IPFW Rules. Can't connect with port 53 DNS from outside

Hello guys,

I have a really strange issue with ipfw.
I can't connect to DNS from outside. I have a jail where the DNS server is installed. I'm using IPFW. I can connect via telnet from the host to DNS port 53 in the jail, but I can't connect from outside. When I disable ipfw everything works fine. I have checked so many times but it still doesn't work. Maybe someone of you can help me resolve that problem.
My rules:
Code:
root@HardenedBSD:/home/bryn1u # ipfw list
00010 allow ip from any to any via lo0
00101 check-state :default
00110 allow tcp from me to any dst-port 53 out via em0 setup keep-state :default
00111 allow udp from me to any dst-port 53 out via em0 keep-state :default
00120 allow udp from me 68 to any dst-port 67 out via em0 keep-state :default
00200 allow tcp from any to any dst-port 80 out via em0 setup keep-state :default
00220 allow tcp from any to any dst-port 443 out via em0 setup keep-state :default
00230 allow tcp from any to any dst-port 25 out via em0 setup keep-state :default
00231 allow tcp from any to any dst-port 465 out via em0 setup keep-state :default
00232 allow tcp from any to any dst-port 587 out via em0 setup keep-state :default
00250 allow icmp from any to any out via em0 keep-state :default
00260 allow tcp from any to any dst-port 37 out via em0 setup keep-state :default
00270 allow udp from any to any dst-port 123 out via em0 keep-state :default
00280 allow tcp from any to any dst-port 22 out via em0 setup keep-state :default
00299 deny log logamount 5 ip from any to any out via em0
00300 deny ip from 192.168.0.0/16 to any in via em0
00301 deny ip from 172.16.0.0/12 to any in via em0
00302 deny ip from 10.0.0.0/8 to any in via em0
00303 deny ip from 127.0.0.0/8 to any in via em0
00304 deny ip from 0.0.0.0/8 to any in via em0
00305 deny ip from 169.254.0.0/16 to any in via em0
00306 deny ip from 192.0.2.0/24 to any in via em0
00307 deny ip from 204.152.64.0/23 to any in via em0
00308 deny ip from 224.0.0.0/3 to any in via em0
00310 allow icmp from any to any in via em0
00315 deny tcp from any to any dst-port 113 in via em0
00320 deny tcp from any to any dst-port 137 in via em0
00321 deny tcp from any to any dst-port 138 in via em0
00322 deny tcp from any to any dst-port 139 in via em0
00323 deny tcp from any to any dst-port 81 in via em0
00330 deny ip from any to any frag in via em0
00332 deny tcp from any to any established in via em0
00350 allow udp from any to me dst-port 53 in via em0
00360 allow tcp from any to me dst-port 53 in via em0
00370 allow udp from any 67 to me dst-port 68 in via em0 keep-state :default
00400 allow tcp from any to me dst-port 80 in via em0 setup limit src-addr 2 :default
00410 allow tcp from any to me dst-port 443 in via em0 setup limit src-addr 2 :default
01000 deny ip from table(22) to any
56420 allow tcp from any to me dst-port 22 in via em0 setup limit src-addr 2 :default
56530 allow tcp from any to any dst-port 25 in via em0 setup keep-state :default
56531 allow tcp from any to any dst-port 465 in via em0 setup keep-state :default
56532 allow tcp from any to any dst-port 587 in via em0 setup keep-state :default
56599 deny log logamount 5 ip from any to any in via em0
65535 allow ip from any to any

I think it looks good:
Code:
00110 allow tcp from me to any dst-port 53 out via em0 setup keep-state :default
00111 allow udp from me to any dst-port 53 out via em0 keep-state :default
00350 allow udp from any to me dst-port 53 in via em0
00360 allow tcp from any to me dst-port 53 in via em0
 
How is the jail configured? And are you forwarding the traffic to the jail?
 
Do you use Unbound as the DNS server? Unbound uses random ports to receive query results, so you shouldn't restrict the destination port to 53 in rules.

For example, if the DNS jail IP is 10.0.0.1 and the host interface is em0:
Code:
# ipfw -q add allow udp from any to 10.0.0.1 [DEL]53[/DEL] in via em0 keep-state

You can add "log" in this to verify my point.
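Added example, not posted by anyone in this thread: a small sh script that writes the two inbound port-53 rules from the first post (numbers 350 and 360) with keep-state, and a helper that counts DNS replies dropped by the outbound deny rule 299, which already logs in the original ruleset (deny log logamount 5). The point it illustrates: rule 350 as posted has no keep-state, so the jail's reply (source port 53, random destination port) matches none of the out rules 110-280 and falls through to 299; with keep-state, the check-state rule 101 accepts the reply. The jail address 10.0.0.1 is taken from the reply above; the IPFW, IF and DNS_IP variables and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): stateful IPFW rules for a DNS jail,
# plus a check of the host's own ipfw deny log.
# Assumptions: jail address 10.0.0.1 on em0, rule numbers 350/360, and an
# IPFW variable so the commands can be previewed with IPFW=echo.
IPFW=${IPFW:-ipfw}
IF=${IF:-em0}
DNS_IP=${DNS_IP:-10.0.0.1}

# Inbound DNS to the jail. keep-state creates a dynamic rule for the flow, so
# the reply (source port 53, random destination port) is accepted by the
# check-state rule instead of falling through to the outbound deny-all rule.
dns_rules() {
    $IPFW -q add 350 allow udp from any to "$DNS_IP" dst-port 53 in via "$IF" keep-state
    $IPFW -q add 360 allow tcp from any to "$DNS_IP" dst-port 53 in via "$IF" setup keep-state
}

# Diagnostic: count DNS replies dropped by the outbound deny rule (299 in the
# ruleset above). Reads ipfw log lines from stdin, e.g. from /var/log/security.
# Log line shape: "ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> out via <if>"
count_dropped_dns_replies() {
    grep -cE 'ipfw: 299 Deny (UDP|TCP) [0-9.]+:53 [0-9.]+:[0-9]+ out via' || true
}

# Constructed sample log (not real output): two dropped replies from the jail's
# port 53 and one unrelated inbound drop that must not be counted.
SAMPLE_LOG='Mar  1 10:00:01 HardenedBSD kernel: ipfw: 299 Deny UDP 10.0.0.1:53 198.51.100.7:51342 out via em0
Mar  1 10:00:02 HardenedBSD kernel: ipfw: 299 Deny TCP 10.0.0.1:53 198.51.100.7:51343 out via em0
Mar  1 10:00:03 HardenedBSD kernel: ipfw: 56599 Deny UDP 198.51.100.7:51344 10.0.0.1:161 in via em0'

# Usage: "sh dns_rules.sh preview" prints the commands; "sh dns_rules.sh apply"
# loads them; "sh dns_rules.sh check" counts drops in the constructed sample.
case "${1:-}" in
    preview) IPFW=echo; dns_rules ;;
    apply)   dns_rules ;;
    check)   printf '%s\n' "$SAMPLE_LOG" | count_dropped_dns_replies ;;
esac
```

Before changing anything, the same check can be run against the real log with `grep 'ipfw: 299' /var/log/security | count_dropped_dns_replies` (after sourcing the script); a non-zero count confirms that the replies, not the queries, are what the firewall is dropping.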
 