From owner-freebsd-ipfw  Mon May 22 12:17:52 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hotmail.com (law-f195.hotmail.com [209.185.130.105])
	by hub.freebsd.org (Postfix) with SMTP id ACD5537BB61
	for <freebsd-ipfw@freebsd.org>; Mon, 22 May 2000 12:17:33 -0700 (PDT)
	(envelope-from ronnetron@hotmail.com)
Received: (qmail 61405 invoked by uid 0); 22 May 2000 19:17:33 -0000
Message-ID: <20000522191733.61404.qmail@hotmail.com>
Received: from 63.203.116.218 by www.hotmail.com with HTTP;
	Mon, 22 May 2000 12:17:33 PDT
X-Originating-IP: [63.203.116.218]
From: "Ron Smith" <ronnetron@hotmail.com>
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Non-existent domain
Date: Mon, 22 May 2000 12:17:33 PDT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all,

O.K. gang I need your help on this one. I have a particular problem that I 
can't seem to solve on my own. Here's what's happening:

I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything 
works fine for those on the LAN when browsing HTTP. DNS is also running on 
this machine as primary and I have a name server at the ISP as secondary. 
However, the problem is that when looking for the domain name "crcfx.com" 
out on the web, it's not seen. An error message comes up saying: "A network 
error occurred: Unable to connect to server. The server may be down or 
unreachable." Also, I don't get a proper response, from outside our LAN, 
when doing an 'nslookup stargate.crcfx.com', which has the primary DNS 
running locally. This is preventing us from putting other services on-line, 
such as 'HTTP' and 'SMTP'. I've talked to several sources (including my 
ISP), to no avail. There's lots of confusion all around. I have a suspicion 
my problem may stem from the way my zones are set up, or the firewall rules, 
but I'm not sure. Anyway, here are the details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ping 127.0.0.1 (loopback)
ping 192.x.x.1 (inside interface)
ping 63.x.x.218 (outside interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All show 0% packet loss.

~~~~~~~~~~~~~~~
'rc.conf' says:
~~~~~~~~~~~~~~~

# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #
ifconfig_fxp0="inet 192.x.x.1  netmask 255.255.255.0"
ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
hostname="stargate.crcfx.com"
linux_enable="YES"
moused_enable="YES"
gateway_enable="YES"
defaultrouter="63.x.x.217"
# -- The following deltas were generated by Ron Smith on Apr. 17, 2000
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
inetd_enable="NO"
sendmail_enable="NO"
dumpdev=/dev/wd0s1b
natd_enable="YES"
natd_interface="pn0"
named_enable="YES"

~~~~~~~~~~~~~~~~~~~
'rc.firewall' says:
~~~~~~~~~~~~~~~~~~~

# set these to your outside interface network and netmask and ip
oif="pn0"
onet="63.x.x.216"
omask="255.255.255.248"
oip="63.x.x.218"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.x.x.0"
imask="255.255.255.0"
iip="192.x.x.1"

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
#$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow ICMP inside only
#$fwcmd add deny icmp from any to any via ${oif}
#$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
#$fwcmd add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
$fwcmd add pass udp from ${inet}:${imask} to any 53

# Allow stuff to 192 net in from the outside, since we're
# checking after NAT does the conversion
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}

# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123

# Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
$fwcmd ${firewall_type}
fi

~~~~~~~~~~~~~~~~~~~~~~~
'whois crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~

Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net for 
detailed information.

Domain Name: CRCFX.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: www.register.com
Name Server: NS1.PBI.NET
Name Server: STARGATE.CRCFX.COM
Updated Date: 28-apr-200

>>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and 
Registrars.

Access to register.com's WHOIS information is for informational purposes 
only.  Register.com makes this information available
"as is," and does not guarantee its accuracy.  The compilation, repackaging, 
dissemination or other use of register.com's WHOIS information in its 
entirety, or a substantial portion thereof, is expressly prohibited without 
the prior written consent of register.com.  By accessing and using our WHOIS 
information, you agree to these terms.

Organization:
Cinema Research Corp
6860 Lexington Ave
Hollywood, CA 90038
US

Registrar..: Register.com (http://www.register.com)
Domain Name: CRCFX.COM
Created on..............: Fri, Mar 24, 2000
Expires on..............: Sat, Mar 24, 2001
Record last updated on..: Fri, Apr 28, 2000

Administrative Contact:
Smith, Ron  ronnetron@hotmail.com
323-460-4111

Technical Contact, Zone Contact:
Internic, Registrar  internic-free@register.com
212-594-988

Domain servers in listed order:

STARGATE.CRCFX.COM                               63.x.x.218
NS1.PBI.NET                                      206.13.28.11

Register your domain name at http://www.register.com

~~~~~~~~~~~~~~~~~
ifconfig -a says:
~~~~~~~~~~~~~~~~~

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255

pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'netstat -na crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address         Foreign Address      (state)
icmp       0      0 *.*                   *.*
tcp        0      0 *.111                 *.*                  LISTEN
tcp        0      0 127.0.0.1.53          *.*                  LISTEN
tcp        0      0 63.x.x.218.53         *.*                  LISTEN
tcp        0      0 192.x.x.1.53          *.*                  LISTEN
udp        0      0 *.111                 *.*
udp        0      0 *.1024                *.*
udp        0      0 127.0.0.1.53          *.*
udp        0      0 63.x.x.218.53         *.*
udp        0      0 192.x.x.1.53          *.*
udp        0      0 *.514                 *.*

~~~~~~~~~~~~~~~~~~~~~
'db.crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~

; Definition of zone crcfx.com
crcfx.com.      IN      SOA     stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial (date, two digits version of day)
                86400   ; refresh (1 day)
                7200    ; retry (2 hours)
                8640000 ; expire (100 days)
                86400 ) ; minimum (1 day)

; name servers
                IN      NS      stargate.crcfx.com.
                IN      NS      ns1.pbi.net.
                IN      NS      ns2.pbi.net.
stargate        IN      A       63.x.x.218
ns1.pbi.net.    IN      A       206.13.28.11
ns2.pbi.net.    IN      A       206.13.29.11

~~~~~~~~~~~~~~~~~~~~~
'crcfx-reverse' says:
~~~~~~~~~~~~~~~~~~~~~

@     IN     SOA   stargate.crcfx.com.      root.crcfx.com. (
                   2000042901 ; Serial (date, 2 digits version of day)
                   86400   ; refresh (1 day)
                   7200    ; retry (2 hours)
                   8640000 ; expire (100 days)
                   86400 ) ; minimum (1 day)

      IN     NS    stargate.crcfx.com.
      IN     NS    ns1.pbi.net.
      IN     NS    ns2.pbi.net.

218.x.x.63.in-addr.arpa         IN      PTR     stargate.crcfx.com.
11.28.13.206.in-addr.arpa       IN      PTR     ns1.pbi.net.
11.29.13.206.in-addr.arpa       IN      PTR     ns2.pbi.net.

~~~~~~~~~~~~~~~~~~~~~
'localhost.rev' says:
~~~~~~~~~~~~~~~~~~~~~

;	From: @(#)localhost.rev	5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

@     IN     SOA     stargate.crcfx.com. root.stargate.crcfx.com. (
                     2000042901 ; Serial
                     86400      ; Refresh (1 day)
                     7200       ; Retry (2 hours)
                     8640000    ; Expire (100 days)
                     86400 )    ; Minimum
      IN     NS      stargate.crcfx.com.
1     IN     PTR     localhost.crcfx.com.

~~~~~~~~~~~~~~~~~~~
'resolv.conf' says:
~~~~~~~~~~~~~~~~~~~

domain	crcfx.com
nameserver 127.0.0.1
nameserver 192.x.x.1
nameserver 63.x.x.218
nameserver 206.13.28.11
nameserver 206.13.29.11

~~~~~~~~~~~~~~~~~~
'named.conf' says:
~~~~~~~~~~~~~~~~~~

options {
      directory "/etc/namedb";

        forwarders {
              206.13.28.11;
        };
};      // the options block has to be closed before the zone statements

zone "." {
      type hint;
      file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
      type master;
      file "localhost.rev";
};

zone "crcfx.com" {
      type master;
      file "db.crcfx.com";
};

zone "0.x.192.IN-ADDR.ARPA" {
      type master;
      file "crcfx-reverse";
};

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry,

This is a lot to swallow, but they are all the pertinent files, in regards 
to the problem. I would appreciate any feedback on how to get our local name 
server to do proper zone transfers to our upstream ISP, and to get a proper 
'nslookup stargate.crcfx.com' from outside our LAN ...same thing.

TIA
Ron





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Mon May 22 12:50: 0 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from arf.bussert.COM (arf.bussert.com [209.183.67.130])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5B89537BB5A; Mon, 22 May 2000 12:49:44 -0700 (PDT)
	(envelope-from matheny@bussert.com)
Received: from localhost (matheny@localhost)
	by arf.bussert.COM (8.9.3/8.9.3) with ESMTP id PAA09142;
	Mon, 22 May 2000 15:19:23 -0500 (EST)
	(envelope-from matheny@bussert.com)
Date: Mon, 22 May 2000 15:19:23 -0500 (EST)
From: Blake Matheny <matheny@bussert.com>
To: Ron Smith <ronnetron@hotmail.com>
Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Non-existent domain
In-Reply-To: <20000522191733.61404.qmail@hotmail.com>
Message-ID: <Pine.BSF.4.10.10005221512530.9101-100000@arf.bussert.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I had this problem before; I had to add an A record in DNS on the firewall
for the web server. For instance, let's say bussert.com was hosted at
111.111.111.111, I had to add that in the DNS records. Add the following
records to be able to browse:
@	IN	A	ipaddressofwebserver
www	IN	A	ipaddressofwebserver
The first line will allow for resolution of crcfx.com, the second line
will allow resolution of www.crcfx.com. I /think/ that answered your
question, but I was a little unclear; let me know if that helps.
-Blake

Blake Matheny
Bussert Consulting
Network Engineer
(765)423-2100
matheny@bussert.com




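A worked check for both Ron's zone setup and Blake's suggested records, added here as an example and not part of the thread: a small zone-file parser and linter in Python run first over db.crcfx.com as Ron posted it, then over the same zone with the two A records Blake proposes. The masked 'x' octets are replaced by 0 (a constructed stand-in, as is using the gateway address for "ipaddressofwebserver"), and the function names are this example's own. The checks are the ones to run before suspecting the firewall: an A record at the apex, an address for every in-zone name server, records whose owner lies outside the zone (named ignores out-of-zone data in a master file, so the ns1/ns2.pbi.net A records in the posted file achieve nothing), and whether the zone's NS set agrees with the delegation the whois output shows.

```python
"""Sanity checks on a BIND-style zone file (added example, not from the thread)."""

ORIGIN = "crcfx.com."

# Constructed stand-in for the posted db.crcfx.com: the octets Ron masked
# with 'x' are replaced by 0; everything else is as he posted it.
ZONE_AS_POSTED = """\
; Definition of zone crcfx.com
crcfx.com.      IN      SOA     stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial (date, two digits version of day)
                86400   ; refresh (1 day)
                7200    ; retry (2 hours)
                8640000 ; expire (100 days)
                86400 ) ; minimum (1 day)

; name servers
                IN      NS      stargate.crcfx.com.
                IN      NS      ns1.pbi.net.
                IN      NS      ns2.pbi.net.
stargate        IN      A       63.0.0.218
ns1.pbi.net.    IN      A       206.13.28.11
ns2.pbi.net.    IN      A       206.13.29.11
"""

# The two records Blake suggests, with the gateway's constructed address
# standing in for "ipaddressofwebserver".
BLAKE_ADDITIONS = """\
@       IN      A       63.0.0.218
www     IN      A       63.0.0.218
"""

# Name servers the parent delegates to, as listed in the whois output.
DELEGATED_NS = {"stargate.crcfx.com.", "ns1.pbi.net."}

def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples. Handles ';' comments, records
    continued across lines inside parentheses, and owner inheritance (a
    line that starts with whitespace reuses the previous owner)."""
    records, last_owner, pending, depth = [], origin, None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if pending is None:
            pending = (not line[0].isspace(), [])
        pending[1].append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside an open parenthesis
        owner_given, parts = pending
        pending = None
        fields = " ".join(parts).replace("(", " ").replace(")", " ").split()
        if owner_given:
            last_owner = fqdn(fields.pop(0), origin)
        if fields[0] == "IN":  # class; the posted files carry no TTL field
            fields.pop(0)
        records.append((last_owner, fields[0], tuple(fields[1:])))
    return records

def check_zone(records, origin, delegated_ns):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    present = {(owner, rtype) for owner, rtype, _ in records}
    if (origin, "A") not in present:
        problems.append(f"no A record at the apex {origin}: a lookup of the "
                        f"bare domain name returns no address")
    ns_in_zone = {rdata[0] for owner, rtype, rdata in records
                  if owner == origin and rtype == "NS"}
    for ns in sorted(ns_in_zone):
        if ns.endswith("." + origin) and (ns, "A") not in present:
            problems.append(f"in-zone name server {ns} has no A record")
    for owner, rtype, _ in records:
        if owner != origin and not owner.endswith("." + origin):
            problems.append(f"{rtype} record for {owner} lies outside {origin}; "
                            f"named ignores out-of-zone data in a master file")
    if ns_in_zone != set(delegated_ns):
        problems.append(f"NS set in the zone {sorted(ns_in_zone)} differs from "
                        f"the parent delegation {sorted(delegated_ns)}")
    return problems

def run_checks(zone_text):
    return check_zone(parse_zone(zone_text, ORIGIN), ORIGIN, DELEGATED_NS)

if __name__ == "__main__":
    for label, text in (("as posted", ZONE_AS_POSTED),
                        ("with Blake's records", ZONE_AS_POSTED + BLAKE_ADDITIONS)):
        print(f"== {label}")
        for problem in run_checks(text) or ["no problems found"]:
            print(" -", problem)
```

Run as a script it prints four findings for the zone as posted and three once Blake's apex and www records are in; the out-of-zone and NS-set findings remain, since those depend on the ISP's servers and the delegation rather than on the zone file alone.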


From owner-freebsd-ipfw  Tue May 23  5:33:44 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from apollo.ocsny.com (apollo.ocsny.com [204.107.76.2])
	by hub.freebsd.org (Postfix) with ESMTP
	id 007F537B9B6; Tue, 23 May 2000 05:33:15 -0700 (PDT)
	(envelope-from mikel@ocsny.com)
Received: from ocsny.com (thoth.upan.org [204.107.76.16])
	by apollo.ocsny.com (8.9.2/8.9.3) with ESMTP id IAA89254;
	Tue, 23 May 2000 08:31:02 -0400 (EDT)
Message-ID: <392A7B0B.ADB515FD@ocsny.com>
Date: Tue, 23 May 2000 08:35:23 -0400
From: Mikel <mikel@ocsny.com>
Organization: Optimized Computer Solutions, Inc.
X-Mailer: Mozilla 4.73 [en] (Win98; U)
X-Accept-Language: en,it
MIME-Version: 1.0
To: Ron Smith <ronnetron@hotmail.com>
Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Non-existent domain
References: <20000522191733.61404.qmail@hotmail.com>
Content-Type: multipart/mixed;
 boundary="------------C455D02C0A2C666CF8F47901"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


Uh Ron, check your firewall rules.... I've taken the liberty of highlighting
those that I feel are suspect....

--
Cheers,
Mikel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Optimized Computer Solutions, Inc        http://www.ocsny.com
| 39 W14th Street, Suite 203                   212 727 2238  x132
| New York, NY 10011
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

>
> ; name servers
>                 IN      NS      stargate.crcfx.com.
>                 IN      NS      ns1.pbi.net.
>                 IN      NS      ns2.pbi.net.
> stargate        IN      A       63.x.x.218
> ns1.pbi.net.    IN      A       206.13.28.11
> ns2.pbi.net.    IN      A       206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'crcfx-reverse' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> @     IN     SOA   stargate.crcfx.com.      root.crcfx.com. (
>                    2000042901 ; Serial (date, 2 digits version of day)
>                    86400   ; refresh (1 day)
>                    7200    ; retry (2 hours)
>                    8640000 ; expire (100 days)
>                    86400 ) ; minimum (1 day)
>
>       IN     NS    stargate.crcfx.com.
>       IN     NS    ns1.pbi.net.
>       IN     NS    ns2.pbi.net.
>
> 218.x.x.63.in-addr.arpa         IN      PTR     stargate.crcfx.com.
> 11.28.13.206.in-addr.arpa       IN      PTR     ns1.pbi.net.
> 11.29.13.206.in-addr.arpa       IN      PTR     ns2.pbi.net.
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'localhost.rev' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> ;       From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
> ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29
> peter Exp $
> ;
> ; This file is automatically edited by the `make-localhost' script in
> ; the /etc/namedb directory.
> ;
>
> @     IN     SOA     stargate.crcfx.com. root.stargate.crcfx.com. (
>                      2000042901 ; Serial
>                      86400      ; Refresh (1 day)
>                      7200       ; Retry (2 hours)
>                      8640000    ; Expire (100 days)
>                      86400 )    ; Minimum
>       IN     NS      stargate.crcfx.com.
> 1     IN     PTR     localhost.crcfx.com.
>
> ~~~~~~~~~~~~~~~~~~~
> 'resolv.conf' says:
> ~~~~~~~~~~~~~~~~~~~
>
> domain  crcfx.com
> nameserver 127.0.0.1
> nameserver 192.x.x.1
> nameserver 63.x.x.218
> nameserver 206.13.28.11
> nameserver 206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~
> 'named.conf' says:
> ~~~~~~~~~~~~~~~~~~
>
> options {
>       directory "/etc/namedb";
>
>         forwarders {
>               206.13.28.11;
>         };
>
> zone "." {
>       type hint;
>       file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
>       type master;
>       file "localhost.rev";
> };
>
> zone "crcfx.com" {
>       type master;
>       file "db.crcfx.com";
> };
>
> zone "0.x.192.IN-ADDR.ARPA" {
>       type master;
>       file "crcfx-reverse";
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Sorry,
>
> This is a lot to swallow, but they are all the pertinent files in regard
> to the problem. I would appreciate any feedback on how to get our local name
> server to do proper zone transfers to our upstream ISP, and to get a proper
> 'nslookup stargate.crcfx.com' from outside our LAN ...same thing.
>
> TIA
> Ron
>
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message





Uh Ron, check your firewall rules....I've taken the liberty in highlighting
those that I feel are suspect....

--
Cheers,
Mikel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Optimized Computer Solutions, Inc       http://www.ocsny.com
| 39 W14th Street, Suite 203              212 727 2238 x132
| New York, NY 10011
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

Ron Smith wrote:
[...]
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
>
> # Allow setup of incoming email                       [highlighted]
> #$fwcmd add pass tcp from any to ${oip} 25 setup      [highlighted]
>
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
>
> # Allow access to our WWW                             [highlighted]
> #$fwcmd add pass tcp from any to ${oip} 80 setup      [highlighted]
[...]




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Wed May 24 16:44:12 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ch.wks.ch (portls057.worldcom.ch [212.74.155.57])
	by hub.freebsd.org (Postfix) with ESMTP id A725537BD6D
	for <freebsd-ipfw@FreeBSD.ORG>; Wed, 24 May 2000 16:44:01 -0700 (PDT)
	(envelope-from wks@ch.wks.ch)
Received: (from wks@localhost)
	by ch.wks.ch (8.10.1/8.10.1) id e4ONjJt03226
	for freebsd-ipfw@FreeBSD.ORG; Thu, 25 May 2000 01:45:19 +0200 (CEST)
Date: Thu, 25 May 2000 01:45:19 +0200
From: Claudio Eichenberger <wks@wks.ch>
To: freebsd-ipfw@FreeBSD.ORG
Subject: cisco 2600 provokes P:88
Message-ID: <20000525014519.D835@wks.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
X-Operating-System: FreeBSD
Organisation: WKS Working Solutions GmbH
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

A Cisco 2600 connected to a FreeBSD 3.4 box with ipfw provokes the following message from the '$fwcmd add 65534 deny log ip from any to any' line:

	Deny P:88 router_IP 224.0.0.10 in via oif

Do you have any idea what P:88 is?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Wed May 24 16:59: 7 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id 9896A37BD6D
	for <freebsd-ipfw@FreeBSD.ORG>; Wed, 24 May 2000 16:59:05 -0700 (PDT)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id QAA67738;
	Wed, 24 May 2000 16:58:59 -0700 (PDT)
	(envelope-from freebsd)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Message-Id: <200005242358.QAA67738@gndrsh.dnsmgr.net>
Subject: Re: cisco 2600 provokes P:88
In-Reply-To: <20000525014519.D835@wks.ch> from Claudio Eichenberger at "May 25, 2000 01:45:19 am"
To: wks@wks.ch (Claudio Eichenberger)
Date: Wed, 24 May 2000 16:58:59 -0700 (PDT)
Cc: freebsd-ipfw@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> A Cisco 2600 connected to a FreeBSD 3.4 box with ipfw provokes the following message from the '$fwcmd add 65534 deny log ip from any to any' line:
> 
> 	Deny P:88 router_IP 224.0.0.10 in via oif
> 
> Do you have any idea what P:88 is?

That would be Protocol 88, EIGRP.  See /etc/protocols for things printed
P:xx.  Your cisco is running the interior routing protocol EIGRP.


-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Wed May 24 17: 4:56 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ns.itga.com.au (ns.itga.com.au [202.53.40.210])
	by hub.freebsd.org (Postfix) with ESMTP id 90C1337BD6D
	for <freebsd-ipfw@FreeBSD.ORG>; Wed, 24 May 2000 17:04:49 -0700 (PDT)
	(envelope-from gnb@itga.com.au)
Received: from lightning.itga.com.au (lightning.itga.com.au [192.168.71.20])
	by ns.itga.com.au (8.9.3/8.9.3) with ESMTP id KAA81675;
	Thu, 25 May 2000 10:04:45 +1000 (EST)
	(envelope-from gnb@itga.com.au)
Received: from itga.com.au (lightning.itga.com.au [192.168.71.20])
	by lightning.itga.com.au (8.9.3/8.9.3) with ESMTP id KAA25043;
	Thu, 25 May 2000 10:04:45 +1000 (EST)
Message-Id: <200005250004.KAA25043@lightning.itga.com.au>
X-Mailer: exmh version 2.0.1 12/23/97
From: Gregory Bond <gnb@itga.com.au>
To: Claudio Eichenberger <wks@wks.ch>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: cisco 2600 provokes P:88 
In-reply-to: Your message of Thu, 25 May 2000 01:45:19 +0200.
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 25 May 2000 10:04:44 +1000
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Do you have any idea what P:88 is ?

hellcat$ grep 88 /etc/protocols 
eigrp   88      EIGRP           # Enhanced Interior Routing Protocol (Cisco)
hellcat$ 




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
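As an added example, not code from the thread: a POSIX sh decoder that does what Rod's and Gregory's replies describe, resolving the P:<n> number of an ipfw deny-log line through an /etc/protocols-style table, and then counting which protocols dominate the catch-all rule's log. The protocol table excerpt, the sample log lines (RFC 5737 documentation addresses, interface ed0) and the function names are constructed for this example; 224.0.0.10 is the all-EIGRP-routers multicast group the Cisco is hello-ing to.

```shell
#!/bin/sh
# Added example (not code from the thread): decode the "P:<n>" field that an
# ipfw "deny log" rule prints for protocols it cannot name, by looking the
# number up in an /etc/protocols-style table, as the replies above suggest.

# Constructed excerpt in /etc/protocols format (name number alias # comment).
# It is the default table so the example runs offline; pass a readable file
# such as /etc/protocols as the optional FILE argument to use the host's copy.
PROTO_TABLE='# Internet (IP) protocols -- constructed excerpt for this example
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
gre     47      GRE             # General Routing Encapsulation
esp     50      ESP             # Encap Security Payload
ah      51      AH              # Authentication Header
eigrp   88      EIGRP           # Enhanced Interior Routing Protocol (Cisco)
ospf    89      OSPFIGP         # Open Shortest Path First IGP
pim     103     PIM             # Protocol Independent Multicast'

# proto_name NUMBER [FILE]: print the name for protocol NUMBER, or "unknown".
# Comment lines are skipped; column 2 of the table holds the number.
proto_name() {
    { if [ -n "$2" ] && [ -r "$2" ]; then cat "$2"; else printf '%s\n' "$PROTO_TABLE"; fi; } |
    awk -v n="$1" '$1 !~ /^#/ && $2 == n { print $1; found = 1; exit }
                   END { if (!found) print "unknown" }'
}

# decode_ipfw_line LINE [FILE]: annotate the P:<n> token of one ipfw log line
# with its name, e.g. "Deny P:88 ..." becomes "Deny P:88(eigrp) ...".
# Lines ipfw already prints by name (TCP, UDP, ICMP) pass through unchanged.
decode_ipfw_line() {
    case $1 in
        *" P:"[0-9]*)
            _num=${1##* P:}          # drop everything up to and including " P:"
            _num=${_num%%[!0-9]*}    # keep only the leading digits
            _pre=${1%% P:$_num*}     # text before the token
            _rest=${1#* P:$_num}     # text after the token
            printf '%s P:%s(%s)%s\n' "$_pre" "$_num" "$(proto_name "$_num" "$2")" "$_rest"
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# Constructed sample of "deny log" output (syslog prefix omitted) from a
# gateway whose upstream router multicasts EIGRP hellos to 224.0.0.10 and
# OSPF hellos to 224.0.0.5; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Deny P:88 192.0.2.1 224.0.0.10 in via ed0
Deny P:88 192.0.2.1 224.0.0.10 in via ed0
Deny TCP 198.51.100.7:4321 192.0.2.2:23 in via ed0
Deny P:89 192.0.2.1 224.0.0.5 in via ed0
Deny P:88 192.0.2.1 224.0.0.10 in via ed0
Deny UDP 198.51.100.7:5555 192.0.2.2:111 in via ed0'

# count_denied_protocols [FILE]: read log lines on stdin and print "name count"
# per protocol, most frequent first, so the operator can see what is filling
# the catch-all rule's log and decide which traffic deserves an explicit rule.
count_denied_protocols() {
    while IFS= read -r _line; do
        _tok=$(printf '%s\n' "$_line" | awk '{ print $2 }')
        case $_tok in
            P:*) proto_name "${_tok#P:}" "$1" ;;
            *)   printf '%s\n' "$_tok" | tr 'A-Z' 'a-z' ;;
        esac
    done | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $2, $1 }'
}

# Stand-alone run: decode the exact line from the question, then summarize the
# sample, preferring the host's /etc/protocols when it is readable.
decode_ipfw_line 'Deny P:88 router_IP 224.0.0.10 in via oif' /etc/protocols
printf '%s\n' "$SAMPLE_LOG" | count_denied_protocols /etc/protocols
```

If the gateway itself does not speak EIGRP, the usual follow-up is an explicit non-logging deny for that traffic ahead of the catch-all rule (for example `$fwcmd add deny ip from any to 224.0.0.10 in via ${oif}`), so rule 65534's log only shows what is unexpected.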


From owner-freebsd-ipfw  Wed May 24 18:19:45 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hotmail.com (law-f48.hotmail.com [209.185.130.36])
	by hub.freebsd.org (Postfix) with SMTP id 9A40B37B6F8
	for <freebsd-ipfw@freebsd.org>; Wed, 24 May 2000 18:19:37 -0700 (PDT)
	(envelope-from ronnetron@hotmail.com)
Received: (qmail 90761 invoked by uid 0); 25 May 2000 01:19:36 -0000
Message-ID: <20000525011936.90760.qmail@hotmail.com>
Received: from 63.203.116.218 by www.hotmail.com with HTTP;
	Wed, 24 May 2000 18:19:35 PDT
X-Originating-IP: [63.203.116.218]
From: "Ron Smith" <ronnetron@hotmail.com>
To: freebsd-ipfw@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: sunrpc
Date: Wed, 24 May 2000 18:19:35 PDT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all,

I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close 
'sunrpc' on port 111. I can't seem to find anything specific on how to do 
that at freebsd.org or in "The Complete FreeBSD" or "Building Internet 
Firewalls". 'netstat -na <hostname>' still shows port 111 listening on both 
'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone 
point me in the right direction?

TIA
Ron Smith

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Wed May 24 18:31:39 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from security1.noc.flyingcroc.net (security1.noc.flyingcroc.net [207.246.128.54])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0040637B6F8; Wed, 24 May 2000 18:31:30 -0700 (PDT)
	(envelope-from todd@flyingcroc.net)
Received: from localhost (todd@localhost)
	by security1.noc.flyingcroc.net (8.9.3/8.9.3) with ESMTP id SAA26925;
	Wed, 24 May 2000 18:30:52 -0700 (PDT)
	(envelope-from todd@flyingcroc.net)
X-Authentication-Warning: security1.noc.flyingcroc.net: todd owned process doing -bs
Date: Wed, 24 May 2000 18:30:52 -0700 (PDT)
From: Todd Backman <todd@flyingcroc.net>
X-Sender: todd@security1.noc.flyingcroc.net
To: Ron Smith <ronnetron@hotmail.com>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc
In-Reply-To: <20000525011936.90760.qmail@hotmail.com>
Message-ID: <Pine.BSF.4.10.10005241830020.26916-100000@security1.noc.flyingcroc.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


"sockstat" will help you out...


On Wed, 24 May 2000, Ron Smith wrote:

> Hi all,
> 
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close 
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do 
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet 
> Firewalls". 'netstat -na <hostname>' still shows port 111 listening on both 
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone 
> point me in the right direction?
> 
> TIA
> Ron Smith
> 
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw  Wed May 24 18:31:42 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132])
	by hub.freebsd.org (Postfix) with ESMTP
	id 2831737BBBF; Wed, 24 May 2000 18:31:31 -0700 (PDT)
	(envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1])
	by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id LAA29281;
	Thu, 25 May 2000 11:31:28 +1000 (EST)
Received: from tungsten (tungsten [192.168.70.1])
        by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id LAA13772;
        Thu, 25 May 2000 11:31:27 +1000 (EST)
Message-Id: <200005250131.LAA13772@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: "Ron Smith" <ronnetron@hotmail.com>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc 
In-Reply-To: Your message of "Wed, 24 May 2000 18:19:35 PDT."
             <20000525011936.90760.qmail@hotmail.com> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 25 May 2000 11:31:27 +1000
From: Tony Landells <ahl@austclear.com.au>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

RPC is actually controlled by the portmapper.

You can disable it (assuming you have no other services that want it)
by setting portmap_enable="NO".

Tony





From owner-freebsd-ipfw  Wed May 24 18:33:15 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from usui.sc.newnet.co.uk (usui.sc.newnet.co.uk [212.87.80.10])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0BEC837BC9C; Wed, 24 May 2000 18:33:06 -0700 (PDT)
	(envelope-from peter@newnet.co.uk)
Received: from newnet.co.uk (muktananda.sys.newnet.co.uk [212.87.87.37])
	by usui.sc.newnet.co.uk (8.9.3/8.9.3) with ESMTP id CAA05220;
	Thu, 25 May 2000 02:33:11 +0100 (GMT/BST)
Message-ID: <392C82A9.72A4F673@newnet.co.uk>
Date: Thu, 25 May 2000 02:32:25 +0100
From: Peter Coates <peter@newnet.co.uk>
Organization: South Coast NOC Support Team
X-Mailer: Mozilla 4.7 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Ron Smith <ronnetron@hotmail.com>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc
References: <20000525011936.90760.qmail@hotmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi Ron,

The following two lines should block traffic to port 111
They should be before any rules which enable traffic.

ipfw add deny tcp from any to any 111
ipfw add deny udp from any to any 111


Regards,
Peter
*********************   http://www.newnet.co.uk
FASTEST ISP in the UK  - 100% availability
*********************         Internet Magazine - hosting tests Dec 1999


Ron Smith wrote:
> 
> Hi all,
> 
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet
> Firewalls". 'netstat -na <hostname>' still shows port 111 listening on both
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone
> point me in the right direction?
> 
> TIA
> Ron Smith
> 
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> 




From owner-freebsd-ipfw  Thu May 25  8:20:39 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from entropy.tmok.com (entropy.tmok.com [204.17.163.11])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6DA2C37C539; Thu, 25 May 2000 08:20:24 -0700 (PDT)
	(envelope-from wonko@entropy.tmok.com)
Received: (from wonko@localhost)
	by entropy.tmok.com (8.9.3/8.9.3) id LAA59553;
	Thu, 25 May 2000 11:26:25 -0400 (EDT)
From: Brian Hechinger <wonko@users.tmok.com>
Message-Id: <200005251526.LAA59553@entropy.tmok.com>
Subject: question about natd/ipfw
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Thu, 25 May 2000 11:26:25 -0400 (EDT)
Reply-To: wonko@entropy.tmok.com
X-Useless-Header: why? because i can.
X-Organization: The Ministry of Knowledge
X-Dreams: an OpenWin that is based on current MIT X11 releases
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

NOTE: sorry for the cross-post, tell me which list is more appropriate and i'll
      drop the other one.

a freebsd user has been helping me with this, but this is out of his realm of
experience.  i am setting up a NAT box/router for my Covad/DCA Net DSL link.

i will have two sets of outside IP addresses, a single IP address that will be
bound to my outside interface which comes from covad, and a /29 block from
DCA Net.  the /29 will be routed through the outside interface into the NAT
box, and from there i want to be able to use them as an "outside NAT pool"
externally they will just look like an average domain, but that i will be able
to redirect as i please internally.

so, my question is: what do i do with the /29?  do i create aliases on my 
outside interface for them all?  do i create aliases on my inside interface 
for them all?  do i bind them to lo0? attaching them to the outside interface
seems wrong to me as well as attaching them to the inside interface since
they should be listened to on either interface, hence my thought to bind them
to the loopback device since i view these things as being "virtual".

ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected traffic?


thanks,

-brian




From owner-freebsd-ipfw  Thu May 25  9:34:12 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from relay.ultimanet.com (relay.ultimanet.com [205.179.129.1])
	by hub.freebsd.org (Postfix) with ESMTP id 49CB037C970
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 25 May 2000 09:33:53 -0700 (PDT)
	(envelope-from randy@Cloudfactory.ORG)
Received: from Cloudfactory.ORG (cloudfactory.org [205.179.129.18])
	by relay.ultimanet.com (8.9.3/8.9.3) with ESMTP id KAA07940
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 25 May 2000 10:28:23 -0700
Message-Id: <200005251728.KAA07940@relay.ultimanet.com>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: question about natd/ipfw 
In-Reply-To: Message from Brian Hechinger <wonko@users.tmok.com> 
   of "Thu, 25 May 2000 11:26:25 EDT." <200005251526.LAA59553@entropy.tmok.com> 
Date: Thu, 25 May 2000 09:35:02 -0700
From: Randy Primeaux <randy@Cloudfactory.ORG>
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Did they delegate to you a single IP out of a /24, and a delegated /29?

If so, it sounds to me like they delegated the /29 CIDR block to you in
a way that you could connect their DSL bridge to your edge router;
then on the inside of your edge router would lie the netblock, and
behind that would be a second router running NAT.

DSL <->  static router <-/29-> NAT router <-> private LAN.

modem / cat5 / freebsd0 / hub0 / freebsd1 / hub1 / other hosts

For reference on the Variable Length Subnet Table, see RFC 1878.


Brian Hechinger writes:
> NOTE: sorry for the cross-post, tell me which list is more appropriate and i'll
>       drop the other one.
> 
> a freebsd user has been helping me with this, but this is out of his realm of
> experience.  i am setting up a NAT box/router for my Covad/DCA Net DSL link.
> 
> i will have two sets of outside IP addresses, a single IP address that will be
> bound to my outside interface which comes from covad, and a /29 block from
> DCA Net.  the /29 will be routed through the outside interface into the NAT
> box, and from there i want to be able to use them as an "outside NAT pool"
> externally they will just look like an average domain, but that i will be able
> to redirect as i please internally.
> 
> so, my question is: what do i do with the /29?  do i create aliases on my 
> outside interface for them all?  do i create aliases on my inside interface 
> for them all?  do i bind them to lo0? attaching them to the outside interface
> seems wrong to me as well as attaching them to the inside interface since
> they should be listened to on either interface, hence my thought to bind them
> to the loopback device since i view these things as being "virtual"
> 
> ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected traffic?
> 
> 
> thanks,
> 
> -brian
> 
> 

--
Randy Primeaux
randy@cloudfactory.org         http://cloudfactory.org/~randy/
tranze@hyperreal.org		http://hyperreal.org/~tranze/




From owner-freebsd-ipfw  Thu May 25 11:14:16 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from rapidnet.com (rapidnet.com [205.164.216.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 95DE037B58C; Thu, 25 May 2000 11:14:09 -0700 (PDT)
	(envelope-from nick@rapidnet.com)
Received: from localhost (nick@localhost)
	by rapidnet.com (8.9.3/8.9.3) with ESMTP id MAA81370;
	Thu, 25 May 2000 12:14:03 -0600 (MDT)
Date: Thu, 25 May 2000 12:14:03 -0600 (MDT)
From: Nick Rogness <nick@rapidnet.com>
To: wonko@entropy.tmok.com
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: question about natd/ipfw
In-Reply-To: <200005251526.LAA59553@entropy.tmok.com>
Message-ID: <Pine.BSF.4.05.10005251157050.70178-100000@rapidnet.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 25 May 2000, Brian Hechinger wrote:

> i will have two sets of outside IP addresses, a single IP address that will be
> bound to my outside interface which comes from covad, and a /29 block from
> DCA Net.  the /29 will be routed through the outside interface into the NAT
> box, and from there i want to be able to use them as an "outside NAT pool"
> externally they will just look like an average domain, but that i will be able
> to redirect as i please internally.

	They just statically routed a /29 subnet to your outside IP.
	Nothing unusual about that.  Just set natd to handle them.  It is
	not very hard to implement...see below.

> 
> so, my question is: what do i do with the /29?  do i create aliases on my 
> outside interface for them all?  do i create aliases on my inside interface 
> for them all?  do i bind them to lo0? attaching them to the outside interface

	NO.  do not bind them to your interfaces.  NATd will take care of
	all of that for you.  For example, if your net looked like this:

					    A         B
	DSL --> (Outside ethernet interface)==FreeBSD==(Inside interface) 

	At point A, setup your interface as the single outside IP that was
	given to you.  At point B, you do nothing, keep your inside IP's
	the way they are.  In ipfw rules:

	  ipfw add 150 divert natd ip from any to any (outside_interface)

	In your nat setup (/etc/natd.conf):
	
	  interface outside_interface
	  port 8668
	  redirect_address inside_ip_A outside_IP_from_/29
	  redirect_address inside_ip_B outside_IP_from_/29
	  redirect_address inside_ip_C outside_IP_from_/29
	  redirect_address inside_ip_D outside_IP_from_/29
	  redirect_address inside_ip_E outside_IP_from_/29
	  redirect_address inside_ip_F outside_IP_from_/29

	Start natd:
	 /sbin/natd -f /etc/natd.conf

	This setup will allow you to shift which outside IP goes to which
	internal IP.  You can use redirect_port if you wish for more
	security.

> seems wrong to me as well as attaching them to the inside interface since
> they should be listened to on either interface, hence my thought to bind them
> to the loopback device since i view these things as being "virtual"
> 

	NO.  Do no binding.  It will not work.

> ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected
> traffic?  

	That is because you must add the natd ipfw rule from above and
	setup nat to handle them.


Nick Rogness
- Speak softly and carry a Gigabit switch.







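The natd.conf Nick sketches above, worked through as an added shell example that is not from his reply or from the natd distribution: it pairs the usable addresses of a routed block (network and broadcast skipped, so a /29 gives the six redirect_address lines his sketch shows) with an ordered list of inside hosts and prints the matching divert rule. The block 203.0.113.8/29, the interface fxp0 and the 192.168.1.x inside hosts are constructed values.

```shell
#!/bin/sh
# Added example, not from Nick's reply: derive the natd.conf he describes
# from a routed block and an ordered list of inside hosts. The outside
# block, interface and inside addresses are constructed for illustration.

# ip_to_int: dotted quad -> 32-bit integer, POSIX sh arithmetic only
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int_to_ip: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# usable_hosts CIDR: one usable address per line, network and broadcast
# skipped (a /29 yields six, matching the six redirect_address lines in
# Nick's sketch). Prefixes of /31 or longer yield nothing.
usable_hosts() {
    base=${1%/*}; plen=${1#*/}
    size=$(( 1 << (32 - plen) ))
    ip=$(ip_to_int "$base")
    net=$(( ip - ip % size ))          # clamp to the block's network address
    i=1
    while [ "$i" -lt $(( size - 1 )) ]; do
        int_to_ip $(( net + i ))
        i=$(( i + 1 ))
    done
}

# natd_conf OUTSIDE_IF CIDR INSIDE_IP...: natd.conf text in the syntax of
# Nick's reply (8668 is natd's default divert port), pairing inside hosts
# with the block's usable addresses in order. Fails rather than silently
# dropping hosts once the block is used up.
natd_conf() {
    iface=$1; cidr=$2; shift 2
    printf 'interface %s\nport 8668\n' "$iface"
    n=1
    for inside in "$@"; do
        outside=$(usable_hosts "$cidr" | sed -n "${n}p")
        if [ -z "$outside" ]; then
            echo "natd_conf: $cidr has no free address for $inside" >&2
            return 1
        fi
        printf 'redirect_address %s %s\n' "$inside" "$outside"
        n=$(( n + 1 ))
    done
}

# divert_rule OUTSIDE_IF: the single ipfw rule Nick's reply adds
divert_rule() {
    printf 'ipfw add 150 divert natd ip from any to any via %s\n' "$1"
}

# Constructed values: 203.0.113.8/29 is a documentation block, fxp0 an
# assumed outside interface, 192.168.1.x assumed inside hosts.
divert_rule fxp0
natd_conf fxp0 203.0.113.8/29 192.168.1.10 192.168.1.11 192.168.1.12
```

Redirect the output of natd_conf into the file you pass to natd -f; the redirect_address lines can be reordered later to move an outside address to a different inside host, which is the flexibility Nick points out.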


From owner-freebsd-ipfw  Fri May 26  1: 1:34 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from Inter.barmentlo.net (inter.barmentlo.net [195.38.241.249])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8DF0237B5E4; Fri, 26 May 2000 01:01:27 -0700 (PDT)
	(envelope-from patrick@barmentlo.net)
Received: from mail.barmentlo.net (cable.barmentlo.net [195.38.232.12])
	by Inter.barmentlo.net (8.9.3/8.9.2) with ESMTP id KAA27631;
	Fri, 26 May 2000 10:01:26 +0200 (CEST)
Received: from localhost (pbm@localhost)
	by mail.barmentlo.net (8.10.0/8.9.2) with ESMTP id e4Q81Ql87224;
	Fri, 26 May 2000 10:01:26 +0200 (CEST)
Date: Fri, 26 May 2000 10:01:25 +0200 (CEST)
From: Patrick Barmentlo <patrick@barmentlo.net>
X-Sender: pbm@anthrax.barmentlo.net
To: Ron Smith <ronnetron@hotmail.com>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc
In-Reply-To: <20000525011936.90760.qmail@hotmail.com>
Message-ID: <Pine.BSF.4.21.0005260959560.75432-100000@anthrax.barmentlo.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG



Hi,

Why not deny all by default and just allow what you want instead?
(Must be a lot fewer rules then.. ;-)

patrick



On Wed, 24 May 2000, Ron Smith wrote:

> Hi all,
> 
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close 
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do 
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet 
> Firewalls". 'netstat -na <hostname>' still shows port 111 listening on both 
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone 
> point me in the right direction?
> 
> TIA
> Ron Smith
> 
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> 
> 
> 
> 

--
Patrick Barmentlo
patrick@barmentlo.nl - pgp key ID 0x8E372335



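The three replies in this thread (Tony: portmap_enable="NO"; Peter: deny rules for port 111 placed before the allow rules; Patrick: deny by default), brought together as an added shell example that is not from any of the posters: it audits an 'ipfw list' dump for the ordering Peter requires and prints the configuration lines the thread arrived at. The rule listings are constructed samples, not output from a real host.

```shell
#!/bin/sh
# Added example (not from the list posts): check that the port 111 deny
# rules from Peter's reply are ordered ahead of any broad allow rule, and
# print the configuration lines the thread arrived at.

# rpc_rule_order PROTO < listing
# Reads 'ipfw list' output (no counters) on stdin and prints:
#   ok       a deny rule for PROTO port 111 exists and precedes every
#            "allow ip|PROTO from any to any" rule that carries no port
#   late     the deny exists but a broad allow numbers below it, so ipfw
#            matches the allow first and the deny never fires
#   missing  no deny rule for PROTO port 111 at all
rpc_rule_order() {
    awk -v proto="$1" '
        # fields: $1 rule number, $2 action, $3 proto, $4 from, $5 src,
        #         $6 to, $7 dst, $8 port or "via" (NF == 7 means no port)
        $2 == "allow" && ($3 == "ip" || $3 == proto) && $5 == "any" &&
            $7 == "any" && NF == 7 && first_allow == "" {
                first_allow = $1 + 0
            }
        $2 == "deny" && $3 == proto && $7 == "any" && $8 == "111" &&
            deny == "" {
                deny = $1 + 0
            }
        END {
            if (deny == "")                                   print "missing"
            else if (first_allow != "" && deny > first_allow) print "late"
            else                                              print "ok"
        }'
}

# rpc_close_lines: the two changes the thread settled on. Disabling the
# portmapper removes the listener itself; the deny rules are numbered
# explicitly because a bare "ipfw add" appends after the existing rules,
# i.e. after the allows, which is exactly the "late" case above.
rpc_close_lines() {
    cat <<'EOF'
# /etc/rc.conf
portmap_enable="NO"
# ipfw, numbered ahead of the allow rules
ipfw add 300 deny tcp from any to any 111
ipfw add 310 deny udp from any to any 111
EOF
}

# Constructed 'ipfw list' samples (not from a real host).
GOOD_LIST='00100 allow ip from any to any via lo0
00300 deny tcp from any to any 111
00310 deny udp from any to any 111
65000 allow ip from any to any
65535 deny ip from any to any'
LATE_LIST='00100 allow ip from any to any
00200 deny tcp from any to any 111
65535 deny ip from any to any'

for proto in tcp udp; do
    printf 'good sample, %s: %s\n' "$proto" "$(printf '%s\n' "$GOOD_LIST" | rpc_rule_order "$proto")"
    printf 'late sample, %s: %s\n' "$proto" "$(printf '%s\n' "$LATE_LIST" | rpc_rule_order "$proto")"
done
rpc_close_lines
```

On a live box, 'ipfw list | rpc_rule_order tcp' runs the same check against the loaded rule set, and 'sockstat' (Todd's suggestion) confirms whether anything still listens on 111 after the portmapper is disabled.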


From owner-freebsd-ipfw  Fri May 26  6:45:37 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from bsdhome.dyndns.org (rdu25-18-195.nc.rr.com [24.25.18.195])
	by hub.freebsd.org (Postfix) with ESMTP id 2506437BC75
	for <freebsd-ipfw@freebsd.org>; Fri, 26 May 2000 06:45:30 -0700 (PDT)
	(envelope-from bsd@bsdhome.com)
Received: from vger.bsdhome.com (vger [192.168.220.2])
	by bsdhome.dyndns.org (8.9.3/8.9.3) with ESMTP id JAA21934
	for <freebsd-ipfw@freebsd.org>; Fri, 26 May 2000 09:47:27 -0400 (EDT)
	(envelope-from bsd@bsdhome.com)
Received: from localhost (bsd@localhost)
	by vger.bsdhome.com (8.9.3/8.9.3) with ESMTP id JAA12347;
	Fri, 26 May 2000 09:45:28 -0400 (EDT)
	(envelope-from bsd@vger.bsdhome.com)
Date: Fri, 26 May 2000 09:45:28 -0400 (EDT)
From: Brian Dean <bsd@bsdhome.com>
To: freebsd-ipfw@freebsd.org
Subject: ipfw log message question
Message-ID: <Pine.BSF.4.21.0005260940220.12326-100000@vger.bsdhome.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

Several of these showed up in my ipfw logs yesterday for the first
time.  Can someone explain what caused this?  The rule number appears
to be '-1'.  What's going on here?  (I've replaced the actual IP
numbers to protect the innocent).  No port numbers were specified with
the addresses.

May 25 17:45:26 smtp /kernel: ipfw: -1 Refuse TCP <remote_ip> <local_ip> in via xl1 Fragment = 184

This is on 4.0-STABLE cvs update'd around May 19.

Thanks,
-Brian





From owner-freebsd-ipfw  Fri May 26 16:49:11 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from fw.matchcraft.com (fw.matchcraft.com [207.155.101.2])
	by hub.freebsd.org (Postfix) with ESMTP id A7AFE37B850
	for <freebsd-ipfw@freebsd.org>; Fri, 26 May 2000 16:49:08 -0700 (PDT)
	(envelope-from tony@matchcraft.com)
Received: from mail.matchcraft.com (ns.matchcraft.com [172.16.0.159])
	by fw.matchcraft.com (Postfix) with ESMTP id A618D561C9
	for <freebsd-ipfw@freebsd.org>; Fri, 26 May 2000 16:47:37 -0700 (PDT)
Received: from matchcraft.com (sleestack [172.16.0.231])
	by mail.matchcraft.com (Postfix) with ESMTP id 82F8C2EFA5
	for <freebsd-ipfw@freebsd.org>; Fri, 26 May 2000 16:48:42 -0700 (PDT)
Message-ID: <392F0D73.E15077E1@matchcraft.com>
Date: Fri, 26 May 2000 16:49:07 -0700
From: Tony Hayes <tony@matchcraft.com>
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Subject: IP/Port Forwarding
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hey,

I got one I've been trying to figure out for the last two weeks...
Here's the situation: I have a FreeBSD box running both ipfw and natd.
I need to be able to forward any ssh packets coming in to the external
interface to an internal address at the same port, i.e. I want to be able
to ssh from anywhere on the outside and be forwarded to an internal box.

Here's the rule list I'm using:

ipfw add divert natd all from any to any via fxp1
ipfw add allow ip from any to any via lo0
ipfw add deny ip from any to 127.0.0.1
ipfw add allow ip from any to any
ipfw add allow tcp from any to any
ipfw add allow udp from any to any
-Default rule is deny ip from any to any.

natd -p 8668 -n fxp1 -redirect_port tcp 172.16.0.250:22 209.157.63.5:22


This appears to half work. natd only shows incoming traffic destined for
the internal address. I ran natd in verbose mode to make sure the
aliasing was correct (which it was).

I ran a tcpdump on the internal box, and saw the packets coming and
going on port 22. The problem is, the aliasing seems only to be working
in one direction (incoming). None of the outgoing packets go through the
fw.

In the verbose output of natd, it shows  "IN" for the incoming packets
and "OUT" for the outgoing.  I could see the incoming ssh packets and
could verify they are aliased for the correct destination. The problem
was that there were no outgoing packets for ssh. There were other
outgoing packets, but none for ssh.

This seems very odd to me because I could see ssh packets coming in on
the internal box, yet none of the packets are aliased back to the
original source.

Any help would be greatly appreciated.

Tony


