From owner-freebsd-stable Wed Jan 17 0:47:42 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from sdmail0.sd.bmarts.com (sdmail0.sd.bmarts.com [192.215.234.86]) by hub.freebsd.org (Postfix) with SMTP id 1361837B400 for ; Wed, 17 Jan 2001 00:47:25 -0800 (PST)
Received: (qmail 17047 invoked by uid 1078); 17 Jan 2001 08:47:32 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Jan 2001 08:47:32 -0000
Date: Wed, 17 Jan 2001 00:47:32 -0800 (PST)
From: Gordon Tetlow
To: Trevin Chow
Cc: FreeBSD Stable
Subject: Re: Can't Telnet but can SSH?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 16 Jan 2001, Trevin Chow wrote:

> I think I'm having some problems with my firewall rules
> regarding telnet and it may have to do with my NS setup.
>
> 1) Whenever I try to telnet to 2 external hosts (my university and another
> host), I connect, and right before it displays the "login:" prompt,
> it says "Connection closed by foreign host".
>
> However, I can SSH to these same hosts.
>
> 2) I'm acting as my own NS for my domain.
>
> On my freebsd box, if I do an `nslookup` and `set type=SOA`, and
> enter my domain, everything is okay and it reports everything as expected.
>
> However, on an external system, if I do the same thing, it says:
> "can't find mydomain.com: Non-existent host/domain".
>
> It should also be noted that if I do a regular `nslookup` WITHOUT `set
> type=SOA`, then it resolves to my correct IP on both internal and
> external boxes.
>
> Is there some type of firewall traffic that maybe I'm denying?
> I'm using a default deny based firewalling system and the only rule I have
> to allow DNS traffic in /etc/rc.firewall is:
>
>     add pass udp from any to ${oip} 53
>
> Maybe I'm missing something?
The most obvious answer would be that the hosts don't allow telnet from
external networks (at least, I wouldn't).

You need to add some other rules for DNS, here's mine:

    allow tcp from any to ${oip} 53 setup
    allow udp from any to ${oip} 53
    allow udp from ${oip} 53 to any

Remember that DNS _can_ be TCP. Also, you need to allow both directions for
UDP DNS, otherwise it most definitely will not work. See below...

Also make sure your named.conf has the following line enabled:

    options {
        query-source address * port 53;
    };

At least, that's what I did. I hope it helps. YMMV.

-gordon
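The point Gordon makes about DNS being able to use TCP is worth seeing on the wire. The following is an added example, not code from either poster: a minimal RFC 1035 client that builds a query, reads the header flags of the reply, and repeats the query over TCP (with the two-byte length prefix TCP DNS requires) when the UDP reply comes back with the TC (truncated) bit set. The domain names, the SOA serial and the server replies are constructed for the demonstration; `resolve()` is the network version and is the only function that actually touches sockets.

```python
"""DNS over UDP and TCP (RFC 1035): build a query, read the header, and repeat
the query over TCP when the UDP reply is truncated (TC bit set). All names,
serials and replies below are constructed for this example, not captured."""
import socket
import struct

QTYPE_A, QTYPE_SOA = 1, 6
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080

def encode_name(name):
    # Wire format: length-prefixed labels terminated by a zero byte.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # Header (RD=1, one question) followed by QNAME, QTYPE, QCLASS=IN.
    return struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}

def skip_name(msg, off):
    # Offset just past a name; a compression pointer (top two bits set) occupies two bytes.
    while (msg[off] & 0xC0) != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + 2 if (msg[off] & 0xC0) == 0xC0 else off + 1

def parse_answers(msg):
    # List of (type, ttl, rdata) for the answer section; owner names are skipped, not decoded.
    hdr, off = parse_header(msg), 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    answers = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((rtype, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return answers

def tcp_frame(msg):
    # RFC 1035 4.2.2: on TCP every message is preceded by a two-byte big-endian length.
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def resolve_with(query, udp_send, tcp_send):
    # Try UDP first; if the server set TC, the answer did not fit, so ask again over TCP.
    # udp_send/tcp_send take and return raw DNS messages. Returns (transport, reply).
    reply = udp_send(query)
    if parse_header(reply)["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")
    if not parse_header(reply)["tc"]:
        return "udp", reply
    return "tcp", tcp_send(query)

def resolve(name, qtype, server, port=53, timeout=3.0):
    # Network version of resolve_with(): needs UDP passed both ways and TCP setup to port 53.
    def udp_send(q):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, port))
            return s.recv(4096)
    def tcp_send(q):
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(tcp_frame(q))
            (length,) = struct.unpack("!H", s.recv(2))
            body = b""
            while len(body) < length:
                chunk = s.recv(length - len(body))
                if not chunk:
                    raise ConnectionError("short TCP read")
                body += chunk
            return body
    return resolve_with(build_query(name, qtype), udp_send, tcp_send)

def make_reply(query, flags, answers=b"", ancount=0):
    # Constructed server reply (not captured traffic): echo id and question, set flags/answers.
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | flags, 1, ancount, 0, 0)
    return header + query[12:] + answers

def soa_rr(owner, mname, rname, serial, refresh=3600, retry=900, expire=604800, minimum=300, ttl=3600):
    rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)
    return encode_name(owner) + struct.pack("!HHIH", QTYPE_SOA, 1, ttl, len(rdata)) + rdata

def demo():
    # SOA query: the UDP reply is truncated, so the client falls back to TCP and gets the record.
    query = build_query("mydomain.com", QTYPE_SOA)
    soa = soa_rr("mydomain.com", "ns1.mydomain.com", "hostmaster.mydomain.com", 2001011701)
    fake_udp = lambda q: make_reply(q, FLAG_TC)
    fake_tcp = lambda q: tcp_unframe(tcp_frame(make_reply(q, 0, soa, 1)))
    transport, reply = resolve_with(query, fake_udp, fake_tcp)
    answers = parse_answers(reply)
    serial = struct.unpack("!I", answers[0][2][-20:-16])[0]
    return transport, len(answers), serial
```

Map this onto the ipfw rules above: the UDP query is what `allow udp from any to ${oip} 53` lets in, the UDP reply is what `allow udp from ${oip} 53 to any` lets out (a stateless rule set needs both), and the TCP retry after a truncated reply is exactly the connection `allow tcp from any to ${oip} 53 setup` permits. A resolver that only ever gets UDP through will behave the way Trevin describes: the short A answer fits in a datagram, larger or retried queries do not. One caveat on the named.conf line: `query-source ... port 53` pins the source port of outgoing queries; later BIND releases randomize that port to resist cache poisoning, and fixing it to 53 turns that defence off.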