Solved DNS blocked

Hi!

I am using DNS.WATCH nameservers and IPFW deny:
Code:
ipfw: 65500 Deny UDP 84.200.69.80:53 192.168.1.2:56329 in via bge0
ipfw: 65500 Deny UDP 84.200.70.40:53 192.168.1.2:33489 in via bge0
The problem is just one site.
I am using FreeBSD 12.0-RELEASE (amd64) and the default rc.firewall.
Code:
ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any icmp6types 3
65000 count ip from any to any
65100 deny { tcp or udp } from any to any 135-139,445 in
65200 deny { tcp or udp } from any to any 1026,1027 in
65300 deny { tcp or udp } from any to any 1433,1434 in
65400 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any 520 in
65500 deny tcp from any 80,443 to any 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any

Should I put in /etc/rc.firewall:
Code:
ipfw add reass udp from any to any in

Thank you.
 
Hello Fernandel,

I'd like to think that I'm quite OK with IPFW and its workings!
However, what is the problem you are experiencing as this is not really clear.
Are DNS queries not working at all? Let's debug this issue together.

Try pinging a popular website like google.com. What does that give you?

ping google.com

As a side note:
Seeing denied packets does not by itself mean that it does not work.
IPFW stateful filtering will allow outgoing DNS queries based on rule 01400.
This rule (keep-state) will create an entry in the dynamic state table which will allow returning packets by the check-state rule 01100.
So what you see might be packets that are getting denied because you did not initiate them first. Which is OK!
 
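The stateful mechanism explained in the reply above, as an added example that is not part of the original post or of ipfw itself: a small Python model of rules 01100 (check-state), 01400 (allow udp from me to any keep-state) and the final 65500 deny log rule from the posted ruleset. The addresses, ports and interface name are the ones in the quoted log lines; the 10-second UDP state lifetime is FreeBSD's default for net.inet.ip.fw.dyn_udp_lifetime. It shows the three outcomes a port-53 packet can have: a query creates state, a timely reply matches it, and a reply that arrives after the state has expired, or to a query this host never sent, falls through to the logging deny rule and produces a line of exactly the shape quoted in the first post.

```python
"""Toy model of the stateful part of the thread's IPFW ruleset.

Constructed example, not ipfw itself. Rules modelled: 01100 check-state,
01400 allow udp from me to any keep-state, 65500 deny log ip from any to any.
Everything else in the ruleset is ignored.
"""
from dataclasses import dataclass

ME = "192.168.1.2"       # this host, taken from the log lines in the thread
IFACE = "bge0"           # interface named in the log lines
DYN_UDP_LIFETIME = 10    # seconds; FreeBSD default for net.inet.ip.fw.dyn_udp_lifetime


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" (the only protocol this model handles)
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out", as ipfw reports it


class StatefulFilter:
    """Dynamic state table keyed on the 5-tuple of the packet that created it."""

    def __init__(self):
        self.now = 0          # simulated clock, in seconds
        self.states = {}      # 5-tuple -> expiry time

    def tick(self, seconds):
        self.now += seconds

    def _check_state(self, pkt):
        # check-state matches a flow in either direction: the tuple as recorded
        # (the outbound query) or reversed (the reply coming back in).
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            expiry = self.states.get(key)
            if expiry is None:
                continue
            if expiry > self.now:
                # every matching packet refreshes the lifetime, as ipfw does
                self.states[key] = self.now + DYN_UDP_LIFETIME
                return True
            del self.states[key]   # expired entries are purged when seen
        return False

    def evaluate(self, pkt):
        """Return (rule number, human-readable result) for a UDP packet."""
        if self._check_state(pkt):
            return 1100, "allow (matched dynamic state)"
        if pkt.proto == "udp" and pkt.src == ME:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.states[key] = self.now + DYN_UDP_LIFETIME
            return 1400, "allow udp from me keep-state (state created)"
        # Same shape as the kernel log lines quoted in the first post.
        return 65500, (f"ipfw: 65500 Deny {pkt.proto.upper()} {pkt.src}:{pkt.sport} "
                       f"{pkt.dst}:{pkt.dport} {pkt.direction} via {IFACE}")


def demo():
    resolver_a, resolver_b = "84.200.69.80", "84.200.70.40"  # DNS.WATCH addresses from the thread
    fw = StatefulFilter()
    out = {}
    # 1. Outbound query: rule 01400 allows it and records state.
    out["query"] = fw.evaluate(Packet("udp", ME, 56329, resolver_a, 53, "out"))
    # 2. Prompt reply: the reversed tuple matches at check-state (01100).
    out["reply"] = fw.evaluate(Packet("udp", resolver_a, 53, ME, 56329, "in"))
    # 3. Another query whose reply arrives after the UDP state has expired:
    #    a reply to something we did send, yet it falls through to the deny rule.
    fw.evaluate(Packet("udp", ME, 33489, resolver_b, 53, "out"))
    fw.tick(DYN_UDP_LIFETIME + 1)
    out["late_reply"] = fw.evaluate(Packet("udp", resolver_b, 53, ME, 33489, "in"))
    # 4. A reply to a query this host never sent: no state, denied.
    out["unsolicited"] = fw.evaluate(Packet("udp", resolver_a, 53, ME, 40000, "in"))
    return out


if __name__ == "__main__":
    for name, (rule, text) in demo().items():
        print(f"{name:12} -> {rule:05d} {text}")
```

On the real system, `ipfw -d list` shows the current dynamic entries alongside the static rules, and `ipfw -t list` adds the time each rule last matched, which is how you confirm that a denied port-53 packet had no live state behind it. Note also the `logamount 500` on rule 65500: once that many packets have been logged, logging for that rule stops until `ipfw resetlog` is run, so an absence of new log lines does not mean the denies have stopped.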
Pinging google, freebsd, jax.org works without problems and I do not have problems 95% of the time.
For example:
When I open jax.org, then Careers, everything is smooth and fast, but when I click on Research position it takes a long time and finally opens, and then I choose Scientist... and it opens fast, but this time I got from IPFW what I wrote in my first post. In this case I am using qutebrowser, because on Firefox I have everything blocked, including scripts, but some blocking happened also when I was browsing with Firefox.
It is not a big problem, but I don't remember that happening when I used 1.1.1.1 or Verisign.
Code:
--- freebsd.org ping statistics ---
22 packets transmitted, 22 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 32.623/34.502/39.366/1.414 ms
BTW: I had a bad DSL line.

Thank you.
 
I feel like this is not related to IPFW or DNS at all. DNS either works or doesn't.
The site might just be slow or there's some kind of regression with the web browser you are using although you also have the problem with Firefox.
This leads me to believe the site is just slow in responding to your requests as it comes through in the end as I understand from your statement.

As I already noted above, it is not because you are seeing denied packets from port 53 that it means that DNS is not working at that point.
IPFW is denying packets that you did not initiate (ask for). This is normal behavior given how IPFW is configured by your ruleset.
 
Thank you. Your explanation helped me.