Subject: Re: named inside firewall
To: Henry Nelson <henry@irm.nara.kindai.ac.jp>
From: None <collver@softhome.net>
List: netbsd-help
Date: 12/12/2000 20:34:52
On Wed, Dec 13, 2000 at 01:19:31PM +0900, Henry Nelson wrote:
> > > Since moving my name server inside a firewall, I can no longer
> > > do lookups on other clients inside the firewall, while lookup
> > > requests originating from outside the firewall work fine.  The
> [...]
> > > or ftp I get: "Host name lookup failure."  Somewhat unique about
> > > the ipf/ipnat box is that its external nic has two IPs.  The one
> > > that is an alias is the name server.
> > > 
> > > /etc/ipnat.conf looks like:
> > > map ep0 192.168.2.0/24 -> aaa.bbb.ccc.21/32 proxy port ftp ftp/tcp
> > > map ep0 192.168.2.0/24 -> aaa.bbb.ccc.21/32 portmap tcp/udp 40000:60000
> > > map ep0 192.168.2.0/24 -> aaa.bbb.ccc.21/32
> > > rdr ep0 aaa.bbb.ccc.21/0 port 80 -> 192.168.2.21 port 80 tcp/udp
> > > rdr ep0 aaa.bbb.ccc.149/0 port 53 -> 192.168.2.149 port 53 tcp/udp
> > > 
> > > /etc/ifconfig.ep0 looks like:
> > > aaa.bbb.ccc.21 netmask 0xffffff00
> > > aaa.bbb.ccc.149 netmask 0xffffffff alias
> 
> Thank you very much for the response.
> 
> > Is the IP of the internal NIC is used as the default gateway (the router)
> > for the internal clients?
> 
> Yes.  It's 192.168.2.1.
> 
> > Try 'ping -n' on an external IP address from one of the clients.
> 
> If /etc/resolv.conf has aaa.bbb.ccc.149 as the only name server, ping
> fails with "Cannot resolve "www.kyoto-u.ac.jp" (Host name lookup failure)."
> If I set a name server external to the firewall, ping and other programs
> work fine with external IPs.

In NetBSD, -n prevents ping from looking up the name.
The options vary; I think Windows 9x uses -d instead of -n.

> 
> > Will the internal clients use aaa.bbb.ccc.149 or
> > 192.168.2.149 as the DNS server?
> 
> I wasn't sure what you meant by this.  If I set /etc/resolv.conf to use
> 192.168.2.149 only, nslookup will hang, i.e., timeout rather than fail as it
> does with aaa.bbb.ccc.149.  Neither aaa.bbb.ccc.149 nor 192.168.2.149 (same
> physical machine) works, if that is what you meant.  aaa.bbb.ccc.201 works.

From your post:
rdr ep0 aaa.bbb.ccc.149/0 port 53 -> 192.168.2.149 port 53 tcp/udp

My interpretation:
You have a name server running on 192.168.2.149 (on the internal network).
You are redirecting external queries at aaa.bbb.ccc.149 to 192.168.2.149

Based on my interpretation:
It would be a good idea to make sure your client machine can ping -n
192.168.2.149, and then make sure your client can use 192.168.2.149 as a
nameserver.  If it can't, the problem is in the routing, named
configuration, or the client configuration.  (gee, sure narrowed that
down).

> 
> > Could you post the output of 'netstat -nr'?
> 
> It's a pretty busy LAN so I've edited out the various unrelated PCs.  The
> following is the output of the firewall (i586 running NetBSD1.4.2/i386).
> Destination         Gateway            Flags     Refs     Use    Mtu  Interface
> default            aaa.bbb.ccc.254     UGS         0    77421      -  ep0
> 127.0.0.1           127.0.0.1          UH          1       24      -  lo0
> aaa.bbb.ccc/24      link#1             UC          0        0      -  ep0
> aaa.bbb.ccc.149     00:10:5a:7c:38:c4  UHL         0     1404      -  lo0 =>
> aaa.bbb.ccc.149/32  link#1             UC          0        0      -  ep0
> aaa.bbb.ccc.201     08:00:20:9f:9d:d3  UHL         0       25      -  ep0
> aaa.bbb.ccc.254     00:e0:2b:65:12:00  UHL         1        0      -  ep0
> 192.168.2           link#2             UC          0        0      -  fxp0
> 192.168.2.12        00:90:cc:10:6e:97  UHL         0       21      -  fxp0
> 192.168.2.149       08:00:20:0f:de:94  UHL         1       46      -  fxp0
> 
> aaa.bbb.ccc.201 is the machine outside of the firewall running bind which
> the internal clients can reach.  aaa.bbb.ccc.254 is the gateway to the
> Internet.  My intent was to have aaa.bbb.ccc.149 and 192.168.2.149 represent
> the same machine (old Sun running NetBSD1.4.2/sparc).
> 
> The following is the output from the internal name server I'm having problems
> using from clients inside the firewall:
> Destination        Gateway            Flags     Refs     Use    Mtu  Interface
> default            192.168.2.1        UGS         2    22621      -  le0
> 127.0.0.1          127.0.0.1          UH          1       87      -  lo0
> 192.168.2          link#1             UC          0        0      -  le0
> 192.168.2.1        00:40:26:3c:56:2c  UHL         1     2274      -  le0
> 192.168.2.149      08:00:20:0f:de:94  UHL         0        4      -  lo0
> 
> > Have you placed 'sysctl -w net.inet.ip.forwarding=1' in your /etc/rc.local?
> 
> The kernel does that function as it was compiled with the GATEWAY option,
> as well as INET, MROUTING and PFIL_HOOKS.

I thought that the GATEWAY option just provided the feature of forwarding,
but did not turn it on, and that it had to be explicitly enabled using
sysctl.  Do you know otherwise?

I have never used aliases, but it looks strange to me that your .149
addresses are on interface lo0.  Isn't lo0 loopback?  Maybe this
observation will cause more confusion than help.

Good night,
The Novice
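The ipnat.conf quoted above binds its rdr rules to ep0, and ipnat's rdr only rewrites packets that arrive inbound on the named interface. The following is an added example, not code from either poster: a small model of that matching rule, parsed from the rdr lines of the posted config, that shows which of the two query paths (an outside client hitting the alias on ep0, an inside client hitting the same alias via fxp0) the redirect actually touches. The numeric addresses 192.0.2.21 and 192.0.2.149 stand in for aaa.bbb.ccc.21 and aaa.bbb.ccc.149, and the sample packets are constructed; state tables, the map rules and the firewall's own local delivery of the alias address are deliberately left out.

```python
"""Toy model of IPFilter 'rdr' matching for the ipnat.conf in this thread.

Added example, not code from the original post.  It models one behaviour:
an ipnat 'rdr IFACE ...' rule only rewrites packets that arrive INBOUND on
IFACE.  Interface names and private addresses are from the post; the
192.0.2.x addresses are stand-ins for the redacted aaa.bbb.ccc.x ones, and
every packet below is constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# The posted rules, with aaa.bbb.ccc replaced by 192.0.2 (assumption).
IPNAT_CONF = """\
map ep0 192.168.2.0/24 -> 192.0.2.21/32 proxy port ftp ftp/tcp
map ep0 192.168.2.0/24 -> 192.0.2.21/32 portmap tcp/udp 40000:60000
map ep0 192.168.2.0/24 -> 192.0.2.21/32
rdr ep0 192.0.2.21/0 port 80 -> 192.168.2.21 port 80 tcp/udp
rdr ep0 192.0.2.149/0 port 53 -> 192.168.2.149 port 53 tcp/udp
"""

RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s+->\s+"
    r"(?P<new_dst>\S+)\s+port\s+(?P<new_port>\d+)\s+(?P<proto>\S+)$"
)


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet ARRIVED on
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"


@dataclass(frozen=True)
class Rdr:
    iface: str
    dst: ipaddress.IPv4Network
    dport: int
    new_dst: str
    new_port: int
    protos: FrozenSet[str]

    def matches(self, pkt: Packet) -> bool:
        # Interface is the first test: a rule on ep0 never sees fxp0 traffic.
        return (pkt.in_iface == self.iface
                and pkt.proto in self.protos
                and ipaddress.ip_address(pkt.dst) in self.dst
                and pkt.dport == self.dport)


def parse_rdr_rules(text: str) -> List[Rdr]:
    """Parse only the rdr lines; map rules are outbound NAT and not modelled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("rdr"):
            continue
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rdr rule: {line!r}")
        d = m.groupdict()
        # 'addr/0' in ipnat means a zero-bit mask, i.e. any destination;
        # ip_network(..., strict=False) turns 192.0.2.149/0 into 0.0.0.0/0.
        net = ipaddress.ip_network(d["dst"], strict=False)
        rules.append(Rdr(d["iface"], net, int(d["dport"]), d["new_dst"],
                         int(d["new_port"]), frozenset(d["proto"].split("/"))))
    return rules


def first_rdr(rules: List[Rdr], pkt: Packet) -> Optional[Rdr]:
    """ipnat uses the first matching rule."""
    return next((r for r in rules if r.matches(pkt)), None)


def effective_destination(rules: List[Rdr], pkt: Packet) -> Tuple[str, int, bool]:
    """Return (dst, port, redirected) after rdr processing."""
    rule = first_rdr(rules, pkt)
    if rule is None:
        return pkt.dst, pkt.dport, False
    return rule.new_dst, rule.new_port, True


if __name__ == "__main__":
    rules = parse_rdr_rules(IPNAT_CONF)
    samples = {
        "outside client -> alias, arrives on ep0":
            Packet("ep0", "203.0.113.7", "192.0.2.149", 53, "udp"),
        "inside client -> alias, arrives on fxp0":
            Packet("fxp0", "192.168.2.12", "192.0.2.149", 53, "udp"),
        "inside client -> 192.168.2.149 directly":
            Packet("fxp0", "192.168.2.12", "192.168.2.149", 53, "udp"),
    }
    for label, pkt in samples.items():
        print(f"{label}: {effective_destination(rules, pkt)}")
```

The second sample is the path the internal clients are using when resolv.conf names aaa.bbb.ccc.149: no rule fires, so the query is left addressed to the firewall's own alias rather than forwarded to the Sun. The model only shows that the rdr is not involved on that path; it says nothing about why a query sent straight to 192.168.2.149 times out, which is the routing, named or client configuration question raised in the reply.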