
Re: dns & firewall problem



This is a follow-up to my previous email concerning DNS and the firewall.
I have enclosed the ipf.rules and the messages from ping, nslookup, and
traceroute for your reference.  Please help me solve the problem.

1.  ping ftp.openbsd.org
	ping: unknown host: ftp.openbsd.org

2.  nslookup
	Can't find server name for address xxx.xxx.xxx.xxx: No response
from server.
	Can't find server name for address yyy.yyy.yyy.yyy: No response
from server.
	Default servers are not available

3.  traceroute ftp.openbsd.org
	traceroute: unknown host ftp.openbsd.org

However, I can ping 129.128.5.191 (the IP of ftp.openbsd.org); that is, I
can ping the host by IP address.  When I temporarily suspend the firewall
with the command ipf -Fa, everything becomes OK.  My system is OpenBSD-2.9
(i386).  My connection to the internet is ADSL with pppoe.  Thanks for your
help in advance.

Clarence

======= ipf.rules =======

# /etc/ipf.rules

#--------------------------------------------------------------------------
# tun0 - external interface
# ne0 - internal interface
#--------------------------------------------------------------------------
# First, nasty packets which we don't want near us at all
# packets which are too short to be real except echo replies on lo0
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick on tun0 all with frags

block in quick on tun1 all
block out quick on tun1  all

#-------------------------------------------------------------------------
# fuzz any 'nmap' attempt
block in log quick on tun0 proto tcp from any to any flags FUP
block in log quick on tun0 proto tcp from any to any flags SF/SFRA
block in log quick on tun0 proto tcp from any to any flags /SFRA
#-------------------------------------------------------------------------

#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in  quick on lo0 all
pass out  quick on lo0 all
#--------------------------------------------------------------------------

#--------------------------------------------------------------------------
# Group setup:
# 100 incoming tun0
# 150 outgoing tun0
# 200 incoming ne0
# 250 outgoing ne0
#--------------------------------------------------------------------------
block in log body on tun0 all head 100
block out log body on tun0 all head 150
#--------------------------------------------------------------------------
block in log on ne0 all head 200
block out log on ne0 all head 250
#--------------------------------------------------------------------------

#--------------------------------------------------------------------------
# incoming tun0 traffic - group 100
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.1/32 to 192.168.1.0/24 group 100
block in log quick from any to 127.0.0.1/8 group 100
#--------------------------------------------------------------------------
# 2) deny packets which should not be seen on the internet (paranoid)
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
# RFC 1918 reserves 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), not a single /16
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from any to 172.16.0.0/12 group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from any to 192.168.0.0/16 group 100
#--------------------------------------------------------------------------
# 3) Implemented  Policy

#--------------------------------------------------------------------------
# allow different incoming protocols based on security policy for this host

# allow http
pass in quick proto tcp from any to any port = 80 flags S/SA keep state group 100

# allow https
pass in quick proto tcp from any to any port = 443 flags S/SA keep state group 100

# allow SMTP
pass in quick proto tcp from any to any port = 25 flags S/SA keep state group 100

# allow POP3
pass in quick proto tcp from any to any port = 110 flags S/SA keep state group 100

# allow IMAP4
#pass out quick proto tcp from any to any port = 143 flags S/SA keep state group 150

# LDAP
#pass out quick proto tcp from any to any port = 389 flags S/SA keep state group 150

# telnet
pass out quick proto tcp from any to any port = 23 flags S/SA keep state group 150

# ssh
pass out quick proto tcp from any to any port = 22 flags S/SA keep state group 150

# FTP
pass out quick proto tcp from any to any port = 21 keep state group 150

# NTP
pass out quick proto udp from any to any port = 123  keep state group 150

# nntp
pass out quick proto tcp from any to any port = 119 flags S/SA keep state keep frags group 150

# Napster
#pass out quick proto tcp from any to any port = 8888 flags S/SA keep state keep frags group 150
#pass out quick proto tcp from any to any port = 8875 flags S/SA keep state keep frags group 150

# IRC chat
#pass out quick proto tcp from any to any port = 6667 flags S/SA keep state keep frags group 150

# Pings
pass out quick proto icmp from any to any keep state group 150

# RealAudio
pass out quick proto tcp from any to any port = 7070 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 8080 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 554 flags S/SA keep state keep frags group 150

# identd (that we get)
#pass out quick proto tcp from any to any port = 113 flags S/SA keep state group 150

# XMMS
pass out quick proto tcp from any to any port = 8000 flags S/SA keep state group 150
pass out quick proto tcp from any to any port = 7500 flags S/SA keep state group 150

# SHOUTCAST
pass out quick proto tcp from any to any port = 8038 flags S/SA keep state keep frags group 150

#--------------------------------------------------------------------------

#--------------------------------------------------------------------------
# incoming traffic on ne0 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing
block in log quick from 127.0.0.0/8 to any group 200
#block in log quick from 192.168.0.1/32 to any group 200
block in log quick from 192.168.1.254/32 to any group 200
pass in quick from 192.168.1.0/24 to any  group 200
#--------------------------------------------------------------------------
# outgoing traffic on ne0 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out log quick from any to 127.0.0.0/8 group 250
#block out log quick from any to 192.168.0.1/32 group 250
pass out quick from any to any group 250
#--------------------------------------------------------------------------
========= ipf.rules =============


On Mon, 17 Sep 2001, Clarence wrote:

> Hello,
> 
> I recently followed the steps of Real Quellet (hello_(_at_)_real_(_dot_)_ath_(_dot_)_cx) to set up
> my personal gateway and firewall on pppoe.  However, I got the following
> message when I tried to ping.  The DNS named server didn't like the
> firewall.  I don't know how to solve it, as I am not experienced enough to solve
> the problem and I am in a rush. Is there anyone using the same procedure to
> set up your machine who has it working?  Please help.
> 
> Clarence
> 
> P.S.  which file should I provide for your reference
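
Editor's note on the posted ruleset, with an added example that is not part of Clarence's mail or of the original ipf.rules: the symptoms in the mail (ping and traceroute fail by name, ping by address works, nslookup reports "No response from server" for the resolver addresses, and everything works after `ipf -Fa` empties the rule set) are what you get when nothing in the outbound tun0 group passes DNS. Group 150 in the file passes ICMP with `keep state`, which is why ping by IP succeeds, but it has no rule for UDP or TCP port 53, so every resolver query falls through to `block out log body on tun0 all head 150`. Because that head rule logs, `ipmon` should show the dropped UDP port 53 packets while the problem is present. The fragment below adds the missing rules in the style of the posted file; it assumes tun0 is the pppoe interface, that the resolvers in /etc/resolv.conf are reached across tun0, and leaves the destination as `any` (narrow it to the ISP's resolver addresses once they are known).

```ipf
# Added example, not from the original posting: outbound DNS for group 150
# (outgoing tun0).  Assumes the resolvers sit on the far side of tun0.

# DNS queries: the stub resolver sends UDP to port 53 first.  "keep state"
# lets the matching reply back in through group 100 without an extra rule.
pass out quick proto udp from any to any port = 53 keep state group 150

# TCP 53: used when a UDP answer is truncated (over 512 bytes) and the
# resolver retries over TCP, and for zone transfers if named on this host
# pulls zones from a master.
pass out quick proto tcp from any to any port = 53 flags S/SA keep state group 150
```

Reload with `ipf -Fa -f /etc/ipf.rules` rather than leaving the rules flushed: `ipf -Fa` removes every rule, so the host is unfiltered until the file is loaded again. If name resolution then works for most hosts but large answers still fail, check the `ipmon` log for hits on `block in log quick on tun0 all with frags`, which would also drop fragmented DNS replies.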