c76d Rules behavior - The FreeBSD Forums
Firewalls IPFW, PF, IPF (but not limited) related discussion

#1
August 3rd, 2012, 04:01
overlook (Junior Member)
Rules behavior

Hello!

I'm currently new to configuring OpenBSD's PacketFilter; however, I have some questions regarding what can be left out and what needs to be mentioned in the rules.

Most examples mention only http/https ports for an outgoing connection. However, resolving domain names is the sole job of DNS (TCP/IP Stack). So normally a firewall would block the DNS requests, since they aren't a configured part of the rule set. But that doesn't seem to be the case, since these examples don't mention any rules for the DNS protocol.

So if anyone could clear up this confusion I would be really grateful. Just merely trying to figure out heads and tails of Packet Filter.
#2
August 3rd, 2012, 04:22
wblock@ (Moderator)

A specific rule set would be easier to see.

Often, firewalls are configured to allow all traffic that originates inside the network. DNS would be included in that type of traffic. Most small networks do not serve DNS requests that originate from outside, so this works fine.
#3
August 3rd, 2012, 12:04
overlook (Junior Member)

So what you're saying is, under conditions where computers connecting to the Internet are getting their IPs in DHCP mode. But what about static conditions, where the computer would be configured to retrieve DNS names off shore?
#4
August 3rd, 2012, 12:27
SirDice (Moderator)

Post the rule set. We can't make any judgments about rules we don't know.
--
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#5
August 3rd, 2012, 14:49
wblock@ (Moderator)

Quote (originally posted by overlook):
    So what you're saying is, under conditions where computers connecting to the Internet are getting their IPs in DHCP mode.
No. I'm saying that firewalls often allow any type of connection as long as it originates from inside the network. A computer inside the network does a DNS lookup, sends mail, web connection, anything, the firewall allows that. Connections coming in from outside the firewall are filtered; if the network has no public DNS server, DNS connections from outside are rejected.
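To make the point in posts #2 and #5 concrete, here is an added example pf.conf (not a ruleset from the thread or from any poster) that allows anything originating inside the LAN and filters what arrives from the Internet. The interface names em0/em1, the LAN prefix 192.168.1.0/24 and the two public services are assumptions chosen for illustration; NAT is deliberately left out so only the filtering logic shows.

```pf
# Added example ruleset, not from the thread. Interfaces and LAN prefix are assumed.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"

set skip on lo0

# Default deny: anything no later rule passes is dropped.
block all

# Outbound: allow any connection that originates inside the LAN.
# Modern PF keeps state on pass rules by default, so the reply packets
# (including the UDP answer from an external resolver on port 53) match
# the state entry created by the outgoing request. That is why the
# examples in the original question need no DNS-specific rule, whether
# the resolver address came from DHCP or was set statically.
pass in  on $lan_if from $lan_net to any
pass out on $ext_if from any to any

# Inbound from the Internet: only the services actually hosted here.
# Nothing here passes port 53, so DNS queries from outside are rejected.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 }

# Only if a public DNS server were hosted on this machine would an
# explicit inbound rule be needed, for example:
# pass in on $ext_if proto { tcp udp } from any to ($ext_if) port 53
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -ss` lists the current state table, where an outbound lookup shows up as a UDP entry to the resolver's port 53 even though no rule names that port.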
Tags: dns, http, https, ruleset