Date:      Wed, 17 Jan 2001 00:47:32 -0800 (PST)
From:      Gordon Tetlow <gordont@bluemtn.net>
To:        Trevin Chow <tmchow@sfu.ca>
Cc:        FreeBSD Stable <freebsd-stable@FreeBSD.ORG>
Subject:   Re: Can't Telnet but can SSH?
Message-ID:  <Pine.BSF.4.31.0101170041540.13539-100000@sdmail0.sd.bmarts.com>
In-Reply-To: <Pine.GSO.4.30.0101162047370.15128-100000@fraser.sfu.ca>

On Tue, 16 Jan 2001, Trevin Chow wrote:

> I think I'm having some problems with my firewall rules
> regarding telnet and it may have to do with my NS setup.
>
> 1) Whenever I try to telnet to 2 external hosts (my university and another
> host), I connect, and right before it displays the "login:" prompt,
> it says "Connection closed by foreign host".
>
> However, I can SSH to these same hosts.
>
> 2) I'm acting as my own NS for my domain.
>
> On my freebsd box, if I do an `nslookup` and `set type=SOA`, and
> enter my domain, everything is okay and it reports everything as expected.
>
> However, on an external system, if I do the same thing, it says:
> "can't find mydomain.com: Non-existent host/domain".
>
> It should also be noted that if I do a regular `nslookup` WITHOUT `set
> type=SOA`, then it resolves to my correct IP on both internal and
> external boxes.
>
> Is there some type of firewall traffic that maybe I'm denying?
> I'm using a default deny based firewalling system and the only rule I have
> to allow DNS traffic in /etc/rc.firewall is:
>
> add pass udp from any to ${oip} 53
>
> Maybe I'm missing something?

The most obvious answer would be that the hosts don't allow telnet from
external networks (at least, I wouldn't).

You need to add some other rules for dns, here's mine:

allow tcp from any to ${oip} 53 setup
allow udp from any to ${oip} 53
allow udp from ${oip} 53 to any

Remember that DNS _can_ be tcp. Also, you need to allow both directions
for udp DNS otherwise it most definitely will not work. See below...

Also make sure your named.conf has the following line enabled:

options {
        query-source address * port 53;
};

At least, that's what I did. I hope it helps. YMMV.

-gordon
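The following Python is an added illustration, not part of the original exchange. It models a default-deny, first-match stateless filter in ipfw's style, feeds it the single rule from the question and the three rules from the reply, and traces the packets of a DNS exchange through each. Addresses are constructed for the example (${oip} is taken as 192.0.2.10, the external client and upstream server are documentation addresses); the `syn_only` flag stands in for ipfw's `setup` match on a TCP SYN. It shows why the inbound-only rule lets queries in but drops the server's own UDP replies and all TCP queries, and why `query-source address * port 53` matters with these rules: named's outbound queries and their replies only match `allow udp from ${oip} 53 to any` / `allow udp from any to ${oip} 53` if named sends from port 53.

```python
"""Trace DNS packets through ipfw-style stateless rule sets (added example)."""
from dataclasses import dataclass

OIP = "192.0.2.10"        # assumed value of ${oip}, the firewall's outside address
CLIENT = "198.51.100.7"   # constructed: an external host querying our zone
UPSTREAM = "203.0.113.1"  # constructed: a name server that named itself queries


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False   # TCP SYN without ACK: what ipfw's "setup" matches


def parse_rule(text: str) -> dict:
    """Parse 'allow|pass proto from src [port] to dst [port] [setup]'."""
    tok = text.split()
    if tok[0] not in ("allow", "pass", "accept", "permit"):
        raise ValueError("only allow/pass rules are modelled: " + text)
    if tok[2] != "from":
        raise ValueError("malformed rule: " + text)
    i, sport, dport = 4, None, None
    src = tok[3]
    if tok[i] != "to":            # optional source port
        sport, i = int(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError("malformed rule: " + text)
    dst, i = tok[i + 1], i + 2
    if i < len(tok) and tok[i] != "setup":   # optional destination port
        dport, i = int(tok[i]), i + 1
    setup = i < len(tok) and tok[i] == "setup"
    return {"proto": tok[1], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "setup": setup}


def matches(rule: dict, pkt: Packet) -> bool:
    """Stateless match: every field in the rule must agree with the packet."""
    if rule["proto"] not in ("ip", "all", pkt.proto):
        return False
    if rule["src"] not in ("any", pkt.src) or rule["dst"] not in ("any", pkt.dst):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.sport:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule["setup"] and not (pkt.proto == "tcp" and pkt.syn_only):
        return False
    return True


def filter_decision(rules: list, pkt: Packet) -> str:
    """First matching rule wins; nothing matching means the default deny applies."""
    return "allow" if any(matches(r, pkt) for r in rules) else "deny"


# The rule from the question and the three rules from the reply, as posted.
TREVIN_RULES = [parse_rule(f"pass udp from any to {OIP} 53")]
GORDON_RULES = [parse_rule(r) for r in (
    f"allow tcp from any to {OIP} 53 setup",
    f"allow udp from any to {OIP} 53",
    f"allow udp from {OIP} 53 to any",
)]


def trace(rules: list, named_source_port: int) -> dict:
    """Decide each packet of a DNS exchange; named_source_port is the port
    named uses for its own outbound queries (53 with query-source port 53,
    an ephemeral port otherwise)."""
    packets = {
        "inbound udp query": Packet("udp", CLIENT, 40123, OIP, 53),
        "outbound udp reply": Packet("udp", OIP, 53, CLIENT, 40123),
        "inbound tcp query": Packet("tcp", CLIENT, 40124, OIP, 53, syn_only=True),
        "outbound query by named": Packet("udp", OIP, named_source_port, UPSTREAM, 53),
        "reply to named": Packet("udp", UPSTREAM, 53, OIP, named_source_port),
    }
    return {name: filter_decision(rules, p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, rules, port in (("question's rule", TREVIN_RULES, 53),
                               ("reply's rules, query-source port 53", GORDON_RULES, 53),
                               ("reply's rules, ephemeral source port", GORDON_RULES, 51234)):
        print(label)
        for name, verdict in trace(rules, port).items():
            print(f"  {name:24s} {verdict}")
```

Running it shows the single rule allowing only the inbound query and dropping the reply, the TCP SYN and named's own queries, while the reply's three rules pass everything as long as named sources its queries from port 53. A caveat for anyone applying this today: pinning the query source port is what makes a stateless rule set fit, but it also gives up the source-port randomisation that current resolvers use to resist cache poisoning, so on a modern ipfw you would let named pick random ports and match the replies with `keep-state` / `check-state` rules instead.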



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message



