Subject: ipf ruleset causing named shutout
To: None <netbsd-help@netbsd.org>
From: Keith Parker <kparker4@midsouth.rr.com>
List: netbsd-help
Date: 12/06/2003 14:29:17
Hi all,

Forgive me if this is a second time post.  I show it as having been sent 
yesterday, but I haven't seen it appear in my inbox or on the list archives 
yet.  I've had some problems with my ISP's mail servers the past few days 
and am assuming that it never left.  The interim gave me a little time to 
clean up my previous post anyway.

I'm trying to set up DNS and have hit an impasse - but not in the 
configuration of named, zone files, etc. That's all working great as far as 
I can tell.  Except for the fact that I can't resolve external names when 
my firewall is enabled.  From the info provided below, I'm assuming the 
problem lies not with BIND but with my ipf ruleset.  I'm still cloudy on ipf 
rules, but here's as close as I can get:

Here's my purpose:
----------------------------
To set up a server (probably 2 - one for mail/dns and one for web/dns) for 
a friend to perform the following:
1) web server for several non-profit domains (I'm OK with the virtual host 
stuff in Apache after reading some good docs)
2) mail server for the virtually hosted domains (I've checked out the 
Postfix book from O'Reilly's Safari Online Bookshelf, and think this will 
be OK)
3) dns server (http://www.muine.org/~hoang/dns.html and I checked out DNS 
and BIND 4th edition from O'Reilly's Safari Online Bookshelf).

*Just a personal aside to other newbies: If you want to get a "big picture" 
look at DNS, and a "specific look" at BIND, I would read this book.  It's 
an intimidating title with very accessible content.

Here's my setup:
-------------------------
He has a static IP at his disposal.  He also wants me to set up his own 
nameservers.

I'm starting off with one server that does it all, but am taking advice I 
got from an earlier post on the list and will be splitting things off into 
2 servers.  My friend has been recycling donated computers for non-profits 
for years (for free, no less) and has access to adequate machines.

I've been setting things up on my system first.  Here goes:
I have a domain name (network.net, for example) assigned to my static IP.

In the box, I've got 2 NICs
rtk0 = oak.network.net = 192.168.1.1 = primary and only (for the moment) 
nameserver.
ex0 = 24.56.x.x assigned to NIC standing between me and the rest of the world.

Before I began testing named, I was using my ISP's nameservers.
/etc/resolv.conf looked like this:
nameserver 24.165.200.35
nameserver 24.165.200.40

I had a couple of rules that explicitly passed in DNS replies from my ISP's 
nameservers.
/etc/ipf.conf
[snip]
pass in on ex0 proto udp from 24.165.200.35 port = 53 to any
pass in on ex0 proto udp from 24.165.200.40 port = 53 to any
[snip]

(If the complete ipf.conf would help, then I'll send.  I just figured since 
it was specific to that tiny subset, I'd cut out the fluff.)

Once I cranked up named with my master set for 191.68.1.1 (oak.network.net) 
I couldn't ping external domain names.  That much makes sense (at least I 
think so), because there's no explicit rule to pass port 53 traffic from 
192.168.1.1 to anywhere, and there has to be a "block all the stuff" 
statement somewhere else that is stopping it.

Sure enough, when I allow all traffic in and out in ipf.conf and am no 
longer filtering packets, I'm pinging external names all over the place.
My /etc/resolv.conf just says:
domain network.net
nameserver 192.168.1.1

It looks to me like my DNS is working (after several typo corrections) as 
far as resolving external name requests made from within my network - as 
long as the firewall is wide open.  I have not yet gotten into publishing 
the DNS servers yet.

This seems like it should be simple, but I can't seem to get it.

How can I allow udp requests and replies on port 53 to pass from rtk0 to 
ex0 and thus out to the world and back again?  Is that even where the 
solution lies?  Where does the sun go when it rains?

I've got some fundamental gaps in my networking knowledge that I find 
irritating.  My background is in a vertical market, character based DOS 
world of serial terminals, modems and multiport boards.  A couple of years 
ago, we switched to Linux, but the subset of things I've dealt with is 
pretty limited.

I'm hoping that I'm not asking the kind of question that betrays such a 
fundamental misunderstanding of things that there's no way to begin to 
reply.  I hate those. ;-)

Thanks
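As an added example (not the poster's /etc/ipf.conf), here is a stateful ipfilter ruleset for the setup described above: named on oak may send its queries out through ex0, and "keep state" admits only the reply belonging to each query, instead of passing in every UDP packet that merely has a source port of 53. Interface names and addresses are taken from the post; the 192.168.1.0/24 LAN range and the final catch-all block (standing in for the one snipped from the poster's file) are assumptions.

```ipf
# Added example, not the poster's ruleset. Interfaces and addresses are
# from the post; the 192.168.1.0/24 LAN range is an assumption.

# LAN clients on rtk0 may query the nameserver on oak (UDP and TCP 53;
# TCP is used for answers too large for UDP).
pass in quick on rtk0 proto udp from 192.168.1.0/24 to 192.168.1.1 port = 53 keep state
pass in quick on rtk0 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 53 flags S keep state

# named's own recursive queries leave via ex0. "keep state" creates a
# state entry per outgoing query, so the matching reply is let back in
# and nothing else is; no "pass in ... from any port = 53" rule is needed.
pass out quick on ex0 proto udp from any to any port = 53 keep state
pass out quick on ex0 proto tcp from any to any port = 53 flags S keep state

# Unsolicited inbound traffic on ex0 (including packets with a spoofed
# source port of 53) stays blocked. Drop this line once the server is
# published and a deliberate "pass in ... to <server> port = 53" is added.
block in log quick on ex0 all
```

After editing, reload with `ipf -Fa -f /etc/ipf.conf` and watch `ipmon` for blocked packets while running a lookup against oak from a LAN host.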