[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 2.9: ipf prevents reverse DNS
Quoting Shaun Fryer (firstname.lastname@example.org):
> > pass in from any to any port = 53
> > ..to allow the DNS queries through
> Thanks. It didn't work though. However I did add a rule
> allowing in udp on any port and it worked fine.
Wow, so much for security.
I'm sure you're intimate with the protocols and TCP/IP (you
wouldn't be setting up a firewall otherwise); allow port 53
both udp and TCP. Or run named on the firewall :)
> pass out all
> pass out proto tcp from any to any keep state
> block in all
> pass in proto tcp from any to any port = 22 keep state
> pass in proto udp from any to any
> I'm guessing that since this box is actually the client in the
> reverse dns conversation, that it listens on a different local port.
> Any idea what port or range of ports that might be? I'd prefer not to
> pass udp indiscriminately unless I have no other choice.
> Shaun Fryer
> London Webmasters
> PH: 519-858-9660
> FX: 519-858-9024
> > *********** REPLY SEPARATOR ***********
> > On 6/7/2002 at 4:38 PM Shaun Fryer wrote:
> > >I'm just learning to setup ipf.rules on my fully patched 2.9 system.
> > >For preliminary testing I've got it running only SSHD through the
> > >packet filter as follows.
> > >
> > >pass out all
> > >block in all
> > >pass in from any to any port = 22
> > >
> > >I'm having very slow authentication from a reverse dns timeout which
> > >doesn't happen when the rules aren't present. It seems to happen this
> > >way even if I "keep state" both ways. Any idea of how I can correct
> > >this? I need to be able to SSH into the box from any IP on the www.