From owner-freebsd-ipfw Mon May 22 12:17:52 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from hotmail.com (law-f195.hotmail.com [209.185.130.105]) by hub.freebsd.org (Postfix) with SMTP id ACD5537BB61 for ; Mon, 22 May 2000 12:17:33 -0700 (PDT) (envelope-from ronnetron@hotmail.com)
Received: (qmail 61405 invoked by uid 0); 22 May 2000 19:17:33 -0000
Message-ID: <20000522191733.61404.qmail@hotmail.com>
Received: from 63.203.116.218 by www.hotmail.com with HTTP; Mon, 22 May 2000 12:17:33 PDT
X-Originating-IP: [63.203.116.218]
From: "Ron Smith"
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org
Subject: Non-existent domain
Date: Mon, 22 May 2000 12:17:33 PDT
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all,

O.K. gang I need your help on this one. I have a particular problem that I
can't seem to solve on my own. Here's what's happening:

I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything
works fine for those on the LAN when browsing HTTP. DNS is also running on
this machine as primary and I have a name server at the ISP as secondary.
However, the problem is that when looking for the domain name "crcfx.com"
out on the web, it's not seen. An error message comes up saying: "A network
error occurred: Unable to connect to server. The server may be down or
unreachable." Also, I don't get a proper response, from outside our LAN,
when doing an 'nslookup stargate.crcfx.com', which has the primary DNS
running locally. This is preventing us from putting other services on-line,
such as 'HTTP' and 'SMTP'. I've talked to several sources (including my
ISP), to no avail. There's lots of confusion all around. I have a suspicion
my problem may stem from the way my zones are set up, or the firewall rules,
but I'm not sure.
Anyway, here are the details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ping 127.0.0.1 (loopback)
ping 192.x.x.1 (inside interface)
ping 63.x.x.218 (outside interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All show 0% packet loss.

~~~~~~~~~~~~~~~
'rc.conf' says:
~~~~~~~~~~~~~~~

# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #
ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0"
ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
hostname="stargate.crcfx.com"
linux_enable="YES"
moused_enable="YES"
gateway_enable="YES"
defaultrouter="63.x.x.217"
# -- The following deltas were generated by Ron Smith on Apr. 17, 2000
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
inetd_enable="NO"
sendmail_enable="NO"
dumpdev=/dev/wd0s1b
natd_enable="YES"
natd_interface="pn0"
named_enable="YES"

~~~~~~~~~~~~~~~~~~~
'rc.firewall' says:
~~~~~~~~~~~~~~~~~~~

# set these to your outside interface network and netmask and ip
oif="pn0"
onet="63.x.x.216"
omask="255.255.255.248"
oip="63.x.x.218"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.x.x.0"
imask="255.255.255.0"
iip="192.x.x.1"

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
#$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow ICMP inside only
#$fwcmd add deny icmp from any to any via ${oif}
#$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
#$fwcmd add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
$fwcmd add pass udp from ${inet}:${imask} to any 53

# Allow stuff to 192 net in from the outside, since we're
# checking after NAT does the conversion
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}

# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123

# Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
        $fwcmd ${firewall_type}
fi

~~~~~~~~~~~~~~~~~~~~~~~
'whois crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~

Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: CRCFX.COM
   Registrar: REGISTER.COM, INC.
   Whois Server: whois.register.com
   Referral URL: www.register.com
   Name Server: NS1.PBI.NET
   Name Server: STARGATE.CRCFX.COM
   Updated Date: 28-apr-200

>>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Access to register.com's WHOIS information is for informational purposes
only. Register.com makes this information available "as is," and does not
guarantee its accuracy.
The compilation, repackaging, dissemination or other use of register.com's
WHOIS information in its entirety, or a substantial portion thereof, is
expressly prohibited without the prior written consent of register.com. By
accessing and using our WHOIS information, you agree to these terms.

Organization:
   Cinema Research Corp
   6860 Lexington Ave
   Hollywood, CA 90038
   US

Registrar..: Register.com (http://www.register.com)
Domain Name: CRCFX.COM
   Created on..............: Fri, Mar 24, 2000
   Expires on..............: Sat, Mar 24, 2001
   Record last updated on..: Fri, Apr 28, 2000

Administrative Contact:
   Smith, Ron  ronnetron@hotmail.com
   323-460-4111

Technical Contact, Zone Contact:
   Internic, Registrar  internic-free@register.com
   212-594-988

Domain servers in listed order:

   STARGATE.CRCFX.COM   63.x.x.218
   NS1.PBI.NET          206.13.28.11

Register your domain name at http://www.register.com

