Subject: Re: ipf ruleset causing named shutout
To: Keith Parker <kparker4@midsouth.rr.com>
From: Julian Coleman <jdc@coris.org.uk>
List: netbsd-help
Date: 12/08/2003 17:05:40
> oak.xtechsolutions.net = 192.168.1.1 = primary and only (for the moment) 
> nameserver = rtk0
> ex0 = NIC to the outside world.
> 
> If the complete ipf.conf would help, then I'll send.  I just figured since 
> it was specific to that tiny subset, I'd cut out the fluff.

It might do.  One thing that is very useful when you think your ipf rules
are blocking packets is to turn on logging.  Alternatively, if you are
happy to run without ipf, you can use tcpdump to watch the network and
see which protocols/ports you should pass or block.

> Before setting up named, I was using my ISP's nameservers.  I have a couple 
> of rules (my ipf.conf was borrowed from nice person on the net) that 
> explicitly passed in DNS replies from my ISP's nameservers.
> 
> pass in on ex0 proto udp from 24.165.200.35 port = 53 to any
> pass in on ex0 proto udp from 24.165.200.40 port = 53 to any
> 
> When my /etc/resolv.conf listed 24.165.200.35 and 24.165.200.40 as 
> nameservers, everything was fine.

You can put these in your named.conf as:

options {
  ...
  forward first;
  forwarders {
    24.165.200.35;
    24.165.200.40;
  };
  ...
};

to make your local name server ask these first to resolve names.  If you
don't do this (or they are unavailable), then your name server will try
and look up names itself, thus sending packets (to UDP port 53) to a large
number of hosts and receiving replies back (from UDP port 53).  So, you
should have a rule that allows all the replies to come back:

  pass in on ex0 proto udp from any port = 53 to <your_address>

or you could use the "keep state" feature to track the replies to your
outbound requests:

  pass out on ex0 proto udp from <your_address> to any port = 53 keep state

This is better, as it blocks spoofed packets from UDP port 53 reaching your
machine.

J

-- 
                    My other computer also runs NetBSD
                          http://www.netbsd.org/
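The pieces discussed in this thread (logged default deny, the weak port-53 rule beside the stateful one, and the forwarders block), put together as an added example; this is not configuration from either poster. Interface names follow the thread; the outside address 203.0.113.10 and the inside /24 are assumptions.

```conf
# Added example: one way to combine what the thread discusses.
# Assumed: ex0 = outside NIC with address 203.0.113.10 (placeholder),
# rtk0 = inside NIC on 192.168.1.1 serving the assumed 192.168.1.0/24.

# --- /etc/ipf.conf ---
# Default deny inbound on the outside interface, logged so that ipmon
# shows exactly which packets are dropped while you are debugging.
block in log quick on ex0 all

# Weak form (what the borrowed ruleset relied on): lets in anything that
# merely claims to come from UDP port 53, spoofed or not.  Left disabled.
#   pass in quick on ex0 proto udp from any port = 53 to 203.0.113.10

# Stateful form: the state table is consulted before the rules, so only
# replies matching a query this host actually sent get past the block
# above, and each state entry expires on its own.
pass out quick on ex0 proto udp from 203.0.113.10 to any port = 53 keep state

# Let the inside network query the local name server.
pass in quick on rtk0 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53

# --- named.conf (options block) ---
# Ask the ISP's servers first; fall back to full recursion if they fail.
options {
  forward first;
  forwarders {
    24.165.200.35;
    24.165.200.40;
  };
};
```

Load the rules with `ipf -Fa -f /etc/ipf.conf`, then run `ipmon` to see each packet the logged block rule drops.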