# Inbound DNS requests not working



## FKEinternet (Mar 10, 2016)

I have ipfw() configured with these rules (among others)

```
# ipfw list | grep "53 "
00110 allow tcp from me to any dst-port 53 out via re0 setup keep-state
00111 allow udp from me to any dst-port 53 out via re0 keep-state
00550 allow ip from any to me dst-port 53 in via re0 setup keep-state
```
My network interface configuration is

```
# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
 ether 1c:6f:65:92:c4:59
 inet 192.168.14.69 netmask 0xffffff00 broadcast 192.168.14.255
 inet 192.168.14.253 netmask 0xffffff00 broadcast 192.168.14.255
 inet 192.168.14.199 netmask 0xffffff00 broadcast 192.168.14.255
 inet 192.168.14.202 netmask 0xffffff00 broadcast 192.168.14.255
 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 media: Ethernet autoselect (1000baseT <full-duplex>)
 status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
 options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
 inet 127.0.0.1 netmask 0xff000000
 inet 127.0.0.2 netmask 0xffffffff
 nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
Shelled in to a remote machine, I'm trying nslookup() queries

```
> server
Default server: 100.0.193.99
Address: 100.0.193.99#53
> fkeinternet.net
;; connection timed out; no servers could be reached
```
On my server, I'm seeing firewall block reports in the log

```
# grep 216.154.215 /var/log/*
/var/log/security:Mar 10 01:13:12 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:35683 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:13:17 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:35683 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:13:22 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:35683 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:16:51 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:37504 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:16:56 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:37504 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:17:01 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:37504 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:18:39 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:36527 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:18:44 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:36527 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:18:49 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:36527 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:28:58 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:49956 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:03 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:49956 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:08 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:49956 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:32 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:56370 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:37 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:56370 192.168.14.199:53 in via re0
/var/log/security:Mar 10 01:29:42 Dreamer kernel: ipfw: 56599 Deny UDP 216.154.215.239:56370 192.168.14.199:53 in via re0
```
I've tried the ipfw() 550 rule with and without the *setup* and *keep-state* flags, no combination works.

Why is the ipfw() 550 rule not allowing the inbound DNS traffic so that the catch-all 56599 rule takes effect?


----------



## xavi (Mar 10, 2016)

The problem might be that your outgoing UDP rule (00111) doesn't exactly mirror your incoming rule (00550). The keep-state rule option in the IPFW(8)() man page has the following explanation:

_Upon a match, the firewall will create a dynamic rule, whose default behaviour is to match bidirectional traffic between source and destination IP/port using the same protocol._

I'm wondering whether IPFW is treating the following two rules as having two separate protocols because the first one explicitly allows 'udp' while the second only implicitly allows udp via 'ip':

00111 allow *udp* from me to any dst-port 53 out via re0 keep-state
00550 allow *ip* from any to me dst-port 53 in via re0 setup keep-state

As a test can you add the two following rules and see if they let you query the DNS server?

00108 allow udp from any to any 53 in
00109 allow udp from any to any 53 out


----------

