From: "Dustin Puryear"
To: "Forrest W. Christian"
Subject: RE: Public DNS server and FreeBSD firewall
Date: Mon, 17 Dec 2001 15:04:31 -0600

gatekeeper# cat /etc/rc.conf|grep nat
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"

gatekeeper# cat /etc/rc.conf | grep ifconfig
ifconfig_nge0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_rl0="inet aa.aa.aa.aa netmask 255.255.255.192 media 10baseT/UTP"
ifconfig_rl0_alias0="inet xx.xx.xx.xx netmask 255.255.255.192"
ifconfig_rl0_alias1="inet yy.yy.yy.yy netmask 255.255.255.192"
ifconfig_rl0_alias2="inet zz.zz.zz.zz netmask 255.255.255.192"

gatekeeper# cat /etc/natd.conf
redirect_address 10.0.0.20 xx.xx.xx.xx
redirect_address 10.0.0.21 yy.yy.yy.yy
redirect_address 10.0.0.5 zz.zz.zz.zz

Regards, Dustin

---
Dustin Puryear
Information Systems Consultant
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams

> -----Original Message-----
> From: owner-freebsd-isp@FreeBSD.ORG
> [mailto:owner-freebsd-isp@FreeBSD.ORG]On Behalf Of Forrest W. Christian
> Sent: Sunday, December 16, 2001 1:43 AM
> To: Dustin Puryear
> Cc: freebsd-isp@FreeBSD.ORG
> Subject: Re: Public DNS server and FreeBSD firewall
>
> What is your nat configured as?
>
> The problem is probably in your natd.conf file.
>
> On Sun, 16 Dec 2001, Dustin Puryear wrote:
>
> > Date: Sun, 16 Dec 2001 01:13:14 -0600
> > From: Dustin Puryear
> > To: freebsd-isp@FreeBSD.ORG
> > Subject: Public DNS server and FreeBSD firewall
> >
> > I am setting up a public DNS server and having a bit of a problem figuring
> > out why it cannot query outside of our network. I am using FreeBSD
> > 4.4-RELEASE on both the DNS server and firewall. Basically, when I try to
> > resolve a host outside of my network the local named times out:
> >
> > Server:  XXXXX.com
> > Address:  10.0.0.5
> >
> > *** XXXXXX.com can't find www.cdrom.com: Non-existent host/domain
> > > www.google.com
> > Server:  XXXXX.com
> > Address:  10.0.0.5
> >
> > *** XXXX.com can't find www.google.com: Non-existent host/domain
> >
> > I can't figure out why, and darn if I am not getting any denied packet log
> > entries in /var/log/security on the firewall. I am using static NAT, with my
> > DNS server having the internal address 10.0.0.5, but an external address of
> > aa.bb.cc.dd. The ipfw entries that appear relevant are:
> >
> > # internal DNS..
> > 03000 allow udp from ww.xx.yy.zz to any 53 keep-state
> > 03100 allow tcp from ww.xx.yy.zz to any 53 keep-state
> > # this is the public DNS server..
> > 03200 allow udp from aa.bb.cc.dd to any 53 keep-state
> > 03300 allow tcp from aa.bb.cc.dd to any 53 keep-state
> >
> > This should allow my name servers to access any outside name servers right?
> > I even get dynamic rules that indicate some type of connection is being
> > attempted:
> >
> > 03200 0 0 (T 29, # 91) ty 0 udp, aa.bb.cc.dd 1196 <-> 66.135.0.10 53
> >
> > Despite this entry the local named still times out. The weird thing is that
> > the named running on the firewall, ww.xx.yy.zz (internal 10.0.0.1), works.
> > But the named running on aa.bb.cc.dd (10.0.0.5) doesn't.
> >
> > Note, the entire ruleset follows if you need more information:
> >
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 allow ip from any to any via nge0
> > 00500 deny ip from 10.0.0.0/24 to any in recv rl0
> > 00600 deny ip from public-network-XXX/26 to any in recv nge0
> > 00700 deny ip from any to 10.0.0.0/8 via rl0
> > 00800 deny ip from any to 172.16.0.0/12 via rl0
> > 00900 deny ip from any to 192.168.0.0/16 via rl0
> > 01000 deny ip from any to 0.0.0.0/8 via rl0
> > 01100 deny ip from any to 169.254.0.0/16 via rl0
> > 01200 deny ip from any to 192.0.2.0/24 via rl0
> > 01300 deny ip from any to 224.0.0.0/4 via rl0
> > 01400 deny ip from any to 240.0.0.0/4 via rl0
> > 01500 divert 8668 ip from any to any via rl0
> > 01600 deny ip from 10.0.0.0/8 to any via rl0
> > 01700 deny ip from 172.16.0.0/12 to any via rl0
> > 01800 deny ip from 192.168.0.0/16 to any via rl0
> > 01900 deny ip from 0.0.0.0/8 to any via rl0
> > 02000 deny ip from 169.254.0.0/16 to any via rl0
> > 02100 deny ip from 192.0.2.0/24 to any via rl0
> > 02200 deny ip from 224.0.0.0/4 to any via rl0
> > 02300 deny ip from 240.0.0.0/4 to any via rl0
> > 02400 allow tcp from any to any established
> > 02500 allow ip from any to any frag
> > 02800 allow tcp from any to any 22 keep-state
> > 02900 allow icmp from any to any keep-state
> > 03000 deny log logamount 10 tcp from any to any in recv rl0 setup
> > 03100 allow tcp from any to any setup
> > 03200 allow udp from ww.xx.yy.zz to any 53 keep-state
> > 03300 allow tcp from ww.xx.yy.zz to any 53 keep-state
> > 03400 allow udp from aa.bb.cc.dd to any 53 keep-state
> > 03500 allow tcp from aa.bb.cc.dd to any 53 keep-state
> > 65535 deny ip from any to any
> >
> > Regards, Dustin
> >
> > ---
> > Dustin Puryear
> > Information Systems Consultant
> > http://members.telocity.com/~dpuryear
> > In the beginning the Universe was created.
> > This has been widely regarded as a bad move. - Douglas Adams
> >
> > > -----Original Message-----
> > > From: Gabriel Ambuehl [mailto:gabriel_ambuehl@buz.ch]
> > > Sent: Tuesday, December 11, 2001 12:15 PM
> > > To: Dustin Puryear
> > > Cc: isp@freebsd.org
> > > Subject: Re[10]: Using DNAT and DNS round-robin
> > >
> > > Hello Dustin,
> > >
> > > Tuesday, December 11, 2001, 6:29:35 PM, you wrote:
> > > > Yes, that is what I eventually found out. Apparently, unless you
> > > > have some type of special gear, you cannot do IP-based virtual
> > > > hosting in a load-sharing or -balancing environment. Now, doing HA
> > > > might not be too much work depending on what your requirements for
> > > > switch over time are.
> > >
> > > <10s is doable with standard gear. <1s is quite a bit harder but
> > > perhaps still doable.
> > >
> > > >> That's nice. I wished I were in the same situation...
> > > > Yes, it is nice. I have yet to do work for a company providing web
> > > > hosting to consumers, but I can see how it would have some real
> > > > challenges. But it
> > >
> > > It certainly has.
> > >
> > > > synchronization issue. NAS being one. A second is using a few
> > > > "shell" servers that automatically get replicated to your web
> > > > servers seems to be another.
> > >
> > > I've been thinking about that approach too, but it doesn't buy you
> > > much since there are still those morons that use the FS as DB...
> > >
> > > >> Squid should do the job too, more flexibly, but probably slower.
> > > > I played with Squid and it works nicely. Indeed, I liked the fact
> > > > that with Squid I can make my web cluster disappear from outsiders
> > > > and use Squid as a reverse proxy. However, since we dropped the
> > > > requirement for IP-based virtual hosting the point is moot. We will
> > > > be using just a standard configuration where we will DNS
> > > > round-robin between web servers.
> > >
> > > That's the easiest approach, of course. OTOH, I haven't got a very
> > > high opinion of DNS round robin since it essentially still lets the
> > > remote client fuck it up...
> > >
> > > Best regards,
> > > Gabriel
>
> - Forrest W. Christian (forrestc@imach.com) AC7DE
> ----------------------------------------------------------------------
> The Innovation Machine Ltd.                           P.O. Box 5749
> http://www.imach.com/                                 Helena, MT 59604
> Home of PacketFlux Technologies and BackupDNS.com     (406)-442-6648
> ----------------------------------------------------------------------
> Protect your personal freedoms - visit http://www.lp.org/
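One way to check the quoted ruleset against the symptom (a dynamic rule keyed on aa.bb.cc.dd exists, the reply never reaches named, nothing is logged) is to walk the packet path in a small model. This is an added example, not code from the thread; the stand-in addresses, the assumption that natd leaves the firewall's own address untouched, and the assumption that the state check runs at the first keep-state rule on whatever addresses the packet carries after the divert are all marked in the comments.

```python
# Added model of the ipfw + natd packet path for the DNS query in this thread
# (not code from the thread). Constructed stand-ins: aa.bb.cc.dd -> 203.0.113.5,
# ww.xx.yy.zz -> 203.0.113.1; 66.135.0.10 is the resolver in the quoted dynamic rule.
# Assumed: rule 01500 (divert) runs before the keep-state rules, and dynamic rules
# are matched on the addresses a packet carries when the state check happens.
from dataclasses import dataclass, replace

PUBLIC_DNS, INTERNAL_DNS = "203.0.113.5", "10.0.0.5"  # redirect_address pair
FIREWALL_DNS = "203.0.113.1"                           # firewall's own named
UPSTREAM = "66.135.0.10"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool

def natd(pkt: Packet) -> Packet:
    """Static NAT as in natd.conf; the firewall's own address is assumed untouched."""
    if not pkt.inbound and pkt.src == INTERNAL_DNS:
        return replace(pkt, src=PUBLIC_DNS)
    if pkt.inbound and pkt.dst == PUBLIC_DNS:
        return replace(pkt, dst=INTERNAL_DNS)
    return pkt

def flow_key(pkt: Packet) -> frozenset:
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

def firewall(pkt: Packet, dynamic: set) -> str:
    """Only the rules that decide this flow, in the order the post lists them."""
    pkt = natd(pkt)               # 01500 divert 8668 ip from any to any via rl0
    if flow_key(pkt) in dynamic:  # first keep-state rule (02800) runs the state check
        return "allow (dynamic rule)"
    if pkt.proto == "udp" and pkt.dport == 53 and pkt.src in (FIREWALL_DNS, PUBLIC_DNS):
        dynamic.add(flow_key(pkt))  # 03200/03400 allow udp from ... to any 53 keep-state
        return "allow (keep-state, state created)"
    return "deny (65535, not logged)"  # consistent with an empty /var/log/security

def trace(resolver_src: str) -> tuple:
    """Verdicts for one outbound query from resolver_src and the upstream's reply."""
    dynamic: set = set()
    query = Packet("udp", resolver_src, 1196, UPSTREAM, 53, inbound=False)
    reply = Packet("udp", UPSTREAM, 53, natd(query).src, 1196, inbound=True)
    return firewall(query, dynamic), firewall(reply, dynamic)
```

Under these assumptions the query from 10.0.0.5 creates state on the public address, but the reply is rewritten back to 10.0.0.5 before the state check and no longer matches, while the firewall's own named, which natd does not rewrite, matches its state both ways.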