~~~~~~~~~~~~~~~~~
ifconfig -a says:
~~~~~~~~~~~~~~~~~

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255

pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'netstat -na crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
icmp       0      0  *.*                    *.*
tcp        0      0  *.111                  *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
tcp        0      0  63.x.x.218.53          *.*                    LISTEN
tcp        0      0  192.x.x.1.53           *.*                    LISTEN
udp        0      0  *.111                  *.*
udp        0      0  *.1024                 *.*
udp        0      0  127.0.0.1.53           *.*
udp        0      0  63.x.x.218.53          *.*
udp        0      0  192.x.x.1.53           *.*
udp        0      0  *.514                  *.*

~~~~~~~~~~~~~~~~~~~~~
'db.crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~

; Definition of zone crcfx.com
crcfx.com.      IN SOA  stargate.crcfx.com. root.crcfx.com. (
                        2000042901 ; Serial (date, two digits version of day)
                        86400      ; refresh (1 day)
                        7200       ; retry (2 hours)
                        8640000    ; expire (100 days)
                        86400 )    ; minimum (1 day)

; name servers
                IN NS   stargate.crcfx.com.
                IN NS   ns1.pbi.net.
                IN NS   ns2.pbi.net.
stargate        IN A    63.x.x.218
ns1.pbi.net.    IN A    206.13.28.11
ns2.pbi.net.    IN A    206.13.29.11

~~~~~~~~~~~~~~~~~~~~~
'crcfx-reverse' says:
~~~~~~~~~~~~~~~~~~~~~

@       IN SOA  stargate.crcfx.com. root.crcfx.com. (
                        2000042901 ; Serial (date, 2 digits version of day)
                        86400      ; refresh (1 day)
                        7200       ; retry (2 hours)
                        8640000    ; expire (100 days)
                        86400 )    ; minimum (1 day)

        IN NS   stargate.crcfx.com.
        IN NS   ns1.pbi.net.
        IN NS   ns2.pbi.net.

218.x.x.63.in-addr.arpa     IN PTR  stargate.crcfx.com.
11.28.13.206.in-addr.arpa   IN PTR  ns1.pbi.net.
11.29.13.206.in-addr.arpa   IN PTR  ns2.pbi.net.

~~~~~~~~~~~~~~~~~~~~~
'localhost.rev' says:
~~~~~~~~~~~~~~~~~~~~~

; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

@       IN SOA  stargate.crcfx.com. root.stargate.crcfx.com. (
                        2000042901 ; Serial
                        86400      ; Refresh (1 day)
                        7200       ; Retry (2 hours)
                        8640000    ; Expire (100 days)
                        86400 )    ; Minimum
        IN NS   stargate.crcfx.com.
1       IN PTR  localhost.crcfx.com.

~~~~~~~~~~~~~~~~~~~
'resolv.conf' says:
~~~~~~~~~~~~~~~~~~~

domain crcfx.com
nameserver 127.0.0.1
nameserver 192.x.x.1
nameserver 63.x.x.218
nameserver 206.13.28.11
nameserver 206.13.29.11

~~~~~~~~~~~~~~~~~~
'named.conf' says:
~~~~~~~~~~~~~~~~~~

options {
        directory "/etc/namedb";

        forwarders {
                206.13.28.11;
        };

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};

zone "crcfx.com" {
        type master;
        file "db.crcfx.com";
};

zone "0.x.192.IN-ADDR.ARPA" {
        type master;
        file "crcfx-reverse";

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry, this is a lot to swallow, but they are all the pertinent files, in
regards to the problem.
I would appreciate any feedback on how to get our local name server to do
proper zone transfers to our upstream ISP, and to get a proper 'nslookup
stargate.crcfx.com' from outside our LAN ...same thing.

