After setting up the IPFW firewall, DNS no longer resolves; could everyone take a look?
root@bsd:/home/wjm # ipfw list
00005 allow ip from any to any via re0
00010 allow ip from any to any via lo0
00015 check-state
00020 allow tcp from any to any dst-port 53 out via tun0 setup keep-state
00021 allow udp from any to any dst-port 53 out via tun0 setup keep-state
00022 allow tcp from any to any dst-port 53 in via tun0 setup keep-state
00023 allow udp from any to any dst-port 53 in via tun0 setup keep-state <---- port 53 has already been opened here
00040 skipto 800 tcp from any to any dst-port 80 out via tun0 setup keep-state
00050 skipto 800 tcp from any to any dst-port 443 out via tun0 setup keep-state
00060 skipto 800 tcp from any to any dst-port 25 out via tun0 setup keep-state
00061 skipto 800 tcp from any to any dst-port 110 out via tun0 setup keep-state
00070 skipto 800 tcp from me to any out via tun0 setup uid root keep-state
00080 skipto 800 icmp from any to any out via tun0 keep-state
00090 skipto 800 tcp from any to any dst-port 37 out via tun0 setup keep-state
00100 skipto 800 tcp from any to any dst-port 119 out via tun0 setup keep-state
00110 skipto 800 tcp from any to any dst-port 22 out via tun0 setup keep-state
00120 skipto 800 tcp from any to any dst-port 43 out via tun0 setup keep-state
00130 skipto 800 udp from any to any dst-port 123 out via tun0 keep-state
00300 deny ip from 192.168.0.0/16 to any in via tun0
00301 deny ip from 172.16.0.0/12 to any in via tun0
00302 deny ip from 10.0.0.0/8 to any in via tun0
00303 deny ip from 127.0.0.0/8 to any in via tun0
00304 deny ip from 0.0.0.0/8 to any in via tun0
00305 deny ip from 169.254.0.0/16 to any in via tun0
00306 deny ip from 192.0.2.0/24 to any in via tun0
00307 deny ip from 204.152.64.0/23 to any in via tun0
00308 deny ip from 224.0.0.0/3 to any in via tun0
00315 deny tcp from any to any dst-port 113 in via tun0
00320 deny tcp from any to any dst-port 137 in via tun0
00321 deny tcp from any to any dst-port 138 in via tun0
00322 deny tcp from any to any dst-port 139 in via tun0
00323 deny tcp from any to any dst-port 81 in via tun0
00330 deny ip from any to any frag in via tun0
00332 deny tcp from any to any established in via tun0
00370 allow tcp from any to me dst-port 80 in via tun0 setup limit src-addr 2
00380 allow tcp from any to me dst-port 22 in via tun0 setup limit src-addr 2
00390 allow udp from any 53 to any in via tun0 setup keep-state
00400 deny log ip from any to any in via tun0
00450 deny log ip from any to any out via tun0
00801 allow ip from any to any
00999 deny log ip from any to any
65535 deny ip from any to any
more /var/log/security:
.....
Nov7 08:30:28 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:59607 202.106.0.20:53 out via tun0
Nov7 08:30:28 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:59607 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:63436 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:63436 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:54164 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:60662 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:54813 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:54813 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:51531 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:51531 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:63615 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:53129 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:52909 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:52909 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:63250 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:59335 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:59335 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:59775 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:59775 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:63435 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:63435 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:49180 202.106.0.20:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:49180 8.8.8.8:53 out via tun0
Nov7 08:30:30 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:65239 202.106.0.20:53 out via tun0
Nov7 08:30:30 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:65239 8.8.8.8:53 out via tun0
Nov7 08:30:30 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:54164 8.8.8.8:53 out via tun0
Nov7 08:30:30 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:57080 202.106.0.20:53 out via tun0
.....
I'm going crazy..... I followed the IPFW chapter in the Handbook and only slightly modified the few lines that open port 53. In fact, even with settings identical to the Handbook, the log still shows the same deny.
Is the problem in those last few rules? The "deny ip ... via tun0" ones?
Also, when I run ifconfig I see an extra network device, ipfw0; does that need to be written into the rules as well?
Experts, please take a look.. I'm just starting to learn IPFW, thanks everyone~~ bump........:dizzy::dizzy::dizzy:
Bump. I read up on ipfw for a while, but I've forgotten it all by now.
Reply to 1# hackson99
Remove setup: UDP has no setup flag, so the rule will not match. One more reminder:
00040 skipto 800 tcp from any to any dst-port 80 out via tun0 setup keep-state
00050 skipto 800 tcp from any to any dst-port 443 out via tun0 setup keep-state
00060 skipto 800 tcp from any to any dst-port 25 out via tun0 setup keep-state
00061 skipto 800 tcp from any to any dst-port 110 out via tun0 setup keep-state
These four lines can be combined into one:
skipto 800 tcp from any to any 80,443,25,110 out via tun0 setup keep-state
The other lines can be handled the same way.
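As an added example (not posted in the thread), a small Python checker that flags the setup-on-UDP mistake lsstarboy describes in ipfw list output and tallies the rule-450 denies to port 53 from /var/log/security lines; the rules and log lines embedded below are constructed to mirror the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample input mirroring the thread: a few `ipfw list` rules and
# /var/log/security lines (not captured from a live system).
RULES = """\
00020 allow tcp from any to any dst-port 53 out via tun0 setup keep-state
00021 allow udp from any to any dst-port 53 out via tun0 setup keep-state
00130 skipto 800 udp from any to any dst-port 123 out via tun0 keep-state
00450 deny log ip from any to any out via tun0
"""
LOGS = """\
Nov7 08:30:28 bsd kernel: ipfw: 450 Deny UDP 192.168.1.11:59607 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:63436 8.8.8.8:53 out via tun0
Nov7 08:30:29 bsd kernel: ipfw: 450 Deny UDP 192.168.1.93:54164 202.106.0.20:53 out via tun0
Nov7 08:30:30 bsd kernel: ipfw: 400 Deny TCP 203.0.113.5:4444 192.168.1.1:81 in via tun0
"""
PROTOS = {"tcp", "udp", "icmp", "ip", "all"}
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def lint_rules(text):
    """Flag rules that can never match: `setup` only matches TCP SYN packets, so a
    udp/icmp/ip rule carrying `setup` is dead and the packet falls through to a
    later rule (here the `deny log` at 450), which is what the thread's log shows."""
    problems = []
    for line in text.splitlines():
        parts = line.split()
        proto = next((p for p in parts[1:] if p in PROTOS), None)
        if proto and proto != "tcp" and "setup" in parts:
            problems.append((parts[0], f"'setup' on {proto} rule never matches"))
    return problems

def summarize_denies(text, dport=53):
    """Count `Deny` log lines to `dport`, keyed by (rule, proto, dst, direction)."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "Deny" and int(m["dport"]) == dport:
            counts[(m["rule"], m["proto"], m["dst"], m["dir"])] += 1
    return counts

if __name__ == "__main__":
    for num, why in lint_rules(RULES):
        print(f"rule {num}: {why}")
    for key, n in summarize_denies(LOGS).items():
        print(f"{n:3d}x rule {key[0]} denied {key[1]} to {key[2]}:53 {key[3]}")
```

Run it against the real ipfw list and /var/log/security output to confirm that only the deny-log rule is catching the DNS queries and that no non-TCP rule still carries setup.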
Reply to 5# lsstarboy
Oh my goodness!! I finally get to meet the great lsstarboy!! So excited!!! I'll give it a try. If it doesn't work, I'll come back to you.