From owner-freebsd-ipfw Mon May 22 12:17:52 2000
From: "Ron Smith" <ronnetron@hotmail.com>
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Non-existent domain
Date: Mon, 22 May 2000 12:17:33 PDT

Hi all,

O.K. gang, I need your help on this one. I have a particular problem that I can't seem to solve on my own. Here's what's happening:

I've configured a dual-homed DSL gateway with NAT and IPFILTER. Everything works fine for those on the LAN when browsing HTTP. DNS is also running on this machine as primary, and I have a name server at the ISP as secondary. However, the problem is that when looking for the domain name "crcfx.com" out on the web, it's not seen. An error message comes up saying: "A network error occurred: Unable to connect to server. The server may be down or unreachable."

Also, I don't get a proper response, from outside our LAN, when doing an 'nslookup stargate.crcfx.com', which has the primary DNS running locally. This is preventing us from putting other services on-line, such as 'HTTP' and 'SMTP'. I've talked to several sources (including my ISP), to no avail. There's lots of confusion all around. I have a suspicion my problem may stem from the way my zones are set up, or the firewall rules, but I'm not sure.
Anyway, here are the details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ping 127.0.0.1 (loopback)
ping 192.x.x.1 (inside interface)
ping 63.x.x.218 (outside interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All show 0% packet loss.

~~~~~~~~~~~~~~~
'rc.conf' says:
~~~~~~~~~~~~~~~
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #
ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0"
ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
hostname="stargate.crcfx.com"
linux_enable="YES"
moused_enable="YES"
gateway_enable="YES"
defaultrouter="63.x.x.217"

# -- The following deltas were generated by Ron Smith on Apr. 17, 2000
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
inetd_enable="NO"
sendmail_enable="NO"
dumpdev="/dev/wd0s1b"
natd_enable="YES"
natd_interface="pn0"
named_enable="YES"

~~~~~~~~~~~~~~~~~~~
'rc.firewall' says:
~~~~~~~~~~~~~~~~~~~
# set these to your outside interface network and netmask and ip
oif="pn0"
onet="63.x.x.216"
omask="255.255.255.248"
oip="63.x.x.218"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.x.x.0"
imask="255.255.255.0"
iip="192.x.x.1"

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
#$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow ICMP inside only
#$fwcmd add deny icmp from any to any via ${oif}
#$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
#$fwcmd add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
$fwcmd add pass udp from ${inet}:${imask} to any 53

# Allow stuff to 192 net in from the outside, since we're
# checking after NAT does the conversion
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}

# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123

# Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
	$fwcmd ${firewall_type}
fi

~~~~~~~~~~~~~~~~~~~~~~~
'whois crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~
Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: CRCFX.COM
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: www.register.com
   Name Server: NS1.PBI.NET
   Name Server: STARGATE.CRCFX.COM
   Updated Date: 28-apr-200

>>> Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Access to register.com's WHOIS information is for informational purposes only. Register.com makes this information available "as is," and does not guarantee its accuracy.
The compilation, repackaging, dissemination or other use of register.com's WHOIS information in its entirety, or a substantial portion thereof, is expressly prohibited without the prior written consent of register.com. By accessing and using our WHOIS information, you agree to these terms.

Organization:
   Cinema Research Corp
   6860 Lexington Ave
   Hollywood, CA 90038
   US

Registrar..: Register.com (http://www.register.com)

Domain Name: CRCFX.COM

Created on..............: Fri, Mar 24, 2000
Expires on..............: Sat, Mar 24, 2001
Record last updated on..: Fri, Apr 28, 2000

Administrative Contact:
   Smith, Ron
   ronnetron@hotmail.com
   323-460-4111

Technical Contact, Zone Contact:
   Internic, Registrar
   internic-free@register.com
   212-594-988

Domain servers in listed order:

   STARGATE.CRCFX.COM   63.x.x.218
   NS1.PBI.NET          206.13.28.11

Register your domain name at http://www.register.com

~~~~~~~~~~~~~~~~~
ifconfig -a says:
~~~~~~~~~~~~~~~~~
fxp0: flags=8843 mtu 1500
        inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255
pn0: flags=8843 mtu 1500
        inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'netstat -na crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
icmp       0      0  *.*                    *.*
tcp        0      0  *.111                  *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
tcp        0      0  63.x.x.218.53          *.*                    LISTEN
tcp        0      0  192.x.x.1.53           *.*                    LISTEN
udp        0      0  *.111                  *.*
udp        0      0  *.1024                 *.*
udp        0      0  127.0.0.1.53           *.*
udp        0      0  63.x.x.218.53          *.*
udp        0      0  192.x.x.1.53           *.*
udp        0      0  *.514                  *.*

~~~~~~~~~~~~~~~~~~~~~
'db.crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~
; Definition of zone crcfx.com
crcfx.com.	IN	SOA	stargate.crcfx.com. root.crcfx.com. (
			2000042901	; Serial (date, two digits version of day)
			86400		; refresh (1 day)
			7200		; retry (2 hours)
			8640000		; expire (100 days)
			86400 )		; minimum (1 day)

; name servers
		IN	NS	stargate.crcfx.com.
		IN	NS	ns1.pbi.net.
		IN	NS	ns2.pbi.net.

stargate	IN	A	63.x.x.218
ns1.pbi.net.	IN	A	206.13.28.11
ns2.pbi.net.	IN	A	206.13.29.11

~~~~~~~~~~~~~~~~~~~~~
'crcfx-reverse' says:
~~~~~~~~~~~~~~~~~~~~~
@	IN	SOA	stargate.crcfx.com. root.crcfx.com. (
			2000042901	; Serial (date, 2 digits version of day)
			86400		; refresh (1 day)
			7200		; retry (2 hours)
			8640000		; expire (100 days)
			86400 )		; minimum (1 day)

	IN	NS	stargate.crcfx.com.
	IN	NS	ns1.pbi.net.
	IN	NS	ns2.pbi.net.

218.x.x.63.in-addr.arpa		IN	PTR	stargate.crcfx.com.
11.28.13.206.in-addr.arpa	IN	PTR	ns1.pbi.net.
11.29.13.206.in-addr.arpa	IN	PTR	ns2.pbi.net.

~~~~~~~~~~~~~~~~~~~~~
'localhost.rev' says:
~~~~~~~~~~~~~~~~~~~~~
; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

@	IN	SOA	stargate.crcfx.com. root.stargate.crcfx.com. (
			2000042901	; Serial
			86400		; Refresh (1 day)
			7200		; Retry (2 hours)
			8640000		; Expire (100 days)
			86400 )		; Minimum
	IN	NS	stargate.crcfx.com.
1	IN	PTR	localhost.crcfx.com.

~~~~~~~~~~~~~~~~~~~
'resolv.conf' says:
~~~~~~~~~~~~~~~~~~~
domain crcfx.com
nameserver 127.0.0.1
nameserver 192.x.x.1
nameserver 63.x.x.218
nameserver 206.13.28.11
nameserver 206.13.29.11

~~~~~~~~~~~~~~~~~~
'named.conf' says:
~~~~~~~~~~~~~~~~~~
options {
	directory "/etc/namedb";
	forwarders {
		206.13.28.11;
	};
};

zone "." {
	type hint;
	file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
	type master;
	file "localhost.rev";
};

zone "crcfx.com" {
	type master;
	file "db.crcfx.com";
};

zone "0.x.192.IN-ADDR.ARPA" {
	type master;
	file "crcfx-reverse";
};
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry, this is a lot to swallow, but they are all the pertinent files in regards to the problem.
I would appreciate any feedback on how to get our local name server to do proper zone transfers to our upstream ISP, and to get a proper 'nslookup stargate.crcfx.com' from outside our LAN ...same thing.

TIA
Ron
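As an added example (not part of Ron's post, nor FreeBSD's own rc.firewall), here is a small first-match simulation of the TCP/UDP rules posted above that reports the verdict for each direction of a DNS exchange across the outside interface. It assumes symbolic addresses (oip, inet, and ext for an outside peer) in place of the anonymised IPs, and it leaves out the anti-spoof and RFC1918 rules because none of them can match an outside peer.

```python
# Added example (not from Ron's post): a first-match walk over the TCP/UDP
# rules in the posted rc.firewall to see which DNS exchanges they pass.
# Addresses are symbolic tokens ("oip", "inet", outside peer "ext"); the
# anti-spoof and RFC1918 rules are left out since none matches an outside peer.

def rule(action, proto, src=None, sport=None, dst=None, dport=None,
         direction=None, via=None, tcp=None):
    """A rule field left at None is a wildcard ('any')."""
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                dport=dport, direction=direction, via=via, tcp=tcp)

def packet(proto, src, sport, dst, dport, direction, via, tcp=None):
    """tcp is 'setup' (SYN only) or 'established' (ACK/RST set), as in ipfw."""
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                direction=direction, via=via, tcp=tcp)

# Same order as in the post; ipfw treats "allow" as a synonym of "pass".
RULES = [
    rule("pass", "tcp", tcp="established"),
    rule("pass", "tcp", dst="oip", dport=53, tcp="setup"),
    rule("deny", "tcp", direction="in", via="pn0", tcp="setup"),
    rule("pass", "tcp", tcp="setup"),
    rule("pass", "udp", sport=53, dst="oip"),
    rule("pass", "udp", src="oip", dport=53),
    rule("pass", "udp", src="inet", dport=53),
    rule("pass", "udp", sport=53, dst="inet", via="pn0"),
    rule("pass", "udp", sport=53, dst="inet", via="fxp0"),
    rule("pass", "udp", sport=123, dst="oip"),
    rule("pass", "udp", src="oip", dport=123),
]

def matches(r, p):
    return all(v is None or v == p[k] for k, v in r.items() if k != "action")

def verdict(p, rules=RULES):
    """First matching rule wins; everything else is denied, as the post says."""
    return next((r["action"] for r in rules if matches(r, p)), "deny")

def udp_exchange(client_port):
    """Verdicts for a UDP query from an outside host to oip:53 arriving on
    pn0, and for the server's reply leaving on pn0."""
    query = packet("udp", "ext", client_port, "oip", 53, "in", "pn0")
    reply = packet("udp", "oip", 53, "ext", client_port, "out", "pn0")
    return verdict(query), verdict(reply)

def tcp_zone_transfer_setup():
    """Verdict for the SYN of a TCP/53 connection from the secondary."""
    return verdict(packet("tcp", "ext", 40000, "oip", 53, "in", "pn0", "setup"))
```

Calling udp_exchange() once with 53 and once with an ephemeral port compares how the posted rules treat a resolver that queries from port 53 with one that queries from a random port, in both directions.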