TIA
Ron

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw Mon May 22 12:50: 0 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from arf.bussert.COM (arf.bussert.com [209.183.67.130]) by hub.freebsd.org (Postfix) with ESMTP id 5B89537BB5A; Mon, 22 May 2000 12:49:44 -0700 (PDT) (envelope-from matheny@bussert.com)
Received: from localhost (matheny@localhost) by arf.bussert.COM (8.9.3/8.9.3) with ESMTP id PAA09142; Mon, 22 May 2000 15:19:23 -0500 (EST) (envelope-from matheny@bussert.com)
Date: Mon, 22 May 2000 15:19:23 -0500 (EST)
From: Blake Matheny
To: Ron Smith
Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Non-existent domain
In-Reply-To: <20000522191733.61404.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I had this problem before, I had to add an A record in dns on the firewall
for the web server. For instance, let's say bussert.com was hosted at
111.111.111.111, I had to add that in the dns records. Add the following
records to be able to browse:

@       IN A    ipaddressofwebserver
www     IN A    ipaddressofwebserver

The first line will allow for resolution of crcfx.com, the second line will
allow for resolution of www.crcfx.com. I /think/ that answered your
question, but I was a little unclear, let me know if that helps.

-Blake

Blake Matheny
Bussert Consulting
Network Engineer
(765)423-2100
matheny@bussert.com

On Mon, 22 May 2000, Ron Smith wrote:

