Date: Sun, 16 Dec 2001 00:42:49 -0700 (MST)
From: "Forrest W. Christian" <forrestc@imach.com>
To: Dustin Puryear <dpuryear@usa.net>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Public DNS server and FreeBSD firewall
Message-ID: <Pine.BSF.4.21.0112160042110.4527-100000@workhorse.iMach.com>
In-Reply-To: <PGECILGGNJGDPJKLFEMIKELFCJAA.dpuryear@usa.net>
What is your nat configured as?  The problem is probably in your natd.conf
file.

On Sun, 16 Dec 2001, Dustin Puryear wrote:

> Date: Sun, 16 Dec 2001 01:13:14 -0600
> From: Dustin Puryear <dpuryear@usa.net>
> To: freebsd-isp@FreeBSD.ORG
> Subject: Public DNS server and FreeBSD firewall
>
> I am setting up a public DNS server and having a bit of a problem figuring
> out why it cannot query outside of our network. I am using FreeBSD
> 4.4-RELEASE on both the DNS server and firewall. Basically, when I try to
> resolve a host outside of my network the local named times out:
>
> Server:  XXXXX.com
> Address:  10.0.0.5
>
> *** XXXXXX.com can't find www.cdrom.com: Non-existent host/domain
>
> www.google.com
> Server:  XXXXX.com
> Address:  10.0.0.5
>
> *** XXXX.com can't find www.google.com: Non-existent host/domain
>
>
>
> I can't figure out why, and darn if I am not getting any denied packet log
> entries in /var/log/security on the firewall. I am using static NAT, with my
> DNS server having the internal address 10.0.0.5, but an external address of
> aa.bb.cc.dd. The ipfw entries that appear relevant are:
>
> # internal DNS..
> 03000 allow udp from ww.xx.yy.zz to any 53 keep-state
> 03100 allow tcp from ww.xx.yy.zz to any 53 keep-state
> # this is the public DNS server..
> 03200 allow udp from aa.bb.cc.dd to any 53 keep-state
> 03300 allow tcp from aa.bb.cc.dd to any 53 keep-state
>
> This should allow my name servers to access any outside name servers right?
> I even get dynamic rules that indicate some type of connection is being
> attempted:
>
> 03200 0 0 (T 29, # 91) ty 0 udp, aa.bb.cc.dd 1196 <-> 66.135.0.10 53
>
> Despite this entry the local named still times out. The weird thing is that
> the named running on the firewall, ww.xx.yy.zz (internal 10.0.0.1), works.
> But the named running on aa.bb.cc.dd (10.0.0.5) doesn't.
>
> Note, the entire ruleset follows if you need more information:
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow ip from any to any via nge0
> 00500 deny ip from 10.0.0.0/24 to any in recv rl0
> 00600 deny ip from public-network-XXX/26 to any in recv nge0
> 00700 deny ip from any to 10.0.0.0/8 via rl0
> 00800 deny ip from any to 172.16.0.0/12 via rl0
> 00900 deny ip from any to 192.168.0.0/16 via rl0
> 01000 deny ip from any to 0.0.0.0/8 via rl0
> 01100 deny ip from any to 169.254.0.0/16 via rl0
> 01200 deny ip from any to 192.0.2.0/24 via rl0
> 01300 deny ip from any to 224.0.0.0/4 via rl0
> 01400 deny ip from any to 240.0.0.0/4 via rl0
> 01500 divert 8668 ip from any to any via rl0
> 01600 deny ip from 10.0.0.0/8 to any via rl0
> 01700 deny ip from 172.16.0.0/12 to any via rl0
> 01800 deny ip from 192.168.0.0/16 to any via rl0
> 01900 deny ip from 0.0.0.0/8 to any via rl0
> 02000 deny ip from 169.254.0.0/16 to any via rl0
> 02100 deny ip from 192.0.2.0/24 to any via rl0
> 02200 deny ip from 224.0.0.0/4 to any via rl0
> 02300 deny ip from 240.0.0.0/4 to any via rl0
> 02400 allow tcp from any to any established
> 02500 allow ip from any to any frag
> 02800 allow tcp from any to any 22 keep-state
> 02900 allow icmp from any to any keep-state
> 03000 deny log logamount 10 tcp from any to any in recv rl0 setup
> 03100 allow tcp from any to any setup
> 03200 allow udp from ww.xx.yy.zz to any 53 keep-state
> 03300 allow tcp from ww.xx.yy.zz to any 53 keep-state
> 03400 allow udp from aa.bb.cc.dd to any 53 keep-state
> 03500 allow tcp from aa.bb.cc.dd to any 53 keep-state
> 65535 deny ip from any to any
>
> Regards, Dustin
>
> ---
> Dustin Puryear <dpuryear@usa.net>
> Information Systems Consultant
> http://members.telocity.com/~dpuryear
> In the beginning the Universe was created.
> This has been widely regarded as a bad move.
> - Douglas Adams
>
>
> > -----Original Message-----
> > From: Gabriel Ambuehl [mailto:gabriel_ambuehl@buz.ch]
> > Sent: Tuesday, December 11, 2001 12:15 PM
> > To: Dustin Puryear
> > Cc: isp@freebsd.org
> > Subject: Re[10]: Using DNAT and DNS round-robin
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > Hello Dustin,
> >
> > Tuesday, December 11, 2001, 6:29:35 PM, you wrote:
> > > Yes, that is what I eventually found out. Apparently, unless you
> > > have some type of special gear, you cannot do IP-based virtual
> > > hosting in a
> > > load-sharing or -balancing environment. Now, doing HA might not be
> > > too much work depending on what your requirements for switch over
> > > time are.
> >
> > <10s is doable with standard gear. <1s is quite a bit harder but
> > perhaps still doable.
> >
> > >> That's nice. I wished I were in the same situation...
> > > Yes, it is nice. I have yet to do work for a company providing web
> > > hosting to consumers, but I can see how it would have some real
> > > challenges. But it
> >
> > It certainly has.
> >
> > > synchronization issue. NAS being one. A second is using a few
> > > "shell" servers that automatically get replicated to your web
> > > servers seems to be another.
> >
> > I've been thinking about that approach too, but it doesn't buy you
> > much since there are still that morons that use the FS as DB...
> >
> > >> Squid should do the job too, more flexibly, but probably slower.
> > > I played with Squid and it works nicely. Indeed, I liked the fact
> > > that with Squid I can make my web cluster disappear from outsiders
> > > and use Squid as a reverse proxy. However, since we dropped the
> > > requirement for IP-based virtual hosting the point is moot. We will
> > > be using just a standard configuration where we will DNS
> > > round-robin between web servers.
> >
> > That's the easiest approach, of course. OTOH, I haven't got a very
> > high opinion of DNS round robin since it essentially still lets the
> > remote client fuck it up...
> >
> >
> >
> >
> > Best regards,
> > Gabriel
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5i
> >
> > iQEVAwUBPBY/HcZa2WpymlDxAQFoUQgAuCZrFy8u5EILeyiLBgjtLuRVcLhX8ItT
> > 3LfKOnw2ve513rx4F6gT9nVNrapH4jWYtidrBla4Z8xtH3N6Yem9r53To6xCqYpd
> > GMxv8RZdxuZtXCV92CnDxeKGIZ89nPBPFAsC6sQkDPX3jThf9+t6jI59J9rroqq+
> > rwP63//vR8Pq63//Q7Lc7/TgAE6jJHs0nAXadiq1mUSwFZVF+nUgPYU3BnN9iyud
> > 7CLLxYnArXguGZRx2wfdskPiZ7ZCSl5mC78kUimTDHLXrV2VofyzjIJWBcWyMzNA
> > d9fo9b9OtDKRj3Hnvj5MpDjJySaxDBsyY15NaecYlAVazQIWuRMUyQ==
> > =5dpk
> > -----END PGP SIGNATURE-----
> >
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

- Forrest W. Christian (forrestc@imach.com) AC7DE
----------------------------------------------------------------------
The Innovation Machine Ltd.                          P.O. Box 5749
http://www.imach.com/                                Helena, MT  59604
Home of PacketFlux Technologies and BackupDNS.com    (406)-442-6648
----------------------------------------------------------------------
Protect your personal freedoms - visit http://www.lp.org/
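Added example, not part of the thread: a small Python model of how the ruleset Dustin posted processes a UDP DNS query from the statically NATed server, under two assumptions about FreeBSD 4.x ipfw/natd behaviour. First, natd is assumed to carry a static mapping equivalent to redirect_address 10.0.0.5 aa.bb.cc.dd, rewriting the source on the way out and the destination on the way back in, with ipfw resuming at the rule after the divert once natd reinjects the packet. Second, since the ruleset has no check-state rule, dynamic rules are consulted at the first keep-state rule (02800). Only the rules this traffic can reach (01500, 02800, 03200, 03400, 65535) are modelled; the addresses and the resolver 66.135.0.10 come from the post, the source port 1196 from the quoted dynamic-rule line. Under these assumptions the outbound query creates a dynamic rule keyed on aa.bb.cc.dd, matching the ipfw -d output quoted above, while the reply has already been translated back to 10.0.0.5 by the time the keep-state check runs, matches nothing, and falls through to rule 65535, which carries no log keyword and so writes nothing to /var/log/security. A query from the firewall's own address ww.xx.yy.zz is never translated, so its reply matches its dynamic rule. This is one way the posted symptoms can arise; it is a model of the listed rules, not output from the poster's firewall.

```python
"""Model of how the posted ipfw ruleset handles a DNS query from the
statically NATed server 10.0.0.5 / aa.bb.cc.dd (added example, not from
the thread; natd mapping and ipfw semantics are assumptions)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" or "in" on rl0


# Assumed natd static mapping: redirect_address 10.0.0.5 aa.bb.cc.dd
STATIC_NAT = {"10.0.0.5": "aa.bb.cc.dd"}
REVERSE_NAT = {ext: internal for internal, ext in STATIC_NAT.items()}


def natd(pkt):
    """Static NAT: rewrite the source going out, the destination coming in."""
    if pkt.direction == "out" and pkt.src in STATIC_NAT:
        return replace(pkt, src=STATIC_NAT[pkt.src])
    if pkt.direction == "in" and pkt.dst in REVERSE_NAT:
        return replace(pkt, dst=REVERSE_NAT[pkt.dst])
    return pkt


def dns_from(addr):
    return lambda p: p.proto == "udp" and p.src == addr and p.dport == 53


# (number, action, match predicate, keep-state, log): the subset of the posted
# ruleset that a UDP DNS exchange on rl0 can reach; the other rules never match it.
RULES = [
    (1500, "divert", lambda p: True, False, False),
    (2800, "allow", lambda p: p.proto == "tcp" and p.dport == 22, True, False),
    (3200, "allow", dns_from("ww.xx.yy.zz"), True, False),
    (3400, "allow", dns_from("aa.bb.cc.dd"), True, False),
    (65535, "deny", lambda p: True, False, False),  # default deny, no "log"
]


def key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def dynamic_parent(dyn, p):
    """Dynamic rules are bidirectional; return the parent rule number or None."""
    rev = (p.proto, p.dst, p.dport, p.src, p.sport)
    return dyn.get(key(p), dyn.get(rev))


def walk(pkt, dyn):
    """Return (verdict, rule number, logged) for pkt; dyn maps 5-tuple -> parent rule."""
    checked = False
    for num, action, match, keep, log in RULES:
        if keep and not checked:
            # No check-state rule in the set, so the dynamic table is
            # consulted at the first keep-state rule encountered.
            checked = True
            parent = dynamic_parent(dyn, pkt)
            if parent is not None:
                return "allow", parent, False
        if not match(pkt):
            continue
        if action == "divert":
            pkt = natd(pkt)  # natd reinjects; processing resumes at the next rule
            continue
        if keep:
            dyn[key(pkt)] = num  # state is keyed on the post-NAT addresses
        return action, num, log
    raise AssertionError("rule 65535 always matches")


def dns_exchange(server_ip):
    """Query 66.135.0.10:53 from server_ip, then feed the reply back in on rl0."""
    dyn = {}
    query = Packet("udp", server_ip, 1196, "66.135.0.10", 53, "out")
    outbound = walk(query, dyn)
    # The reply is addressed to whatever source the remote resolver saw.
    seen_src = STATIC_NAT.get(server_ip, server_ip)
    reply = Packet("udp", "66.135.0.10", 53, seen_src, 1196, "in")
    inbound = walk(reply, dyn)
    return outbound, inbound, sorted(dyn)


if __name__ == "__main__":
    for ip in ("ww.xx.yy.zz", "10.0.0.5"):
        out, back, state = dns_exchange(ip)
        print(f"{ip}: query {out}, reply {back}, dynamic rules {state}")
```

Running it prints one line per server: the ww.xx.yy.zz exchange is allowed in both directions by rule 03200's dynamic state, while the 10.0.0.5 exchange is allowed out by 03400 and its reply is dropped by 65535 with logged=False, which is why nothing appears in /var/log/security even though the dynamic rule for aa.bb.cc.dd exists.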