Adrenalin\’s Blog

Mai 18, 2007

(answer) Why my ipfw udp allow rule doesn’t work ? (freebsd ipfw natd dns udp 53 dosen’t work)

Filed under: Unix — Adrenalin @ 14:34

Your udp packets always lost on some rule and you don’t know where ?

You think what the rule below will allow to pass all packets including UDP packets ?

ipfw add allow ip from any to any out setup keep-state

Or maybe this rule (wich I found in one of the freebsd handbook page) will allow your dns client to contact the dns server ?

$cmd 020 $skip tcp from any to any 53 out via $pif setup keep-state

Nope, simple clients dns querys goes through udp, so you need to allow udp packets too.

$cmd 020 $skip udp from any to any 53 out via $pif setup keep-state

But again, this will not work, because of the setup flag which will allow to pass ONLY TCP packets, read bellow full explanation from ipfw man about the flag.

setup Matches TCP packets that have the SYN bit set but no ACK bit.
This is the short form of „tcpflags syn,!ack”.

Do not repeat my mistake, remember 4ever, with setup flag no single udp packet will ever pass, today I lost almost 5 hours because of this %)

Another nice trick to save your ass from going every day to the datacenter (poor datacenter guys ;o) after your firewall rule have locked your ssh 22 port.
When you start experiments, add a new crontab entry what will execute a bash script each hour, the bash script will load every hour the stable firewall rules:
0 * * * * /home/you/reload_rcfirewall.sh

Your /home/you/reload_rcfirewall.sh will contain smth. like
#!/usr/local/bin/bash
nohup sh /etc/rc.firewall &

And do not forget to put the +x flag to your script. During your tests, /etc/rc.firewall must remain intact, of course ;p

Anunțuri

5 comentarii »

  1. figase, multe litere ;D

    Comentariu de polonyk — Mai 18, 2007 @ 14:41

  2. la capu meu asta nu ajunge:D

    Comentariu de kerdic — Mai 18, 2007 @ 21:26

  3. 2 tu prosta esti pufos ;D

    Comentariu de polonyk — Mai 18, 2007 @ 22:41

  4. Asta-i iluzie, articolele deobcei is cu mult mai lungi %)
    Asta eu am scris pentru un eventual „eu” care deodata a inceput sa creada ca e vre-un bug pe undeva, si a dat un request in google dar acolo numai spam si nimic util.. %) Poate ii apare blogul meu si ii salveaza timpul.

    Comentariu de Adrenalin — Mai 18, 2007 @ 23:29

  5. does anyone knows if there is any other information about this subject in other languages?

    Comentariu de Yaz Okulu — Martie 28, 2008 @ 7:24


RSS feed for comments on this post. TrackBack URI

Lasă un răspuns

Completează mai jos detaliile tale sau dă clic pe un icon pentru a te autentifica:

Logo WordPress.com

Comentezi folosind contul tău WordPress.com. Dezautentificare / Schimbă )

Poză Twitter

Comentezi folosind contul tău Twitter. Dezautentificare / Schimbă )

Fotografie Facebook

Comentezi folosind contul tău Facebook. Dezautentificare / Schimbă )

Fotografie Google+

Comentezi folosind contul tău Google+. Dezautentificare / Schimbă )

Conectare la %s

Creează un sit web gratuit sau un blog la WordPress.com.

%d blogeri au apreciat asta: