# Why is this block happening?



## chavez243ca (Apr 5, 2013)

IPFW rule set snippet:


```
# allow dns to function
$cmd 00430 permit tcp from $ip to any 53 out via $pif setup keep-state
$cmd 00431 permit udp from $ip to any 53 out via $pif keep-state
$cmd 00432 permit udp from $csgnet to $ip 53 in via $pif $ks
$cmd 00433 permit tcp from $csgnet to $ip 53 in via $pif setup $ks

# deny and log all other inbound traffic
$cmd 60999 deny log all from any to any in via $pif

$cmd 65530 deny log ip from any to any
```

Yet I am seeing this occasionally in /var/log/security:


```
Apr  5 13:23:22 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 10.0.0.41:49945 out via em0
Apr  5 13:23:22 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 10.0.0.40:60427 out via em0
Apr  5 13:23:36 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 10.0.0.41:50655 out via em0
```

This host is a DNS server - and from what I can tell, it is working for the most part. When those denials occur, I also get the following in /var/log/messages:


```
Apr  5 13:45:08 server named[67638]: client 10.0.0.40#61838: error sending response: permission denied
Apr  5 13:45:08 server named[67638]: client 10.0.0.40#59771: error sending response: permission denied
Apr  5 13:45:09 server named[67638]: client 10.0.0.41#50432: error sending response: permission denied
```

I know what rule is doing the denial, but I'm wondering how the packet is getting there without matching the earlier permit rules. This rule set has no skipto rules.


----------



## krzysiekb81 (Jul 14, 2013)

Hi

Does $ip match 10.100.31.12 and is $pif em0? Do 10.0.0.40 and 10.0.0.41 match $csgnet?
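To run the check krzysiekb81 asks for over the denials quoted in the first post, here is an added Python script (not code from either poster) that parses the ipfw deny lines and reports, for each denied outbound DNS reply, which of $ip, $pif or $csgnet it fails to match. The thread never gives the values behind those variables, so the values below, and the last two log lines, are constructed assumptions; the first three log lines are the ones from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The thread never shows the values behind $ip, $pif and $csgnet.
# These are constructed assumptions so the check can run offline.
RULESET_VARS = {
    "ip": "10.100.31.12",     # $ip: the server's own address (assumed)
    "pif": "em0",             # $pif: the outside interface (assumed)
    "csgnet": "10.0.0.0/24",  # $csgnet: the network allowed to query (assumed)
}

# The first three lines are quoted from the post; the last two are constructed
# to show what a $csgnet mismatch and a $pif mismatch look like.
SAMPLE_LOG = """\
Apr  5 13:23:22 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 10.0.0.41:49945 out via em0
Apr  5 13:23:22 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 10.0.0.40:60427 out via em0
Apr  5 13:23:36 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 10.0.0.41:50655 out via em0
Apr  5 13:40:01 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 192.168.7.9:40001 out via em0
Apr  5 13:40:02 server kernel: ipfw: 65530 Deny UDP 10.100.31.12:53 10.0.0.40:40002 out via em1
"""

# Matches the TCP/UDP form of an ipfw log line (address:port pairs); ICMP and
# IPv6 lines are deliberately not handled here.
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


@dataclass
class DenyEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


def parse_ipfw_log(line: str) -> Optional[DenyEvent]:
    """Parse one ipfw kernel log line into its fields; None if it is not one."""
    m = IPFW_LOG_RE.search(line)
    if m is None:
        return None
    return DenyEvent(
        rule=int(m["rule"]), action=m["action"], proto=m["proto"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        direction=m["dir"], iface=m["iface"],
    )


def explain_dns_deny(ev: DenyEvent, v: dict = RULESET_VARS) -> List[str]:
    """Check an outbound port-53 denial against the variables rules 0043x use.

    An outbound DNS reply is never matched directly by rules 00430-00433: 00430
    and 00431 match outbound queries ("to any 53"), 00432 and 00433 match inbound
    traffic. The reply can only be permitted by the dynamic rule that 00432/00433
    install when the client's query arrives. So a logged denial means either the
    query could not have matched 00432/00433 at all (a variable mismatch), or it
    did match and no dynamic state existed any more when the reply went out.
    """
    if not (ev.direction == "out" and ev.sport == 53):
        return ["not an outbound DNS reply; rules 0043x are not the relevant ones"]
    findings = []
    if ev.src != v["ip"]:
        findings.append(f"reply source {ev.src} is not $ip={v['ip']}; "
                        "rules 00432/00433 could not have matched the query")
    if ev.iface != v["pif"]:
        findings.append(f"reply left via {ev.iface}, not $pif={v['pif']}; "
                        "the query/reply are not on the interface the rules name")
    if ipaddress.ip_address(ev.dst) not in ipaddress.ip_network(v["csgnet"]):
        findings.append(f"client {ev.dst} is outside $csgnet={v['csgnet']}; "
                        "the query was never permitted, so no state was created")
    if not findings:
        findings.append("5-tuple matches rules 00432/00433; the reply was denied "
                        "because no dynamic state matched it at send time "
                        "(compare against `ipfw -d list`)")
    return findings


def triage(log_text: str, v: dict = RULESET_VARS) -> List[Tuple[str, List[str]]]:
    """Return (client address, findings) for every ipfw Deny line in the log."""
    out = []
    for line in log_text.splitlines():
        ev = parse_ipfw_log(line)
        if ev is None or ev.action != "Deny":
            continue
        out.append((ev.dst, explain_dns_deny(ev, v)))
    return out


if __name__ == "__main__":
    for client, findings in triage(SAMPLE_LOG):
        print(client)
        for f in findings:
            print("   -", f)
```

With the assumed values, the three quoted lines all come back as "5-tuple matches", which is the situation the original poster describes: the packet is a reply that only the dynamic rule could permit, so the next thing to look at is whether that dynamic rule exists (`ipfw -d list`) at the moment named sends the response. The two constructed lines show the other outcome, where one of the variables simply does not cover the client or interface in the log.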


----------



## chavez243ca (Jul 15, 2013)

Sorry, should have marked as solved - switched to PF and all is well.


----------