> Hi all,
>
> O.K. gang I need your help on this one.
> I have a particular problem that I
> can't seem to solve on my own. Here's what's happening:
>
> I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything
> works fine for those on the LAN when browsing HTTP. DNS is also running on
> this machine as primary and I have a name server at the ISP as secondary.
> However, the problem is that when looking for the domain name "crcfx.com"
> out on the web, it's not seen. An error message comes up saying: "A network
> error occurred: Unable to connect to server. The server may be down or
> unreachable." Also, I don't get a proper response, from outside our LAN,
> when doing an 'nslookup stargate.crcfx.com', which has the primary DNS
> running locally. This is preventing us from putting other services on-line,
> such as 'HTTP' and 'SMTP'. I've talked to several sources (including my
> ISP), to no avail. There's lots of confusion all around. I have a suspicion
> my problem may stem from the way my zones are set up, or the firewall rules,
> but I'm not sure. Anyway, here are the details:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ping 127.0.0.1 (loopback)
> ping 192.x.x.1 (inside interface)
> ping 63.x.x.218 (outside interface)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> All show 0% packet loss.
>
> ~~~~~~~~~~~~~~~
> 'rc.conf' says:
> ~~~~~~~~~~~~~~~
>
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> # -- sysinstall generated deltas -- #
> ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0"
> ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
> hostname="stargate.crcfx.com"
> linux_enable="YES"
> moused_enable="YES"
> gateway_enable="YES"
> defaultrouter="63.x.x.217"
> # -- The following deltas were generated by Ron Smith on Apr. 17, 2000
> firewall_enable="YES"
> firewall_type="simple"
> firewall_script="/etc/rc.firewall"
> inetd_enable="NO"
> sendmail_enable="NO"
> dumpdev=/dev/wd0s1b
> natd_enable="YES"
> natd_interface="pn0"
> named_enable="YES"
>
> ~~~~~~~~~~~~~~~~~~~
> 'rc.firewall' says:
> ~~~~~~~~~~~~~~~~~~~
>
> # set these to your outside interface network and netmask and ip
> oif="pn0"
> onet="63.x.x.216"
> omask="255.255.255.248"
> oip="63.x.x.218"
>
> # set these to your inside interface network and netmask and ip
> iif="fxp0"
> inet="192.x.x.0"
> imask="255.255.255.0"
> iip="192.x.x.1"
>
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
> #$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> # Allow ICMP inside only
> #$fwcmd add deny icmp from any to any via ${oif}
> #$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}
>
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
>
> # Allow setup of incoming email
> #$fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
>
> # Allow access to our WWW
> #$fwcmd add pass tcp from any to ${oip} 80 setup
>
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
> $fwcmd add pass udp from ${inet}:${imask} to any 53
>
> # Allow stuff to 192 net in from the outside, since we're
> # checking after NAT does the conversion
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}
>
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${oip}
> $fwcmd add pass udp from ${oip} to any 123
>
> # Everything else is denied as default.
>
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
>         $fwcmd ${firewall_type}
> fi
>
> ~~~~~~~~~~~~~~~~~~~~~~~
> 'whois crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~
>
> Whois Server Version 1.1
>
> Domain names in the .com, .net, and .org domains can now be registered
> with many different competing registrars. Go to http://www.internic.net
> for detailed information.
>
>    Domain Name: CRCFX.COM
>    Registrar: REGISTER.COM, INC.
>    Whois Server: whois.register.com
>    Referral URL: www.register.com
>    Name Server: NS1.PBI.NET
>    Name Server: STARGATE.CRCFX.COM
>    Updated Date: 28-apr-200
>
> >>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<
>
> The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
> Registrars.
>
> Access to register.com's WHOIS information is for informational purposes
> only. Register.com makes this information available "as is," and does not
> guarantee its accuracy. The compilation, repackaging, dissemination or
> other use of register.com's WHOIS information in its entirety, or a
> substantial portion thereof, is expressly prohibited without the prior
> written consent of register.com. By accessing and using our WHOIS
> information, you agree to these terms.
>
> Organization:
>    Cinema Research Corp
>    6860 Lexington Ave
>    Hollywood, CA 90038
>    US
>
> Registrar..: Register.com (http://www.register.com)
> Domain Name: CRCFX.COM
>    Created on..............: Fri, Mar 24, 2000
>    Expires on..............: Sat, Mar 24, 2001
>    Record last updated on..: Fri, Apr 28, 2000
>
> Administrative Contact:
>    Smith, Ron  ronnetron@hotmail.com
>    323-460-4111
>
> Technical Contact, Zone Contact:
>    Internic, Registrar  internic-free@register.com
>    212-594-988
>
> Domain servers in listed order:
>
>    STARGATE.CRCFX.COM   63.x.x.218
>    NS1.PBI.NET          206.13.28.11
>
> Register your domain name at http://www.register.com
>
> ~~~~~~~~~~~~~~~~~
> ifconfig -a says:
> ~~~~~~~~~~~~~~~~~
>
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255
>
> pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 'netstat -na crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> icmp       0      0  *.*                    *.*
> tcp        0      0  *.111                  *.*                    LISTEN
> tcp        0      0  127.0.0.1.53           *.*                    LISTEN
> tcp        0      0  63.x.x.218.53          *.*                    LISTEN
> tcp        0      0  192.x.x.1.53           *.*                    LISTEN
> udp        0      0  *.111                  *.*
> udp        0      0  *.1024                 *.*
> udp        0      0  127.0.0.1.53           *.*
> udp        0      0  63.x.x.218.53          *.*
> udp        0      0  192.x.x.1.53           *.*
> udp        0      0  *.514                  *.*
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'db.crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> ; Definition of zone crcfx.com
> crcfx.com.      IN SOA  stargate.crcfx.com. root.crcfx.com. (
>                         2000042901 ; Serial (date, two digits version of day)
>                         86400      ; refresh (1 day)
>                         7200       ; retry (2 hours)
>                         8640000    ; expire (100 days)
>                         86400 )    ; minimum (1 day)
>
> ; name servers
>                 IN NS   stargate.crcfx.com.
>                 IN NS   ns1.pbi.net.
>                 IN NS   ns2.pbi.net.
> stargate        IN A    63.x.x.218
> ns1.pbi.net.    IN A    206.13.28.11
> ns2.pbi.net.    IN A    206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'crcfx-reverse' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> @       IN SOA  stargate.crcfx.com. root.crcfx.com. (
>                         2000042901 ; Serial (date, 2 digits version of day)
>                         86400      ; refresh (1 day)
>                         7200       ; retry (2 hours)
>                         8640000    ; expire (100 days)
>                         86400 )    ; minimum (1 day)
>
>         IN NS   stargate.crcfx.com.
>         IN NS   ns1.pbi.net.
>         IN NS   ns2.pbi.net.
>
> 218.x.x.63.in-addr.arpa     IN PTR  stargate.crcfx.com.
> 11.28.13.206.in-addr.arpa   IN PTR  ns1.pbi.net.
> 11.29.13.206.in-addr.arpa   IN PTR  ns2.pbi.net.
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'localhost.rev' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> ; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
> ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
> ;
> ; This file is automatically edited by the `make-localhost' script in
> ; the /etc/namedb directory.
> ;
>
> @       IN SOA  stargate.crcfx.com. root.stargate.crcfx.com. (
>                         2000042901 ; Serial
>                         86400      ; Refresh (1 day)
>                         7200       ; Retry (2 hours)
>                         8640000    ; Expire (100 days)
>                         86400 )    ; Minimum
>         IN NS   stargate.crcfx.com.
> 1       IN PTR  localhost.crcfx.com.
>
> ~~~~~~~~~~~~~~~~~~~
> 'resolv.conf' says:
> ~~~~~~~~~~~~~~~~~~~
>
> domain crcfx.com
> nameserver 127.0.0.1
> nameserver 192.x.x.1
> nameserver 63.x.x.218
> nameserver 206.13.28.11
> nameserver 206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~
> 'named.conf' says:
> ~~~~~~~~~~~~~~~~~~
>
> options {
>         directory "/etc/namedb";
>
>         forwarders {
>                 206.13.28.11;
>         };
>
> zone "." {
>         type hint;
>         file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
>         type master;
>         file "localhost.rev";
> };
>
> zone "crcfx.com" {
>         type master;
>         file "db.crcfx.com";
> };
>
> zone "0.x.192.IN-ADDR.ARPA" {
>         type master;
>         file "crcfx-reverse";
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Sorry, this is a lot to swallow, but they are all the pertinent files, in
> regards to the problem. I would appreciate any feedback on how to get our
> local name server to do proper zone transfers to our upstream ISP, and to
> get a proper 'nslookup stargate.crcfx.com' from outside our LAN ...same
> thing.
>
> TIA
> Ron


