I have ipfw configured with these rules (among others):

Code:
# ipfw list | grep "53 "
00110 allow tcp from me to any dst-port 53 out via re0 setup keep-state
00111 allow udp from me to any dst-port 53 out via re0 keep-state
00550 allow ip from any to me dst-port 53 in via re0 setup keep-state

My network interface configuration is:

Code:
# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 1c:6f:65:92:c4:59
inet 192.168.14.69 netmask 0xffffff00 broadcast 192.168.14.255
inet 192.168.14.253 netmask 0xffffff00 broadcast 192.168.14.255
inet 192.168.14.199 netmask 0xffffff00 broadcast 192.168.14.255
inet 192.168.14.202 netmask 0xffffff00 broadcast 192.168.14.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
inet 127.0.0.2 netmask 0xffffffff
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Shelled in to a remote machine, I'm trying nslookup queries:

Code:
> server
Default server: 100.0.193.99
Address: 100.0.193.99#53
> fkeinternet.net
;; connection timed out; no servers could be reached

On my server, I'm seeing firewall block reports in the log:

Code:
# grep 216.154.215 /var/log/*
/var/log/security:Mar 10 01:13:12 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:35683 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:13:17 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:35683 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:13:22 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:35683 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:16:51 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:37504 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:16:56 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:37504 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:17:01 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:37504 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:18:39 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:36527 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:18:44 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:36527 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:18:49 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:36527 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:28:58 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:49956 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:03 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:49956 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:08 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:49956 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:32 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:56370 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:37 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:56370 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:42 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:56370 192.168.14.199:53 in via re0

I've tried the ipfw 550 rule with and without the setup and keep-state flags; no combination works.

Why is the ipfw 550 rule not allowing the inbound DNS traffic, so that the catch-all 56599 rule takes effect?
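The following is an added example, not part of the post above and not ipfw's own code: a small Python model of ipfw's first-match evaluation, fed with the rules and one of the log lines from the post. It is useful when debugging a rule set offline, because it makes visible which clause of a rule rejects a packet. In ipfw, the `setup` option matches only TCP segments with SYN set and ACK clear, so a rule carrying `setup` can never match a UDP datagram regardless of its protocol field. The matcher below is a deliberate simplification (no port ranges, no `not`, no state table), the address set that `me` expands to is taken from the ifconfig output, and the text of the catch-all rule 56599 is assumed to be `deny ip from any to any` because the post does not show it.

```python
import re
from dataclasses import dataclass, field

# Addresses that `me` expands to on this host (from the ifconfig output).
ME = {"192.168.14.69", "192.168.14.253", "192.168.14.199", "192.168.14.202",
      "127.0.0.1", "127.0.0.2"}


@dataclass
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                   # "in" or "out"
    iface: str
    tcp_flags: frozenset = field(default_factory=frozenset)  # empty for UDP


# Shape of the kernel's ipfw deny/log line as it appears in /var/log/security.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)")


def packet_from_log(line):
    """Rebuild the packet tuple that an ipfw log line describes."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not an ipfw log line: {line!r}")
    return Packet(m["proto"].lower(), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["dir"], m["iface"])


# Simplified rule grammar: action proto from src to dst [dst-port N] [in|out]
# [via IFACE] [options...]; this is a subset of what ipfw(8) accepts.
RULE_RE = re.compile(
    r"(?P<num>\d+) (?P<action>allow|deny) (?P<proto>\w+) from (?P<src>\S+) "
    r"to (?P<dst>\S+)(?: dst-port (?P<dport>\d+))?(?: (?P<dir>in|out))?"
    r"(?: via (?P<iface>\w+))?(?P<opts>(?: [\w-]+)*)")


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return spec == addr


def rule_matches(rule, pkt):
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    if m["proto"] not in ("ip", pkt.proto):
        return False
    if not addr_matches(m["src"], pkt.src) or not addr_matches(m["dst"], pkt.dst):
        return False
    if m["dport"] and int(m["dport"]) != pkt.dport:
        return False
    if m["dir"] and m["dir"] != pkt.direction:
        return False
    if m["iface"] and m["iface"] != pkt.iface:
        return False
    opts = set(m["opts"].split())
    # `setup` matches only TCP with SYN set and ACK clear, so it never
    # matches UDP even when the rule says `ip`.
    if "setup" in opts and not (pkt.proto == "tcp"
                                and "SYN" in pkt.tcp_flags
                                and "ACK" not in pkt.tcp_flags):
        return False
    return True


def first_match(rules, pkt):
    """Return the number of the first matching rule, as ipfw would apply it."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return int(rule.split()[0])
    return None


# Rules as posted, followed by the catch-all deny (assumed text, see lead-in).
RULES_AS_POSTED = [
    "00110 allow tcp from me to any dst-port 53 out via re0 setup keep-state",
    "00111 allow udp from me to any dst-port 53 out via re0 keep-state",
    "00550 allow ip from any to me dst-port 53 in via re0 setup keep-state",
    "56599 deny ip from any to any",
]
# Same set with rule 550 restricted to UDP and without `setup`.
RULES_UDP_FIX = RULES_AS_POSTED[:2] + [
    "00550 allow udp from any to me dst-port 53 in via re0 keep-state",
    RULES_AS_POSTED[3],
]

# One deny line copied from the post.
LOG_LINE = ("/var/log/security:Mar 10 01:13:12 Dreamer kernel: ipfw: 56599 Deny "
            "UDP 216.154.215.239:35683 192.168.14.199:53 in via re0")

if __name__ == "__main__":
    pkt = packet_from_log(LOG_LINE)
    print("rules as posted ->", first_match(RULES_AS_POSTED, pkt))  # 56599
    print("udp rule 550    ->", first_match(RULES_UDP_FIX, pkt))    # 550
```

Running it against the logged datagram returns 56599 for the posted rule set and 550 once rule 550 is a plain `udp` rule without `setup`; a TCP SYN to port 53 reaches rule 550 in both sets, which is why the rule looks correct when tested with TCP tools alone.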