0   # allow all local Lan
> $cmd 00110 check-state log logamount 500
> $cmd 00150 divert natd all from any to any
> $cmd 00170 count log logamount 500 all from any to any
> $cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
> $cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state
> $cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
> $cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state
> $cmd 00500 deny log logamount 500 all from any to any

Something like the following would be better in terms of DNS and not blocking
essential types of ICMP traffic:

    allow tcp from any to any 53 out via rl0 setup keep-state
    allow udp from any to any 53
    allow icmp from any to any icmptypes 0,3,4,8,11,12

This allows bidirectional UDP-based DNS queries, but only outbound long
(TCP-based) DNS queries like zone-transfers.

YMMV, and it may not solve your problem-- it looked like your queries were
coming from an internal host (10.0.10.5) using NAT? Are you sure that natd is
okay? Maybe put the divert statement before the check-state rule?

-- 
-Chuck

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
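The rule-ordering problem behind the ICMP:3.3 in the log, as an added illustration that is not from either poster: a toy Python model of ipfw's rule walk with natd and keep-state. It assumes simplified semantics (dynamic state is keyed on the addresses a packet carries when the keep-state rule fires, and a divert rewrites the packet in place), reuses the addresses from the post's log, and the FIXED ruleset is an assumed handbook-style layout (inbound divert before check-state, outbound keep-state via skipto to a later divert), not a ruleset anyone in the thread wrote.

```python
PUBLIC, INTERNAL, DNS = "67.20.101.103", "10.0.10.5", "208.206.15.11"  # from the post's log
def key(p):  # direction-independent 4-tuple, as dynamic rules are matched
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})
def natd(p, table):  # divert natd: masquerade outbound, un-masquerade inbound
    if p["dir"] == "out" and p["src"] == INTERNAL:
        table[(p["dst"], p["dport"], p["sport"])] = INTERNAL
        return dict(p, src=PUBLIC)
    inner = table.get((p["src"], p["sport"], p["dport"])) if p["dir"] == "in" else None
    return dict(p, dst=inner) if inner and p["dst"] == PUBLIC else p

def run(rules, packets):
    """rules: ordered (number, action, options); options may set 'dir', 'dport',
    'keep_state' and 'to' (skipto target). Returns (verdict, final packet) per packet."""
    dyn, table, results = set(), {}, []
    for p in packets:
        verdict, i = "deny", 0
        while i < len(rules):
            _, action, opt = rules[i]
            i += 1
            if opt.get("dir", p["dir"]) != p["dir"] or opt.get("dport", p["dport"]) != p["dport"]:
                continue                    # rule does not apply to this packet
            if action == "check-state" and key(p) in dyn:
                verdict = "allow-dynamic"   # accepted here; later rules never run
                break
            if action == "divert":
                p = natd(p, table)
            elif action in ("allow", "skipto"):
                if opt.get("keep_state"):
                    dyn.add(key(p))         # state keyed on the addresses seen NOW
                if action == "allow":
                    verdict = "allow"
                    break
                i = next(j for j, r in enumerate(rules) if r[0] >= opt["to"])
            elif action == "deny":
                break
        results.append((verdict, p))
    return results

def reply_dst(rules):
    """Destination of the DNS reply after the rules: INTERNAL means natd rewrote it, PUBLIC means
    it was accepted untranslated, so the gateway gets a datagram for its own unused port 1181."""
    query = {"src": INTERNAL, "sport": 1181, "dst": DNS, "dport": 53, "dir": "out"}
    reply = {"src": DNS, "sport": 53, "dst": PUBLIC, "dport": 1181, "dir": "in"}
    return run(rules, [query, reply])[1][1]["dst"]

POSTED = [(110, "check-state", {}), (150, "divert", {}),            # order from the post
          (311, "allow", {"dport": 53, "dir": "out", "keep_state": True}), (500, "deny", {})]
FIXED = [(100, "divert", {"dir": "in"}), (110, "check-state", {}),   # state kept on the inside
         (311, "skipto", {"dport": 53, "dir": "out", "keep_state": True, "to": 800}),
         (500, "deny", {}), (800, "divert", {"dir": "out"}), (801, "allow", {})]
```

With the posted order the reply matches the dynamic rule at 110 before natd at 150 ever sees it, which is why the inbound log lines show 67.20.101.103:1181 instead of 10.0.10.5:1181 and the gateway kernel answers the DNS server with a port-unreachable (ICMP type 3, code 3).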
5.2 + ipfw2 + keep-state rules Bug
Using a fresh install of FBSD 5.2 RC2 I am trying to get stateful rules to
function. For some reason ipfw2 seems to be issuing an ICMP:3.3 packet to my
ISP's dns.

Here is my rules file:

    # Flush out the list before we begin.
    /sbin/ipfw -q -f flush

    # Set rules command prefix
    cmd="ipfw -q add"

    # Internal gateway housekeeping
    $cmd 00100 allow all from any to any via lo0   # allow all localhost
    $cmd 00105 allow all from any to any via xl0   # allow all local Lan
    $cmd 00110 check-state log logamount 500
    $cmd 00150 divert natd all from any to any
    $cmd 00170 count log logamount 500 all from any to any
    $cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
    $cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state
    $cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
    $cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state
    $cmd 00500 deny log logamount 500 all from any to any

Here is the ipfw2 log:

    Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0
    Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
    Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
    Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
    Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
    Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
    Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
    Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
    Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.11:53 out via rl0
    Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
    Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.11:53 out via rl0
    Ipfw: 110 UNKNOWN UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
    Ipfw: 311 Accept UDP 208.206.15.11:53 67.20.101.103:1181 in via rl0
    Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
    Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.11 out via rl0
    Ipfw: 110 UNKNOWN UDP 10.0.10.5:1181 208.206.15.12:53 out via rl0
    Ipfw: 170 Count UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0
    Ipfw: 311 Accept UDP 67.20.101.103:1181 208.206.15.12:53 out via rl0
    Ipfw: 110 UNKNOWN UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0
    Ipfw: 311 Accept UDP 208.206.15.12:53 67.20.101.103:1181 in via rl0
    Ipfw: 110 UNKNOWN ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0
    Ipfw: 170 Count ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0
    Ipfw: 350 Accept ICMP:3.3 67.20.101.103 208.206.15.12 out via rl0

When I change the rules to use pass all just to test if there is something
wrong with my ISP's dns server, everything works. So there is no reason for
the icmp 3.3 packet.

    # Flush out the list before we begin.
    /sbin/ipfw -q -f flush

    # Set rules command prefix
    cmd="ipfw -q add"

    # Internal gateway housekeeping
    $cmd 00100 allow all from any to any via lo0   # allow all localhost
    $cmd 00105 allow all from any to any via xl0   # allow all local Lan
    $cmd 00150 divert natd all from any to any
    $cmd 00160 allow log logamount 500 all from any to any

Log from above rules file:

    Ipfw: 160 Accept UDP 67.20.101.103:1175 208.206.15.11:53 out via rl0
    Ipfw: 160 Accept UDP 208.206.15.11:53 10.0.10.5:1175 in via rl0
    Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
    Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0
    Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
    Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
    Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0
    Ipfw: 160 Accept TCP 67.20.101.103:1176 216.136.204.117:80 out via rl0
    Ipfw: 160 Accept TCP 216.136.204.117:80 10.0.10.5:1176 in via rl0

This looks like a 5.2 ipfw2 bug to me. Can anybody explain why ipfw2 is doing
this?