I have set up my DNS server in m0n0wall's DMZ, using 1:1 NAT, with my server at 192.168.2.2 on the
DMZ network. I've set up the appropriate Proxy ARP settings, and what I think should be the correct
firewall settings to allow outside clients to resolve my domains by accessing my DNS server. And
most of the time it works, I receive mail, handle web requests, etc., as expected.
However, I do seem to regularly get blocked packets in my firewall logs for what looks like
legitimate DNS requests/responses. Here are some examples from earlier today:
11:27:44.071595 sis2 @0:20 b 192.168.2.2,53 -> 209.88.69.119,42211 PR udp len 20 270 IN
11:24:55.502349 sis2 @0:20 b 192.168.2.2,53 -> 205.160.233.2,34975 PR udp len 20 275 IN
11:17:12.403982 sis2 @0:20 b 192.168.2.2,53 -> 165.121.1.2,32946 PR udp len 20 270 IN
11:16:20.709751 sis2 @0:20 b 192.168.2.2,53 -> 209.20.130.77,13821 PR udp len 20 270 IN
11:16:17.523978 sis2 @0:20 b 192.168.2.2,53 -> 69.10.134.194,28808 PR udp len 20 218 IN
Here are the relevant lines from my config.xml file (I can send the full file if it's required to
diagnose):
<filter>
  <!-- WAN side: let outside resolvers reach the DNS server on the DMZ -->
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <protocol>tcp/udp</protocol>
    <source>
      <any/>
    </source>
    <destination>
      <address>192.168.2.2</address>
      <port>53</port>
    </destination>
    <descr>Incoming DNS lookups &amp; zone xfers</descr>
  </rule>
  [...]
  <!-- DMZ side: let the DNS server send its own queries out to port 53 -->
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <protocol>tcp/udp</protocol>
    <source>
      <address>192.168.2.2</address>
    </source>
    <destination>
      <any/>
      <port>53</port>
    </destination>
    <descr>Outgoing DNS lookups</descr>
  </rule>
</filter>
Since I have only 17 rules in my firewall configuration (and five are disabled), I assume that being
blocked by rule 20 means that it's getting stopped by the default rule(s). But I don't understand
why the packets are reaching that point, if the above rules ought to permit them.
[Feature note: it would be nice for the Firewall: Rules screen to (a) number the user's rules, so
you can actually know the numbering scheme, and (b) provide static-but-visible details of the
default rules.]
Thanks!
Michael
--
_____________________________________________________________
Michael A. Alderete <mailto:lists dash 2003 at alderete dot com>
<http://www.alderete.com>
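As an added example (not part of the original post or of m0n0wall), here is a small Python parser for the ipfilter-style log lines quoted above. It groups blocked packets by the rule that dropped them and separates replies leaving the DNS server from source port 53 towards a high client port, which on a stateful filter are replies that arrived after the firewall no longer held (or never created) state for the matching query, from blocked queries and everything else. The two lines with 198.51.100.x addresses are constructed; the field names and the "blocked-dns-reply-no-state" label are my own.

```python
import re
from collections import Counter

# ipfilter log line as quoted in the post, e.g.
# 11:27:44.071595 sis2 @0:20 b 192.168.2.2,53 -> 209.88.69.119,42211 PR udp len 20 270 IN
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\w)\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s+(?P<dir>IN|OUT)$"
)

def parse_line(line):
    """Parse one log line into a dict with numeric fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[k] = int(rec[k])
    return rec

def classify(rec, dns_server):
    """Label a record; a blocked UDP packet from the server's port 53 to a high port is a reply with no query state."""
    if rec["action"] != "b":
        return "passed"
    if (rec["proto"] == "udp" and rec["src"] == dns_server
            and rec["sport"] == 53 and rec["dport"] >= 1024):
        return "blocked-dns-reply-no-state"
    if rec["proto"] in ("tcp", "udp") and rec["dport"] == 53:
        return "blocked-dns-query"
    return "blocked-other"

def summarize(lines, dns_server):
    """Return (count per classification, count of blocks per rule) over the given lines."""
    by_class, by_rule = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_class[classify(rec, dns_server)] += 1
        if rec["action"] == "b":
            by_rule["@%d:%d" % (rec["group"], rec["rule"])] += 1
    return by_class, by_rule

# Two lines from the post plus two constructed ones (198.51.100.0/24 is documentation space).
SAMPLE = [
    "11:27:44.071595 sis2 @0:20 b 192.168.2.2,53 -> 209.88.69.119,42211 PR udp len 20 270 IN",
    "11:24:55.502349 sis2 @0:20 b 192.168.2.2,53 -> 205.160.233.2,34975 PR udp len 20 275 IN",
    "11:15:01.000000 sis1 @0:21 b 198.51.100.7,5353 -> 192.168.2.2,53 PR udp len 20 60 IN",
    "11:14:00.000000 sis2 @0:5 p 192.168.2.2,40000 -> 198.51.100.53,53 PR udp len 20 60 IN",
]
```

Running `summarize(SAMPLE, "192.168.2.2")` over a day's log makes it easy to see whether every drop on the DMZ interface is of this reply-without-state kind, which is the pattern to compare against the firewall's UDP state timeout rather than against the pass rules shown above.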