named error sending response: permission denied
Charles Swiger
cswiger at mac.com
Tue May 24 18:09:40 GMT 2005
On May 24, 2005, at 1:05 PM, Stephane Raimbault wrote:
> Thank you for your suggestions... I think it helped me solve the
> problem. It seems I needed to add more rules... although they seem
> redundant to me, but they have clearly made an improvement and I'm
> no longer getting those dns related errors in ipfw.log and in
> /var/log/messages.
I hate to ask something silly, but you do have a check-state rule
somewhere, right?

The rules you've added permit traffic in both directions, which
shouldn't be needed unless the stateful matching wasn't working
right. Anyway, you don't need to use stateful rules if you permit
traffic in both ways, but the possible tradeoff is making the systems
more accessible to scanning and some DoS attacks using forged traffic.

Not using keep-state with UDP is quite reasonable, but you might
consider adding a "keep-state" with your TCP rules for port 53. You
should also be aware that your nameservers will want to make outbound
connections using TCP themselves sometimes....
--
-Chuck
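The rule set below is an added example, not code from this thread or from FreeBSD; it puts Chuck's advice into a minimal ipfw script for a host running a nameserver: an explicit check-state rule first, stateless rules for UDP port 53 in each direction, and keep-state on the TCP port 53 rules in both directions so the replies are matched dynamically instead of by a blanket permit. The interface name, the nameserver address and the rule numbers are assumptions; setting IPFW=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal ipfw rule set for a
# nameserver host following the reply above. Interface name, address and rule
# numbers are assumptions; adjust them for the host in question.
# Set IPFW=echo to print the rules instead of loading them.

IPFW="${IPFW:-/sbin/ipfw}"

build_dns_rules() {
    if="$1"   # external interface, e.g. em0 (assumed)
    ns="$2"   # the nameserver's address on that interface (assumed)

    # Stateful matching only helps if check-state runs before the
    # per-protocol rules; this is the rule the reply asks about.
    $IPFW add 100 check-state

    # UDP queries and replies: stateless, one rule per direction,
    # which the reply says is reasonable for UDP.
    $IPFW add 200 allow udp from any to "$ns" 53 in via "$if"
    $IPFW add 210 allow udp from "$ns" 53 to any out via "$if"

    # TCP queries (large answers, zone transfers): only the SYN needs a rule.
    # keep-state lets check-state pass the rest of the connection, so no
    # matching "allow ... out" rule for the replies is needed.
    $IPFW add 300 allow tcp from any to "$ns" 53 in via "$if" setup keep-state

    # The nameserver also opens outbound TCP to port 53 itself (the last point
    # in the reply); cover that the same way rather than with a blanket permit.
    $IPFW add 310 allow tcp from "$ns" to any 53 out via "$if" setup keep-state

    # Everything else reaching this point is dropped and logged. This is what
    # makes keep-state matter: without it the TCP replies would land here.
    $IPFW add 65000 deny log ip from any to any
}

# Run directly with an interface and address: load (or, with IPFW=echo,
# print) the rules. Sourced or run without arguments, nothing is changed.
if [ $# -ge 2 ]; then
    build_dns_rules "$1" "$2"
fi
```

In ipfw a keep-state rule also checks the dynamic table itself, so a ruleset without an explicit check-state still matches reply packets at its first keep-state rule; putting check-state at the top simply guarantees that happens before any deny rule can fire, which is why the reply asks about it first.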