From owner-freebsd-questions Sun Sep 17 18:43:55 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from [208.200.134.24] (chicago.reveregroup.com [208.200.134.24]) by hub.freebsd.org (Postfix) with SMTP id 08E4B37B422 for ; Sun, 17 Sep 2000 18:43:51 -0700 (PDT)
Received: from MAIN by [208.200.134.24] via smtpd (for hub.FreeBSD.org [216.136.204.18]) with SMTP; 18 Sep 2000 01:43:51 UT
Received: by main.reveregroup.com(Lotus SMTP MTA v4.6.6 (890.1 7-16-1999)) id 8625695E.00095664 ; Sun, 17 Sep 2000 20:41:59 -0500
X-Lotus-FromDomain: REVERE
From: mgruver@reveregroup.com
To: freebsd-questions@freebsd.org
Cc: jan@smartsoft.cc
Message-ID: <8625695E.00095491.00@main.reveregroup.com>
Date: Sun, 17 Sep 2000 21:40:15 -0400
Subject: Re: I think I have a DNS caching problem...
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Jan,

Thank you so much for your response. Actually I have Greg Lehey's excellent book (I bought the whole BSDi Powerpak). And believe me, it gets better by the day (the more I understand its wisdom).

In fact, I attempted the road you suggested first (before I went the tinyproxy route), however when I rebooted after recompiling the Kernel and adding the rc.conf natd and firewall variables, all IP communication to and from the server ceased. I could not ping it, and I could not ping out by DNS name or IP. The old "unknown host" deal.

Now, one thing I did not try was the custom firewall_type=/etc/ipfw.conf you suggested. I had already tried direct rules in the rc.conf and passing the "open" parm to the firewall_type. No joy.

I agree with your first statement though. The more I work with this thing the less and less it appears to be a DNS thing. And you are right, I do want to use my ISP's DNS server and not my own (I think).

I think I may give the ipfw.conf thing a try.

BTW, I am feeling pretty Kneppie!

Mike

------------------------------------------------------

jan@smartsoft.cc wrote:

What you have does not sound to me like a DNS caching problem. Starting 'named' does not make much sense if you are not doing your own DNS as far as I can tell.

What you need to do is set up NAT (Network Address Translation). In case you have the book "The Complete FreeBSD" by Greg Lehey, I suggest you go to page 506 and further. In case you don't... Buy it! It's worth it!

But I will give you in short what to do:

1. Configure kernel with:

   options IPFIREWALL
   options IPDIVERT

2. Make sure your system is running as gateway: /etc/rc.conf

   defaultrouter="a.b.c.d" # IP of Cable modem?!
   gateway_enable="YES"

3. Make sure your interface(s) are running.

   ifconfig -a ???

4. Make sure you have the following entry in /etc/services:

   natd 8668/divert # Network Address Translation

5. Make sure your firewall is setup as in /etc/rc.conf

   firewall_enable="YES"
   firewall_type=/etc/ipfw.conf

6. Make /etc/ipfw.conf

   add 100 divert natd all from any to any via
   add 200 pass all from any to any

7. Enable NAT in /etc/rc.conf:

   natd_enable="YES"
   natd_interface="

REBOOT! (with a kernel with IPFIREWALL!)

HTH

Don't worry, be Kneppie!

Jan

----------------------------------------------

mgruver@reveregroup.com wrote:

> I am a FreeBSD Newbie who recently installed Version 4.4 on a small server. I am using it as a dual-homed host?, or gateway?, or NAT/Firewall for a LAN in my home. I installed 4.4 pretty bare-bones on a Pentium 90 with two ethernet cards in it. One was connected to my Road Runner Motorola cable modem and configured for DHCP. The other was connected into the hub and given a 192.168.x.x non-routable.
>
> I edited the /etc/rc.conf with vi to verify the gateway_enabled="YES" and natd_enabled="YES" and natd_interface=dc0 (yes it is a cheap Netgear card but the other one is a 3Com!). I specifically did not enable the firewall keywords or recompile the Kernel with the IPFIREWALL IPDIVERT options. I had a bad experience over the past few weeks with that (which I won't go into).
>
> I edited the /etc/hosts file (which after additional experimentation I don't think I needed to do that) and went back to the /stand/sysinstall and loaded a little goody I found in /usr/local/sbin/tinyproxy -a Host: -a Authorization: and had a working http proxy server for my Windows 9X systems in the house (they all work after setting the proxy setting in IE with the 192.168.x.x IP of the server and the port to 8080).
>
> However, the problem is DNS name queries (I hope I am using the correct term here) fail from inside the LAN. I can ping hosts by name (www.interland.com) from the server, however I can't from the Windows boxes inside.
>
> I started the named daemon (with no options) but that hasn't helped.
>
> BTW, my paltry FreeBSD server/config has already resisted three (3) separate intrusion attempts in less than 24 hours!
>
> Any ideas?...
>
> Thanks,
>
> mgruver@reveregroup.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

--
Jan Knepper
Smartsoft, LLC
88 Petersburg Road
Petersburg, NJ 08270
U.S.A.
http://www.smartsoft.cc/
http://www.mp3.com/pianoprincess
Phone : 609-628-4260
FAX : 609-628-1267
FAX : 303-845-6415 http://www.fax4free.com/
Phone : 020-873-3837 http://www.xoip.nl/ (Dutch)
FAX : 020-873-3837 http://www.xoip.nl/ (Dutch)

In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
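The NAT recipe in Jan's reply arrives in the archive with two values blanked out (the interface after `via` in the divert rule, and `natd_interface` in rc.conf), and Mike reports that his own attempt left the box unreachable after the reboot. The script below is an added example and is not code from the thread or from FreeBSD; it is the kind of pre-reboot sanity check a practitioner would run over the two files before committing. It assumes ipfw's first-match rule processing and the rc.conf variable names used in the reply; the file paths are passed as arguments and the sample file contents are constructed here, so it runs against a scratch directory rather than the live /etc. It also points out, without failing, that the reply's `pass all from any to any` rule does NAT but no filtering at all.

```shell
#!/bin/sh
# Added example (not code from the thread): a pre-reboot sanity check for the
# rc.conf + ipfw.conf NAT recipe described above. File paths are passed in so
# the check can run against constructed sample files instead of the live
# /etc/rc.conf and /etc/ipfw.conf.

# rc_get FILE VAR: print VAR's value from an rc.conf-style file (last
# assignment wins), with surrounding quotes and trailing whitespace removed.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_nat_config RCFILE RULESFILE: print each problem found, return 0 only
# when there are none.
check_nat_config() {
    rc=$1; rules=$2; problems=0

    for v in gateway_enable firewall_enable natd_enable; do
        val=$(rc_get "$rc" "$v")
        if [ "$val" != "YES" ]; then
            echo "$v is '$val', expected YES"
            problems=$((problems + 1))
        fi
    done

    if [ -z "$(rc_get "$rc" natd_interface)" ]; then
        echo "natd_interface is empty: natd has no outside interface to translate on"
        problems=$((problems + 1))
    fi

    if [ -z "$(rc_get "$rc" firewall_type)" ]; then
        echo "firewall_type is unset: no rules file will be loaded"
        problems=$((problems + 1))
    fi

    # ipfw is first-match: the divert rule must name an interface after 'via'
    # and must come before any pass rule, or packets are passed untranslated.
    divert_no=$(grep -n 'divert[[:space:]]\{1,\}natd' "$rules" | head -n 1 | cut -d: -f1)
    pass_no=$(grep -n '[[:space:]]pass[[:space:]]' "$rules" | head -n 1 | cut -d: -f1)
    if [ -z "$divert_no" ]; then
        echo "no 'divert natd' rule in $rules"
        problems=$((problems + 1))
    elif ! sed -n "${divert_no}p" "$rules" | grep -q 'via[[:space:]]\{1,\}[[:alnum:]]'; then
        echo "divert rule has no interface after 'via'"
        problems=$((problems + 1))
    fi
    if [ -n "$divert_no" ] && [ -n "$pass_no" ] && [ "$pass_no" -lt "$divert_no" ]; then
        echo "pass rule (line $pass_no) precedes divert rule (line $divert_no)"
        problems=$((problems + 1))
    fi
    if grep -q 'pass[[:space:]]\{1,\}all[[:space:]]\{1,\}from[[:space:]]\{1,\}any[[:space:]]\{1,\}to[[:space:]]\{1,\}any' "$rules"; then
        echo "note: ruleset passes everything; NAT works but nothing is filtered"
    fi

    [ "$problems" -eq 0 ]
}

# write_samples DIR: constructed samples, one complete configuration and one
# with the blanks left in the archived reply (empty natd_interface, divert
# rule with no interface after 'via'). Interface name dc0 is the one Mike used.
write_samples() {
    dir=$1
    cat >"$dir/good.rc" <<'EOF'
defaultrouter="192.0.2.1"   # constructed placeholder address
gateway_enable="YES"
firewall_enable="YES"
firewall_type=/etc/ipfw.conf
natd_enable="YES"
natd_interface="dc0"
EOF
    cat >"$dir/good.ipfw" <<'EOF'
add 100 divert natd all from any to any via dc0
add 200 pass all from any to any
EOF
    cat >"$dir/bad.rc" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type=/etc/ipfw.conf
natd_enable="YES"
natd_interface=""
EOF
    cat >"$dir/bad.ipfw" <<'EOF'
add 100 divert natd all from any to any via
add 200 pass all from any to any
EOF
}

# Usage: sh nat_check.sh demo   (against the live system: check_nat_config /etc/rc.conf /etc/ipfw.conf)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    echo "== good =="; check_nat_config "$d/good.rc" "$d/good.ipfw"
    echo "== bad ==";  check_nat_config "$d/bad.rc" "$d/bad.ipfw"
    rm -r "$d"
fi
```

Running it with `demo` prints nothing but the open-ruleset note for the complete configuration and two problems for the second one: the empty `natd_interface` and the divert rule with nothing after `via`. The ordering check matters because ipfw stops at the first matching rule; a `pass` that sorts before the `divert natd` rule lets packets out with their private 192.168.x.x source addresses intact, which is one way a LAN ends up with working routing and no working replies.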