named error sending response: permision denied
Charles Swiger
cswiger at mac.com
Tue May 24 21:10:18 GMT 2005
On May 24, 2005, at 4:28 PM, Stephane Raimbault wrote:
> That's very interesting and makes sense. I do not have the check-state
> in there, and just specify each port that is open, I'm
> guessing I did not run into this problem with anything else, as dns
> is a very stateful type of protocol?
DNS is more complicated than simple UDP-only protocols, sure. If you
have DNS problems, lots of other stuff won't work so well, either.
> Would this be hand with an FTP server, right now I just tell the
> ftp server to use specific
^^^^ "hard"?
> passive ports, and open up the firewall to allow connections on
> there. Would I be able to eliminate that with simply setting up
> check-state and also having keep-state at the end of the tcp allow
> rules ?
Active mode FTP is another hard case to deal with, but most clients
and servers support passive-mode FTP now, which works better over a
firewall or NAT situation.
If no check-state rule is specified, IPFW uses a fallback where it
supposedly looks for keep-state rules or limit rules, instead. But
yes, if you are going to use keep-state rules, you should have a
check-state rule, too. Only, it's better to put that rule sooner
rather than later, to reduce the amount of work the firewall has to
do for established connections.
--
-Chuck
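An added example (not from this thread) of the layout Chuck describes: a small ipfw ruleset with check-state placed ahead of every keep-state rule, so replies to DNS queries and the data connections of passive FTP are matched by dynamic rules rather than static holes. The interface name and the passive port range are assumptions; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example, not the list's own configuration. Interface and the passive
# range ftpd is configured to use are assumed values; adjust to your host.
IPFW="${IPFW:-ipfw}"
EXT_IF="${EXT_IF:-em0}"
PASV_RANGE="${PASV_RANGE:-49152-49200}"

# Emit the ruleset as "ipfw add" commands; the rule number fixes the order.
ruleset() {
  cat <<EOF
$IPFW -f flush
# Dynamic-rule lookup first, so established sessions are accepted cheaply
$IPFW add 100 check-state
$IPFW add 200 allow ip from any to any via lo0
# Outbound: the SYN creates state, later packets hit rule 100
$IPFW add 300 allow tcp from me to any out via $EXT_IF setup keep-state
$IPFW add 310 allow udp from me to any 53 out via $EXT_IF keep-state
# Inbound services, including the assumed passive FTP data range
$IPFW add 400 allow tcp from any to me 21 in via $EXT_IF setup keep-state
$IPFW add 410 allow tcp from any to me $PASV_RANGE in via $EXT_IF setup keep-state
$IPFW add 420 allow udp from any to me 53 in via $EXT_IF keep-state
$IPFW add 65000 deny log ip from any to any
EOF
}

# Sanity check: check-state must be numbered below the first stateful rule.
check_state_first() {
  cs=$(ruleset | awk '/check-state/ {print $3; exit}')
  first_ks=$(ruleset | awk '/keep-state/ {print $3; exit}')
  [ -n "$cs" ] && [ -n "$first_ks" ] && [ "$cs" -lt "$first_ks" ]
}

# Usage: ./ipfw-stateful.sh        -> print the rules (dry run)
#        ./ipfw-stateful.sh apply  -> load them (root on FreeBSD)
if [ "$1" = "apply" ]; then
  check_state_first || { echo "check-state must precede keep-state" >&2; exit 1; }
  ruleset | sh
else
  ruleset
fi
```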