# IPFW blocks 53 DNS - which is totally unexplained ! Is in ipfw bug ?



## bryn1u (Sep 10, 2017)

Hello,

I have been trying to resolve ipfw problem with blocking DNS. I even remove almast all rules and have added only ports 22 and 53. I can't still connect with port 53. I tried with PF and works like a charm. When i turn off firewall work like a charms. There is something fucked with IPFW.

```
/etc/rc.conf
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
```
And complicated ipfw rules !

```
/etc/ipfw.rules
#!/usr/local/bin/bash
# ipfw config/rules
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add "
vif="em0"

# allow all for localhost
$cmd 00010 allow ip from any to any via lo0

# StateFull
$cmd 00101 check-state

### SSH:
$cmd allow tcp from any to me dst-port 22 in via $vif setup keep-state
$cmd allow tcp from me to any dst-port 22 out via $vif setup keep-state

### DNS:
$cmd allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd allow tcp from any to me dst-port 53 in via $vif setup
$cmd allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd allow udp from me to any dst-port 53 out via $vif keep-state

### Deny Everything else:
# deny everything else, and log it
# inbound catchall
$cmd 56599 deny log ip from any to any in via $vif
```

Telnet for port 22 works great. For other services either (i didn't mention here because don't matter). The problem start with port 53 i can't assigne domain from panel on that ip (get message: A hostname is given that is not resolved). As i said for PF and without firewall everything works great ! Bind99 is locked in jail and has a public ip so nat isn't needed. The funny thing is that telnet on port 53 is working.

Someone can tell me what kind of magic is here ?????


----------



## obsigna (Sep 10, 2017)

I understand, that you got bind99 listening on em0 for incoming DNS requests, and the requests are blocked by your firewall rules. Is my understanding correct?

In case YES:
Remove in the udp 53 rule the directive out and let it go from any $cmd allow udp from any to any dst-port 53 via $vif​
In case NO:
Please explain your goals in some more details.​

Some notes:

Telnet 53 is working since telnet is running over TCP while DNS uses UDP if not configured otherwise.


If you got a standard DNS setup then you may want to remove all the TCP 53 rules.


In a stateful firewall you need usually to configure only one traffic direction, because the other one is covered by automatically generated dynamic rules. It is crucial however to tell the correct direction.


A DNS server needs usually both directions open, because it acts as a server for responding requests, and as a client as well for request forwarding or recursion.


----------



## bryn1u (Sep 10, 2017)

obsigna

You are right.

With those rules it's working !

```
### DNS:
$cmd allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd allow udp from any to me dst-port 53 in via $vif setup
$cmd allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd allow udp from any to any dst-port 53 via $vif
```

But i still don't understand why the f.... when port 53 out is open it doesn't work. With PF i have a open 53 upd out and default policy is blocked and it works !
These rules i have got from handbook freebsd !

Edit:
###################################
Heh, when i have loaded all ipfw rules it doesn't work again:

```
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.

# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"
# allow all for localhost
$cmd 00010 allow ip from any to any via lo0

# checks stateful rules.  If marked as "keep-state" the packet has
# already passed through filters and is "OK" without futher
# rule matching
$cmd 00101 check-state

### SSH:
$cmd allow tcp from any to me dst-port 22 in via $vif setup keep-state
$cmd allow tcp from me to any dst-port 22 out via $vif setup keep-state

### DNS:
$cmd 00108 allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd 00107 allow udp from any to me dst-port 53 in via $vif setup
$cmd 00110 allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd 00110 allow udp from any to any dst-port 53 via $vif

# allow HTTP HTTPS replies
$cmd 00400 allow tcp from any to me dst-port 80 in via $vif setup limit src-addr 2
$cmd 00410 allow tcp from any to me dst-port 443 in via $vif setup limit src-addr 2
$cmd 00200 allow tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00220 allow tcp from any to any dst-port 443 out via $vif setup keep-state

# allow outbound mail
#$cmd 00230 allow tcp from any to any dst-port 25 out via $vif setup keep-state
#$cmd 00231 allow tcp from any to any dst-port 465 out via $vif setup keep-state
#$cmd 00232 allow tcp from any to any dst-port 587 out via $vif setup keep-state

# allow icmp re: ping, et. al. 
# comment this out to disable ping, et.al.
#$cmd 00250 allow icmp from any to any out via $vif keep-state

# alllow timeserver out
#$cmd 00260 allow tcp from any to any dst-port 37 out via $vif setup keep-state

# allow ntp out
#$cmd 00270 allow udp from any to any dst-port 123 out via $vif keep-state

# otherwise deny outbound packets
# outbound catchall. 
$cmd 00299 deny log ip from any to any out via $vif

"/etc/ipfw.rules" 83L, 3225C                                                                                                                                           1,1           Top
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.

# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"
# allow all for localhost
$cmd 00010 allow ip from any to any via lo0

# checks stateful rules.  If marked as "keep-state" the packet has
# already passed through filters and is "OK" without futher
# rule matching
$cmd 00101 check-state

### SSH:
$cmd allow tcp from any to me dst-port 22 in via $vif setup keep-state
$cmd allow tcp from me to any dst-port 22 out via $vif setup keep-state

### DNS:
$cmd 00108 allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd 00107 allow udp from any to me dst-port 53 in via $vif setup
$cmd 00110 allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd 00110 allow udp from any to any dst-port 53 via $vif

# allow HTTP HTTPS replies
$cmd 00400 allow tcp from any to me dst-port 80 in via $vif setup limit src-addr 2
$cmd 00410 allow tcp from any to me dst-port 443 in via $vif setup limit src-addr 2
$cmd 00200 allow tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00220 allow tcp from any to any dst-port 443 out via $vif setup keep-state

# allow outbound mail
#$cmd 00230 allow tcp from any to any dst-port 25 out via $vif setup keep-state
#$cmd 00231 allow tcp from any to any dst-port 465 out via $vif setup keep-state
#$cmd 00232 allow tcp from any to any dst-port 587 out via $vif setup keep-state

# allow icmp re: ping, et. al. 
# comment this out to disable ping, et.al.
#$cmd 00250 allow icmp from any to any out via $vif keep-state

# alllow timeserver out
#$cmd 00260 allow tcp from any to any dst-port 37 out via $vif setup keep-state

# allow ntp out
#$cmd 00270 allow udp from any to any dst-port 123 out via $vif keep-state

# otherwise deny outbound packets
# outbound catchall. 
$cmd 00299 deny log ip from any to any out via $vif

"/etc/ipfw.rules" 83L, 3225C                                                                                                                                           1,1           Top
$cmd 00299 deny log ip from any to any out via $vif

# inbound rules
# deny inbound traffic to restricted addresses
$cmd 00300 deny ip from 192.168.0.0/16 to any in via $vif
$cmd 00301 deny ip from 172.16.0.0/12 to any in via $vif
$cmd 00302 deny ip from 10.0.0.0/8 to any in via $vif
$cmd 00303 deny ip from 127.0.0.0/8 to any in via $vif
$cmd 00304 deny ip from 0.0.0.0/8 to any in via $vif
$cmd 00305 deny ip from 169.254.0.0/16 to any in via $vif
$cmd 00306 deny ip from 192.0.2.0/24 to any in via $vif
$cmd 00307 deny ip from 204.152.64.0/23 to any in via $vif
$cmd 00308 deny ip from 224.0.0.0/3 to any in via $vif

# deny inbound packets on these ports
# auth 113, netbios (services) 137/138/139, hosts-nameserver 81 
$cmd 00315 deny tcp from any to any dst-port 113 in via $vif
$cmd 00320 deny tcp from any to any dst-port 137 in via $vif
$cmd 00321 deny tcp from any to any dst-port 138 in via $vif
$cmd 00322 deny tcp from any to any dst-port 139 in via $vif
$cmd 00323 deny tcp from any to any dst-port 81 in via $vif

# deny partial packets
$cmd 00330 deny ip from any to any frag in via $vif
$cmd 00332 deny tcp from any to any established in via $vif

# deny everything else, and log it
# inbound catchall
$cmd 56599 deny log ip from any to any in via $vif
```

