Subject: ipf ruleset causing named shutout
To: None <netbsd-help@netbsd.org>
From: Keith Parker <kparker4@midsouth.rr.com>
List: netbsd-help
Date: 12/05/2003 16:10:17
--=====================_112429585==.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed
Hi all,
I'm trying to setup DNS and have hit an impass - but not in the setup of
zone files, etc. That's all working great. I've been using
http://www.muine.org/~hoang/dns.html and I checked out DNS and BIND 4th
edition from OReilly's Safari Online Bookshelf. I don't know if any of you
have ever used Safari, but I'd recommend looking at if you are someone who
needs to read books to ramp up. I've had a subscription for a while, but
OReilly let's you try it for a couple of weeks for free. It's been a nice
way of getting my hands on good docs at an indecent hour. ;) Sometimes I
need something more than a HOW-TO, which is often written from the "Here's
how you make it through the crisis, look elsewhere for details". Anyway,
if you don't want to buy a bunch of books you probably won't need in a
couple of months anyway, it's a great option.
Also, if anyone else is new to these concepts, I really do think the
OReilly book provides a lucid, compact overview of DNS, as well as *very*
detailed explanations for the setup. The title sounds intimidating to a
newbie, but it is very well written and comprehensible by all. So well
written in fact, that I want to read the whole thing.
OK, I'm through... ;-)
My problem seems to lie not with BIND but with my ipf ruleset. I am not
yet familiar enough with ipf to know what I'm doing, but here's as close as
I can get:
Here's my setup:
oak.xtechsolutions.net = 192.168.1.1 = primary and only (for the moment)
nameserver = rtk0
ex0 = NIC to the outside world.
If the complete ipf.conf would help, then I'll send. I just figured since
it was specific to that tiny subset, I'd cut out the fluff.
Before setting up named, I was using my ISP's nameservers. I have a couple
of rules (my ipf.conf was borrowed from nice person on the net) that
explicitly passed in DNS replies from my ISP's nameservers.
pass in on ex0 proto udp from 24.165.200.35 port = 53 to any
pass in on ex0 proto udp from 24.165.200.40 port = 53 to any
When my /etc/resolv.conf listed 24.165.200.35 and 24.165.200.40) as
nameservers, everything was fine.
If I change the /etc/resolv.conf to read nameserver 192.168.1.1 *and* I
leave ipf in place - I'm toast. That much makes sense (at least I think
so), because there's no explicit rule to pass the elsewhere blocked udp
traffic on 53 from my new nameserver.
When I remove the ipf.conf and am no longer filtering packets, I'm pinging
external names all over the place. So my DNS is working (after several
typo corrections).
It seems to me that the solution lies in opening up port 53 for a flow of
traffic from rtk0 (192.168.1.1) to ex0. That's where everything breaks
down, because I don't know what I'm doing. The things I've tried in
igorance haven't worked.
For the heck of it, I tried a naive inversion of the rule to read like this:
pass out on rtk0 proto udp from 192.168.1.1 to any
and then
pass in on eth0 proto udp from 192.168.1.1 to any
Neither of which probably make any sense... ;-(
Based on something I read while looking for an answer, I also tried:
pass in quick proto tcp/udp from 192.168.1.1 to any
pass out quick proto tcp/udp from any to 192.168.1.1
This seems like it should be simple, but I can't seem to get it.
Can anyone see what I can't?
--=====================_112429585==.ALT
Content-Type: text/html; charset="us-ascii"
<html>
<body>
Hi all,<br><br>
I'm trying to setup DNS and have hit an impass - but not in the setup of
zone files, etc. That's all working great. I've been using
<a href="http://www.muine.org/~hoang/dns.html" eudora="autourl">http://www.muine.org/~hoang/dns.html</a>
and I checked out <u>DNS and BIND</u> 4th edition from OReilly's Safari Online Bookshelf. I don't know if any of you have ever used Safari, but I'd recommend looking at if you are someone who needs to read books to ramp up. I've had a subscription for a while, but OReilly let's you try it for a couple of weeks for free. It's been a nice way of getting my hands on good docs at an indecent hour. ;) Sometimes I need something more than a HOW-TO, which is often written from the "Here's how you make it through the crisis, look elsewhere for details". Anyway, if you don't want to buy a bunch of books you probably won't need in a couple of months anyway, it's a great option. <br><br>
Also, if anyone else is new to these concepts, I really do think the OReilly book provides a lucid, compact overview of DNS, as well as *very* detailed explanations for the setup. The title sounds intimidating to a newbie, but it is very well written and comprehensible by all. So well written in fact, that I want to read the whole thing.<br><br>
OK, I'm through... ;-)<br><br>
My problem seems to lie not with BIND but with my ipf ruleset. I am not yet familiar enough with ipf to know what I'm doing, but here's as close as I can get: <br><br>
Here's my setup:<br>
oak.xtechsolutions.net = 192.168.1.1 = primary and only (for the moment) nameserver = rtk0<br>
ex0 = NIC to the outside world.<br><br>
If the complete ipf.conf would help, then I'll send. I just figured since it was specific to that tiny subset, I'd cut out the fluff.<br><br>
Before setting up named, I was using my ISP's nameservers. I have a couple of rules (my ipf.conf was borrowed from nice person on the net) that explicitly passed in DNS replies from my ISP's nameservers.<br><br>
pass in on ex0 proto udp from 24.165.200.35 port = 53 to any<br>
pass in on ex0 proto udp from 24.165.200.40 port = 53 to any<br><br>
When my /etc/resolv.conf listed 24.165.200.35 and 24.165.200.40) as nameservers, everything was fine.<br><br>
If I change the /etc/resolv.conf to read nameserver 192.168.1.1 *and* I leave ipf in place - I'm toast. That much makes sense (at least I think so), because there's no explicit rule to pass the elsewhere blocked udp traffic on 53 from my new nameserver.<br>
<br>
When I remove the ipf.conf and am no longer filtering packets, I'm pinging external names all over the place. So my DNS is working (after several typo corrections).<br><br>
It seems to me that the solution lies in opening up port 53 for a flow of traffic from rtk0 (192.168.1.1) to ex0. That's where everything breaks down, because I don't know what I'm doing. The things I've tried in igorance haven't worked. <br><br>
For the heck of it, I tried a naive inversion of the rule to read like this:<br><br>
pass out on rtk0 proto udp from 192.168.1.1 to any<br><br>
and then <br><br>
pass in on eth0 proto udp from 192.168.1.1 to any<br><br>
Neither of which probably make any sense... ;-(<br><br>
Based on something I read while looking for an answer, I also tried:<br><br>
pass in quick proto tcp/udp from 192.168.1.1 to any<br>
pass out quick proto tcp/udp from any to 192.168.1.1<br><br>
This seems like it should be simple, but I can't seem to get it.<br><br>
Can anyone see what I can't?<br><br>
</body>
</html>
--=====================_112429585==.ALT--