named error sending response: permission denied

Charles Swiger cswiger at mac.com
Tue May 24 21:10:18 GMT 2005


On May 24, 2005, at 4:28 PM, Stephane Raimbault wrote:
> That's very interesting and makes sense.  I do not have the
> check-state in there, and just specify each port that is open, I'm
> guessing I did not run into this problem with anything else, as dns
> is a very stateful type of protocol?

DNS is more complicated than simple UDP-only protocols, sure.  If you  
have DNS problems, lots of other stuff won't work so well, either.

> Would this be hand with an FTP server, right now I just tell the  
> ftp server to use specific
                 ^^^^ "hard"?

> passive ports, and open up the firewall to allow connections on
> there.  Would I be able to eliminate that with simply setting up
> check-state and also having keep-state at the end of the tcp allow
> rules ?

Active mode FTP is another hard case to deal with, but most clients  
and servers support passive-mode FTP now, which works better over a  
firewall or NAT situation.

If no check-state rule is specified, IPFW uses a fallback where it  
supposedly looks for keep-state rules or limit rules, instead.  But  
yes, if you are going to use keep-state rules, you should have a  
check-state rule, too.  Only, it's better to put that rule sooner  
rather than later, to reduce the amount of work the firewall has to  
do for established connections.

-- 
-Chuck
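
An added example (not from this thread or from Chuck) of the ruleset shape the reply describes: check-state near the top, keep-state on the inbound service rules and on the outbound rules, so named's replies and the host's own queries match the dynamic rule instead of falling through to the deny. Interface em0 and the passive FTP range 50000-50100 are assumed values; when ipfw is not present the script prints the rules instead of loading them.

```sh
#!/bin/sh
# Stateful ipfw ruleset for a host running named and a passive-mode FTP
# server. Assumed values: outside interface em0, passive range 50000-50100.
fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-em0}"
pasv_range="${pasv_range:-50000-50100}"

# Load the rule when ipfw exists; otherwise print it so the ruleset can be
# reviewed (and tested) on a machine without ipfw.
rule() {
    if [ -x "$fwcmd" ]; then
        "$fwcmd" -q add "$@"
    else
        echo "ipfw add $*"
    fi
}

load_rules() {
    if [ -x "$fwcmd" ]; then "$fwcmd" -q flush; fi
    # check-state first: packets matching an existing dynamic rule are
    # accepted here and never reach the rest of the ruleset.
    rule 100 check-state
    rule 200 allow ip from any to any via lo0
    # Inbound services: keep-state creates a dynamic rule per flow, so
    # named's UDP answers and FTP control replies match rule 100 above.
    rule 300 allow udp from any to me 53 in via "$oif" keep-state
    rule 310 allow tcp from any to me 53 in via "$oif" setup keep-state
    rule 320 allow tcp from any to me 21 in via "$oif" setup keep-state
    # Passive FTP data transfers are new inbound TCP connections from the
    # client; the control connection's dynamic rule does not cover them,
    # so the passive range still needs its own allow rule.
    rule 330 allow tcp from any to me "$pasv_range" in via "$oif" setup keep-state
    # Outbound: named's recursive queries and anything this host starts;
    # the dynamic rule lets the responses back in through rule 100.
    rule 400 allow udp from me to any 53 out via "$oif" keep-state
    rule 410 allow tcp from me to any out via "$oif" setup keep-state
    # Default deny: only reached by packets with no matching state.
    rule 65000 deny log ip from any to any
}

load_rules
```

Without rule 100, a response packet from named has no rule of its own and is rejected at rule 65000, which is the case the thread is about.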



More information about the freebsd-ipfw mailing list