From owner-freebsd-ipfw Tue May 23  5:33:44 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from apollo.ocsny.com (apollo.ocsny.com [204.107.76.2]) by hub.freebsd.org (Postfix) with ESMTP id 007F537B9B6; Tue, 23 May 2000 05:33:15 -0700 (PDT) (envelope-from mikel@ocsny.com)
Received: from ocsny.com (thoth.upan.org [204.107.76.16]) by apollo.ocsny.com (8.9.2/8.9.3) with ESMTP id IAA89254; Tue, 23 May 2000 08:31:02 -0400 (EDT)
Message-ID: <392A7B0B.ADB515FD@ocsny.com>
Date: Tue, 23 May 2000 08:35:23 -0400
From: Mikel
Organization: Optimized Computer Solutions, Inc.
X-Mailer: Mozilla 4.73 [en] (Win98; U)
X-Accept-Language: en,it
MIME-Version: 1.0
To: Ron Smith
Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Non-existent domain
References: <20000522191733.61404.qmail@hotmail.com>
Content-Type: multipart/mixed; boundary="------------C455D02C0A2C666CF8F47901"
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Uh Ron, check your firewall rules....I've taken the liberty of highlighting
those that I feel are suspect....
--
Cheers,
Mikel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Optimized Computer Solutions, Inc        http://www.ocsny.com
| 39 W14th Street, Suite 203                   212 727 2238  x132
| New York, NY 10011
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

Ron Smith wrote:

