5.2 + ipfw2 + keep-state rules Bug

Chuck Swiger cswiger at mac.com
Sun Jan 18 10:23:59 PST 2004


fbsd_user wrote:
> Using a fresh install of FBSD 5.2 RC2 I am trying to
> get stateful rules to function.
> For some reason ipfw2 seems to be issuing an ICMP:3.3
> packet to my ISP's dns.
[ ... ]
> # Internal gateway housekeeping
> $cmd 00100 allow all from any to any via lo0  # allow all localhost
> $cmd 00105 allow all from any to any via xl0  # allow all local Lan
> $cmd 00110 check-state log logamount 500
> $cmd 00150 divert natd all from any to any
> $cmd 00170 count log logamount 500 all from any to any
> $cmd 00310 allow log logamount 500 tcp from any to any 53 out via rl0 setup keep-state
> $cmd 00311 allow log logamount 500 udp from any to any 53 out via rl0 keep-state
> $cmd 00315 allow log logamount 500 tcp from any to any 80 out via rl0 setup keep-state
> $cmd 00350 allow log logamount 500 icmp from any to any out via rl0 keep-state
> $cmd 00500 deny  log logamount 500 all from any to any

Something like the following would be better in terms of DNS and not blocking 
essential types of ICMP traffic:

allow tcp from any to any 53 out via rl0 setup keep-state
allow udp from any to any 53
allow icmp from any to any icmptypes 0,3,4,8,11,12

This allows bidirectional UDP-based DNS queries, but only outbound long 
(TCP-based) DNS queries like zone-transfers.  YMMV, and it may not solve your 
problem-- it looked like your queries were coming from an internal host 
(10.0.10.5) using NAT?  Are you sure that natd is okay?  Maybe put the divert 
statement before the "check-state" rule?

-- 
-Chuck
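As an added example that is not part of the original post and not FreeBSD's own rc.firewall: an ipfw2 script that lays the reply's suggestions out in the poster's "$cmd" style, with the natd divert ahead of check-state, UDP DNS allowed in both directions, TCP DNS outbound-only via setup keep-state, and the essential ICMP types listed explicitly. The interface names rl0 (external, NAT) and xl0 (LAN) are taken from the quoted ruleset; everything else about the network is an assumption. The script prints the ruleset by default and only touches the kernel when run as "sh ipfw-stateful.sh load"; setting IPFW=echo turns the load into a dry run.

```shell
#!/bin/sh
# Added example (not from the original post or from rc.firewall): an ipfw2
# ruleset for FreeBSD 5.x with natd divert ahead of check-state.
# Assumed interfaces: rl0 = external/NAT side, xl0 = internal LAN.

oif="rl0"   # assumed external (natd) interface, as in the quoted ruleset
iif="xl0"   # assumed internal LAN interface

# ICMP types kept open: 0 echo reply, 3 destination unreachable (this is the
# type that carries 3.3 port unreachable), 4 source quench, 8 echo request,
# 11 time exceeded (traceroute), 12 parameter problem.
icmp_ok="0,3,4,8,11,12"

# emit_rules prints the ruleset as "<number> <rule>" lines so it can be read
# or diffed against "ipfw list" before anything is loaded.
emit_rules() {
    cat <<EOF
00100 allow all from any to any via lo0
00105 allow all from any to any via $iif
00150 divert natd all from any to any via $oif
00160 check-state
00310 allow tcp from any to any 53 out via $oif setup keep-state
00311 allow udp from any to any 53
00350 allow icmp from any to any icmptypes $icmp_ok
00500 deny log logamount 500 all from any to any
EOF
}

# rule_number prints the number of the first rule whose text matches the
# given pattern (leading zeros stripped), e.g. rule_number 'divert natd'.
rule_number() {
    emit_rules | awk -v pat="$1" '$0 ~ pat { print $1 + 0; exit }'
}

# divert_before_check_state succeeds when natd sees packets before the
# dynamic-rule lookup, which is the ordering suggested in the reply.
divert_before_check_state() {
    [ "$(rule_number 'divert natd')" -lt "$(rule_number 'check-state')" ]
}

# load_rules flushes the running ruleset and installs this one, rule by rule.
# With IPFW=echo the ipfw commands are printed instead of executed.
load_rules() {
    ipfw_cmd="${IPFW:-ipfw}"
    $ipfw_cmd -q -f flush
    emit_rules | while read -r num rule; do
        $ipfw_cmd -q add "$num" $rule
    done
}

case "${1:-show}" in
    load) load_rules ;;
    *)    emit_rules ;;
esac
```

The UDP rule deliberately has no keep-state and no direction, so replies from the ISP's resolver come back on the same static rule; the TCP rule keeps setup keep-state so only outbound long queries and zone transfers get a dynamic entry.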


More information about the freebsd-ipfw mailing list