Subject: Re: ipf ruleset causing named shutout
To: Keith Parker <kparker4@midsouth.rr.com>
From: None <netbsd@purk.ee>
List: netbsd-help
Date: 12/06/2003 22:50:47
Hi,
If this box acting as router (local network), you may want add at the top of
ipf.conf
pass out log quick on ex0 proto tcp from any to any keep state
pass out log quick on ex0 proto udp from any to any keep state
blocking goes here
About BIND:
/etc/resolv.conf
---------------------------------
search yourdomain.com
nameserver 127.0.0.1
lookup file bind
---------------------------------
Greetings
Tsiteerin Keith Parker <kparker4@midsouth.rr.com>:
> Hi all,
>
> Forgive me if this is a second time post. I show it as having been sent
> yesterday, but I haven't seen it appear in my inbox or on the list archives
> yet. I've had some problems with my ISPs mail servers the past few days
> and am assuming that it never left. The interim gave me a little time to
> clean up my previous post anyway.
>
> I'm trying to setup DNS and have hit an impass - but not in the
> configuration of named, zone files, etc. That's all working great as far as
> I can tell. Except for the fact that I can't resolve external names when
> my firewall is enabled. From the info provided below, I'm assuming the
> problem lies not with BIND but with my ipf ruleset. I still cloudy on ipf
> rules, but here's as close as I can get:
>
> Here's my purpose:
> ----------------------------
> To set up a server (probably 2 - one for mail/dns and one for web/dns) for
> a friend to perform the following:
> 1) web server for several non-profit domains (I'm OK with the virtual host
> stuff in Apache after reading some good docs)
> 2) mail server for the virtually hosted domains (I've checked out the
> Postfix book from O'Reilly's Safari Online Bookshelf, and think this will
> be OK)
> 3) dns server (http://www.muine.org/~hoang/dns.html and I checked out DNS
> and BIND 4th edition from OReilly's Safari Online Bookshelf).
>
> *Just a personal aside to other newbies: If you want to get a "big picture"
> look at DNS, and a "specific look" at BIND, I would read this book. It's
> an intimidating title with very accessible content.
>
> Here's my setup:
> -------------------------
> He has a static IP at his disposal. He also wants me to setup his own
> nameservers.
>
> I'm starting off with one server that does it all, but am taking advice I
> got from an earlier post on the list and will be splitting things off into
> 2 servers. My friend has been recycling donated computers for non-profits
> for years (for free, no less) and has access to adequate machines.
>
> I've been setting things up on my system first. Here goes:
> I have a domain name (network.net, for example) assigned to my static IP.
>
> In the box, I've got 2 NICs
> rtk0 = oak.network.net = 192.168.1.1 = primary and only (for the moment)
> nameserver.
> ex0 = 24.56.x.x assigned to NIC standing between me and the rest of the
> world.
>
> Before I began testing named, I was using my ISP's nameservers.
> /etc/resolv.conf looked like this:
> nameserver 24.165.200.35
> nameserver 24.165.200.40
>
> I had a couple of rules that explicitly passed in DNS replies from my ISP's
> nameservers.
> /etc/ipf.conf
> [snip]
> pass in on ex0 proto udp from 24.165.200.35 port = 53 to any
> pass in on ex0 proto udp from 24.165.200.40 port = 53 to any
> [snip]
>
> (If the complete ipf.conf would help, then I'll send. I just figured since
> it was specific to that tiny subset, I'd cut out the fluff.)
>
> Once I cranked up named with my master set for 191.68.1.1 (oak.network.net)
> I couldn't ping external domain names. That much makes sense (at least I
> think so), because there's no explicit rule to pass port 53 traffic from
> 192.168.1.1 to anywhere, and there has to be a "block all the stuff"
> statement somewhere else is stopping it.
>
> Sure enough. when I allow all traffic in and out in ipf.conf and am no
> longer filtering packets, I'm pinging external names all over the place.
> my /etc/resolve.conf just says:
> domain network.net
> nameserver 192.168.1.1
>
> It looks to me like my DNS is working (after several typo corrections) as
> far as resolving external name requests made from within my network - as
> long as the firewall is wide open. I have not yet gotten into publishing
> the DNS servers yet.
>
> This seems like it should be simple, but I can't seem to get it.
>
> How can I allow udp requests and replies on port 53 to pass from rtk0 to
> ex0 and thus out to the world and back again? Is that even where the
> solution lies? Where does the sun go when it rains?
>
> I've got some fundamental gaps in my networking knowledge that I find
> irritating. My background is in a vertical market, character based DOS
> world of serial terminals, modems and multiport boards. A couple of years
> ago, we switched to Linux, but the subset of things I've dealt with is
> pretty limited.
>
> I'm hoping that I'm not asking the kind of question that betrays such a
> fundamental misunderstanding of things that there's no way to begin to
> reply I hate those. ;-)
>
> Thanks
>
>
----------------------------------------------------------------
Powered By "NetBSD" http://www.netbsd.org