Re: 2.9: ipf prevents reverse DNS
Quoting Shaun Fryer (shaun@lweb.net):
> > pass in from any to any port = 53
> > ..to allow the DNS queries through
>
> Thanks. It didn't work though. However I did add a rule
> allowing in udp on any port and it worked fine.
Wow, so much for security.
I'm sure you're intimate with the protocols and TCP/IP (you
wouldn't be setting up a firewall otherwise); allow port 53
both udp and TCP. Or run named on the firewall :)
> ------------------------
> pass out all
> pass out proto tcp from any to any keep state
> block in all
> pass in proto tcp from any to any port = 22 keep state
> pass in proto udp from any to any
> ------------------------
>
> I'm guessing that since this box is actually the client in the
> reverse dns conversation, that it listens on a different local port.
> Any idea what port or range of ports that might be? I'd prefer not to
> pass udp indiscriminately unless I have no other choice.
>
> ===================
> Shaun Fryer
> ===================
> London Webmasters
> http://LWEB.NET
> PH: 519-858-9660
> FX: 519-858-9024
> ===================
>
> > *********** REPLY SEPARATOR ***********
> >
> > On 6/7/2002 at 4:38 PM Shaun Fryer wrote:
> >
> > >I'm just learning to set up ipf.rules on my fully patched 2.9 system.
> > >For preliminary testing I've got it running only SSHD through the
> > >packet filter as follows.
> > >
> > >pass out all
> > >block in all
> > >pass in from any to any port = 22
> > >
> > >I'm having very slow authentication from a reverse dns timeout which
> > >doesn't happen when the rules aren't present. It seems to happen this
> > >way even if I "keep state" both ways. Any idea of how I can correct
> > >this? I need to be able to SSH into the box from any IP on the www.
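The point of the thread is that the firewall host is the DNS client: its query leaves from an ephemeral source port to port 53, and the reply comes back to that ephemeral port, so a plain "pass in ... port = 53" never matches it and "pass in proto udp from any to any" only "works" by exposing every UDP service on the box. The fix is to create state on the outbound query rather than opening inbound UDP. The script below is an added example, not code from the thread: it shows the posted ruleset next to a corrected one (the corrected set and the audit helpers are hypothetical and written for this example) and a small check that flags inbound UDP pass rules with no port test, as a guard before a ruleset is loaded. It relies on ipf's last-matching-rule-wins semantics (no "quick") and on "keep state" being supported for UDP, both of which hold for ipf.

```shell
#!/bin/sh
# Added example (not from the original thread): weak vs. corrected ipf
# rulesets for DNS from the firewall host, plus an audit helper.

# Weak ruleset as posted in the thread. DNS replies get in only because the
# last line admits every UDP datagram from anywhere.
WEAK_RULES='pass out all
pass out proto tcp from any to any keep state
block in all
pass in proto tcp from any to any port = 22 keep state
pass in proto udp from any to any'

# Corrected ruleset (hypothetical, written for this example). The host is
# the DNS client, so the query leaves from an ephemeral source port to
# destination port 53; "keep state" on that outbound rule lets only the
# matching reply back in. TCP 53 (large answers) is already covered by the
# general outbound TCP keep-state rule. Without "quick", the last matching
# rule wins, so the UDP 53 rule overrides the stateless "pass out all".
FIXED_RULES='pass out all
pass out proto tcp from any to any keep state
pass out proto udp from any to any port = 53 keep state
block in all
pass in proto tcp from any to any port = 22 keep state'

# Print every inbound pass rule that matches UDP without any port test.
# Such a rule exposes all UDP listeners on the host, not just DNS.
broad_udp_in() {
    printf '%s\n' "$1" \
        | grep -E '^pass[[:space:]]+in' \
        | grep -E 'proto[[:space:]]+udp' \
        | grep -vE 'port' || true
}

# Number of such rules; a deploy script can refuse to load when non-zero.
count_broad_udp_in() {
    broad_udp_in "$1" | grep -c . || true
}

# Stand-alone usage: report on both rulesets.
printf 'weak ruleset: %s broad inbound UDP rule(s)\n' "$(count_broad_udp_in "$WEAK_RULES")"
printf 'fixed ruleset: %s broad inbound UDP rule(s)\n' "$(count_broad_udp_in "$FIXED_RULES")"
```

Once the corrected rules are in place, `ipfstat -s` shows the UDP state entries created by the outbound port 53 rule while a lookup is in flight, which is the quickest way to confirm the reply is being matched by state rather than by an open inbound rule.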