named error sending response: permission denied
Stephane Raimbault
stephane at enertiasoft.com
Tue May 24 20:29:19 GMT 2005
On 24-May-05, at 2:12 PM, Charles Swiger wrote:
> On May 24, 2005, at 2:25 PM, Stephane Raimbault wrote:
>
>>> I hate to ask something silly, but you do have a check-state rule
>>> somewhere, right?
>>>
>>>
>> it's not silly..., what's silly is now I'm asking how would I
>> check :) or what would the rule look like.
>>
>
> You have an "ipfw add check-state" rule somewhere.
>
>
>>> The rules you've added permit traffic in both directions, which
>>> shouldn't be needed unless the stateful matching wasn't working
>>> right. Anyway, you don't need to use stateful rules if you
>>> permit traffic in both ways, but the possible tradeoff is making
>>> the systems more accessible to scanning and some DoS attacks
>>> using forged traffic.
>>>
>>> Not using keep-state with UDP is quite reasonable, but you might
>>> consider adding a "keep-state" with your TCP rules for port 53.
>>> You should also be aware that your nameservers will want to make
>>> outbound connections using TCP themselves sometimes....
>>>
>>
>> you've actually kinda answered the other question I neglected to
>> ask... which is, would I really need the keep-state, since it
>> seemed to work without it being there when I did my testing
>> earlier today. Regarding adding keep-state to my tcp rule...
>> would this not do the same thing... ? am I confused... or is it
>> just insecure of doing it this way:
>>
>> # Allow TCP through if setup succeeded
>> ${fwcmd} add pass tcp from any to any established
>>
>
> Stateful matching of connections can be more secure than passing
> any traffic which is established, but that depends on the other
> rules which are being used. However, the IPFW manpage has a good
> description of this:
>
> The typical use of dynamic rules is to keep a closed firewall
> configuration, but let the first TCP SYN packet from the inside network
> install a dynamic rule for the flow so that packets belonging to that
> session will be allowed through the firewall:
>
> ipfw add check-state
> ipfw add allow tcp from my-subnet to any setup keep-state
> ipfw add deny tcp from any to any
>
That's very interesting and makes sense. I do not have the check-state
in there, and just specify each port that is open. I'm guessing I did
not run into this problem with anything else, as DNS is a very stateful
type of protocol? Would this be handy with an FTP server? Right now I
just tell the FTP server to use specific passive ports, and open up the
firewall to allow connections on there. Would I be able to eliminate
that by simply setting up check-state and also having keep-state at the
end of the TCP allow rules?
Thanks,
Stephane.
> --
> -Chuck
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
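The closed-firewall pattern from the manpage excerpt quoted above, applied to the nameserver and FTP cases discussed in this thread, as an added example that is not from either poster. The addresses (192.0.2.0/24, 192.0.2.53) and the passive port range (50000-50100) are placeholders; FWCMD defaults to a dry run that prints the rules instead of loading them, so the script can be read and checked without ipfw. Two points the example makes concrete: check-state must precede any rule that could match the same flow statelessly, and a "setup keep-state" rule admits only packets that belong to a SYN it has already seen, whereas "established" matches any TCP packet carrying ACK or RST, forged ones included, which is the scanning/DoS tradeoff mentioned earlier in the thread. For passive FTP the dynamic rules do not help with the data channel: ipfw does not parse the FTP control connection, so the server's passive port range still needs its own rule. The "permission denied" in the subject line is what a local process gets back when the firewall drops a packet it is trying to send, which is why the outbound UDP reply rule matters in a closed ruleset.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: closed ipfw ruleset
# for a host running a nameserver and a passive-mode FTP server.
# FWCMD="echo ipfw" is a dry run; set FWCMD=ipfw to load for real.
FWCMD="${FWCMD:-echo ipfw}"
MY_SUBNET="${MY_SUBNET:-192.0.2.0/24}"   # placeholder inside network
NS="${NS:-192.0.2.53}"                   # placeholder nameserver/FTP host
FTP_PASV="${FTP_PASV:-50000-50100}"      # placeholder passive range set in the FTP daemon

build_rules() {
    # check-state first: dynamic rules are only consulted here (or at the
    # first keep-state rule), so it must come before any stateless match.
    $FWCMD add 100 check-state

    # DNS over UDP, stateless in both directions as the thread suggests.
    # The reply rule is the one a closed ruleset tends to forget; without
    # it named's sendto() fails with "permission denied".
    $FWCMD add 200 allow udp from any to $NS 53
    $FWCMD add 210 allow udp from $NS 53 to any

    # DNS over TCP (zone transfers, truncated answers): the inbound SYN
    # installs a dynamic rule, so no "established" rule is needed.
    $FWCMD add 300 allow tcp from any to $NS 53 setup keep-state
    # named also opens outbound TCP itself for transfers and large queries.
    $FWCMD add 310 allow tcp from $NS to any 53 setup keep-state

    # FTP: control channel is stateful like any other TCP service, but the
    # passive data ports still need an explicit rule because ipfw does not
    # learn them from the control connection.
    $FWCMD add 400 allow tcp from any to $NS 21 setup keep-state
    $FWCMD add 410 allow tcp from any to $NS $FTP_PASV setup keep-state

    # Hosts on the inside network may open anything outbound.
    $FWCMD add 500 allow tcp from $MY_SUBNET to any setup keep-state

    # Closed by default: everything not matched above is dropped.
    $FWCMD add 65000 deny ip from any to any
}

# Sanity check a practitioner wants before loading: no keep-state rule may
# appear before check-state. Exit status 0 means the ordering is correct.
rules_ordered() {
    build_rules | awk '/check-state/ { seen = 1 }
                       /keep-state/ && !seen { bad = 1 }
                       END { exit bad }'
}

# Number of "add" rules the ruleset would install.
rule_count() {
    build_rules | grep -c ' add '
}

build_rules
```

Run it as-is to see the rules, or `FWCMD=ipfw sh ruleset.sh` to load them after `ipfw -f flush`; rules_ordered is a cheap guard to run in a deployment script before flushing the old set.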