These rules are taken from handbook.


----------



## SirDice (Sep 11, 2017)

obsigna said:


> Telnet 53 is working since telnet is running over TCP while DNS uses UDP if not configured otherwise.
> 
> 
> If you got a standard DNS setup then you may want to remove all the TCP 53 rules.


This is not entirely correct. DNS will use TCP if the response doesn't fit in a UDP packet. In order to allow proper DNS resolving you need to accept _both_ UDP and TCP requests. Windows tends to use TCP a lot for regular DNS lookups.


----------



## bryn1u (Sep 12, 2017)

Okey guys.

Problem has been resolved. There 2 part of issue:

1) rules
2) bind-911 is crapp. I have read posts on this forum related bind-911 and so many people has the same problem with bind-911. Do not use it

1)### DNS:
$cmd 00108 allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd 00110 allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 via $vif keep-state

Everything works like a charm !

2) Problem with bind-911:

```
Sep 12 03:41:05 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 03:41:05 dns named[75674]: bind: Operation not permitted
Sep 12 03:41:05 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 03:41:05 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 03:41:05 dns named[75674]: not listening on any interfaces
Sep 12 04:41:05 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 04:41:05 dns named[75674]: bind: Operation not permitted
Sep 12 04:41:05 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 04:41:05 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 04:41:05 dns named[75674]: not listening on any interfaces
Sep 12 05:41:05 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 05:41:05 dns named[75674]: bind: Operation not permitted
Sep 12 05:41:05 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 05:41:05 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 05:41:05 dns named[75674]: not listening on any interfaces
Sep 12 06:41:05 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 06:41:05 dns named[75674]: bind: Operation not permitted
Sep 12 06:41:05 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 06:41:05 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 06:41:05 dns named[75674]: not listening on any interfaces
Sep 12 07:41:05 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 07:41:05 dns named[75674]: bind: Operation not permitted
Sep 12 07:41:05 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 07:41:05 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 07:41:05 dns named[75674]: not listening on any interfaces
Sep 12 08:41:06 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 08:41:06 dns named[75674]: bind: Operation not permitted
Sep 12 08:41:06 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 08:41:06 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 08:41:06 dns named[75674]: not listening on any interfaces
Sep 12 09:41:06 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 09:41:06 dns named[75674]: bind: Operation not permitted
Sep 12 09:41:06 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 09:41:06 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 09:41:06 dns named[75674]: not listening on any interfaces
Sep 12 10:41:06 dns named[75674]: socket.c:5597: unexpected error:
Sep 12 10:41:06 dns named[75674]: bind: Operation not permitted
Sep 12 10:41:06 dns named[75674]: could not listen on UDP socket: unexpected error
Sep 12 10:41:06 dns named[75674]: creating IPv4 interface em0 failed; interface ignored
Sep 12 10:41:06 dns named[75674]: not listening on any interfaces
Sep 12 11:35:29 dns named[75674]: stopping command channel on 127.0.0.1#953
```

I have reinstalled on bind-99 and everything with changed rules of ipfw has been starting work like a charm !
Thank you for your help. Subject can be close !
Greetz


----------

