ipfw keep-state (ASAP answer needed)
Jon-Eirik Pettersen
lists at jonepet.net
Sat Jan 31 05:33:53 PST 2004
Simon Gray wrote:
>>The following is a fragment of my rc.firewall which must allow all
>>traffic in and out of my named.
>>
>>----
>>ipfw add 4100 allow udp from me to any 53 keep-state
>>ipfw add 4200 allow udp from any to me 53
>>ipfw add 4300 allow udp from me 53 to any
>>---
>>It doesn't work. What am I missing?
>>
>>
>
>
>AFAIK dns also requires tcp 53
>
>
>Quick look in google found:
>
># Allow access to our DNS
>${fwcmd} add pass tcp from any to ${ip} 53 setup
>${fwcmd} add pass udp from any to ${ip} 53
>${fwcmd} add pass udp from ${ip} 53 to any
>
>
>HTH
>
>Simon
>
>
>
If you want to debug firewalls, this in your kernel configuration could
help (if you haven't done it yet):
options IPFIREWALL
options IPFIREWALL_VERBOSE
(remember that it will deny by default; check the handbook if you don't
want it to)
and use "deny log" instead of "deny"; then ipfw will deliver deny messages
to "security" in syslogd.
And "tcpdump -i device" too (with some grepping if you have much traffic
in/out).
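A stateful version of the ruleset under discussion, added here as an example; it is neither the original poster's rc.firewall fragment nor Jon-Eirik's or Simon's suggestion. It puts a check-state rule in front of the keep-state rules, admits TCP 53 with "setup keep-state" (the TCP requirement Simon mentions), and ends with the "deny log" rule the reply recommends so that rejected packets show up under the "security" facility. The FWCMD and DNS_IP variables, the default of previewing instead of loading, and the rule numbers 4000-4300 are this example's own assumptions:

```shell
#!/bin/sh
# Added example, not the original poster's ruleset. FWCMD defaults to
# "echo ipfw" so running the script only previews the rules; set
# FWCMD=ipfw to load them. DNS_IP defaults to ipfw's "me" keyword
# (any address configured on a local interface), as in the original post.
fwcmd="${FWCMD:-echo ipfw}"
ip="${DNS_IP:-me}"

# Emit one rule through $fwcmd (ipfw, or echo in preview mode).
rule() {
    $fwcmd add "$@"
}

dns_rules() {
    # Consult the dynamic ruleset first, so replies that belong to a
    # keep-state rule below are accepted here instead of by a blanket
    # "allow udp from any 53" rule.
    rule 4000 check-state
    # Queries named sends out (recursion, forwarding). The UDP reply and the
    # TCP answer return through the dynamic rule created by keep-state.
    rule 4100 allow udp from "$ip" to any 53 keep-state
    rule 4110 allow tcp from "$ip" to any 53 setup keep-state
    # Queries arriving at named. TCP 53 carries truncated answers and zone
    # transfers; "setup" admits only the SYN, the dynamic rule tracks the rest.
    rule 4200 allow udp from any to "$ip" 53 keep-state
    rule 4210 allow tcp from any to "$ip" 53 setup keep-state
    # Everything that reaches this point is rejected and logged, so the
    # reason a query fails appears under the "security" facility in syslogd
    # (in a full rc.firewall this is the last rule, after all other services).
    rule 4300 deny log ip from any to any
}

dns_rules
```

Run it as-is to see the six ipfw commands it would issue; run it with FWCMD=ipfw to load them. On a default FreeBSD syslog.conf the "deny log" lines land in /var/log/security, and their rate is capped by the sysctl net.inet.ip.fw.verbose_limit, so raise that while debugging if the log goes quiet. Instead of grepping a full tcpdump, a capture filter such as "tcpdump -ni em0 port 53" (em0 is an assumed interface name) shows only the name-server traffic.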
More information about the freebsd-ipfw mailing list