> Hi all,
>
> O.K. gang I need your help on this one. I have a particular problem that I
> can't seem to solve on my own. Here's what's happening:
>
> I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything
> works fine for those on the LAN when browsing HTTP. DNS is also running on
> this machine as primary and I have a name server at the ISP as secondary.
> However, the problem is that when looking for the domain name "crcfx.com"
> out on the web, it's not seen. An error message comes up saying: "A network
> error occurred: Unable to connect to server. The server may be down or
> unreachable." Also, I don't get a proper response, from outside our LAN,
> when doing an 'nslookup stargate.crcfx.com', which has the primary DNS
> running locally. This is preventing us from putting other services on-line,
> such as 'HTTP' and 'SMTP'. I've talked to several sources (including my
> ISP), to no avail. There's lots of confusion all around. I have a suspicion
> my problem may stem from the way my zones are set up, or the firewall rules,
> but I'm not sure. Anyway, here are the details:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ping 127.0.0.1 (loopback)
> ping 192.x.x.1 (inside interface)
> ping 63.x.x.218 (outside interface)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> All show 0% packet loss.
>
> ~~~~~~~~~~~~~~~
> 'rc.conf' says:
> ~~~~~~~~~~~~~~~
>
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> # -- sysinstall generated deltas -- #
> ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0"
> ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
> hostname="stargate.crcfx.com"
> linux_enable="YES"
> moused_enable="YES"
> gateway_enable="YES"
> defaultrouter="63.x.x.217"
> # -- The following deltas were generated by Ron Smith on Apr. 17, 2000
> firewall_enable="YES"
> firewall_type="simple"
> firewall_script="/etc/rc.firewall"
> inetd_enable="NO"
> sendmail_enable="NO"
> dumpdev=/dev/wd0s1b
> natd_enable="YES"
> natd_interface="pn0"
> named_enable="YES"
>
> ~~~~~~~~~~~~~~~~~~~
> 'rc.firewall' says:
> ~~~~~~~~~~~~~~~~~~~
>
> # set these to your outside interface network and netmask and ip
> oif="pn0"
> onet="63.x.x.216"
> omask="255.255.255.248"
> oip="63.x.x.218"
>
> # set these to your inside interface network and netmask and ip
> iif="fxp0"
> inet="192.x.x.0"
> imask="255.255.255.0"
> iip="192.x.x.1"
>
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
> #$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> # Allow ICMP inside only
> #$fwcmd add deny icmp from any to any via ${oif}
> #$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}
>
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
>
> # Allow setup of incoming email
> #$fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
>
> # Allow access to our WWW
> #$fwcmd add pass tcp from any to ${oip} 80 setup
>
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
> $fwcmd add pass udp from ${inet}:${imask} to any 53
>
> # Allow stuff to 192 net in from the outside, since we're
> # checking after NAT does the conversion
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}
>
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${oip}
> $fwcmd add pass udp from ${oip} to any 123
>
> # Everything else is denied as default.
>
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
>         $fwcmd ${firewall_type}
> fi
>
> ~~~~~~~~~~~~~~~~~~~~~~~
> 'whois crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~
>
> Whois Server Version 1.1
>
> Domain names in the .com, .net, and .org domains can now be registered
> with many different competing registrars. Go to http://www.internic.net
> for detailed information.
>
>    Domain Name: CRCFX.COM
>    Registrar: REGISTER.COM, INC.
>    Whois Server: whois.register.com
>    Referral URL: www.register.com
>    Name Server: NS1.PBI.NET
>    Name Server: STARGATE.CRCFX.COM
>    Updated Date: 28-apr-200
>
> >>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<
>
> The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
> Registrars.
>
> Access to register.com's WHOIS information is for informational purposes
> only. Register.com makes this information available "as is," and does not
> guarantee its accuracy. The compilation, repackaging, dissemination or
> other use of register.com's WHOIS information in its entirety, or a
> substantial portion thereof, is expressly prohibited without the prior
> written consent of register.com. By accessing and using our WHOIS
> information, you agree to these terms.
>
> Organization:
>    Cinema Research Corp
>    6860 Lexington Ave
>    Hollywood, CA 90038
>    US
>
> Registrar..: Register.com (http://www.register.com)
> Domain Name: CRCFX.COM
>    Created on..............: Fri, Mar 24, 2000
>    Expires on..............: Sat, Mar 24, 2001
>    Record last updated on..: Fri, Apr 28, 2000
>
> Administrative Contact:
>    Smith, Ron  ronnetron@hotmail.com
>    323-460-4111
>
> Technical Contact, Zone Contact:
>    Internic, Registrar  internic-free@register.com
>    212-594-988
>
> Domain servers in listed order:
>
>    STARGATE.CRCFX.COM   63.x.x.218
>    NS1.PBI.NET          206.13.28.11
>
> Register your domain name at http://www.register.com
>
> ~~~~~~~~~~~~~~~~~
> ifconfig -a says:
> ~~~~~~~~~~~~~~~~~
>
> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255
>
> pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 'netstat -na crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> icmp       0      0  *.*                    *.*
> tcp        0      0  *.111                  *.*                    LISTEN
> tcp        0      0  127.0.0.1.53           *.*                    LISTEN
> tcp        0      0  63.x.x.218.53          *.*                    LISTEN
> tcp        0      0  192.x.x.1.53           *.*                    LISTEN
> udp        0      0  *.111                  *.*
> udp        0      0  *.1024                 *.*
> udp        0      0  127.0.0.1.53           *.*
> udp        0      0  63.x.x.218.53          *.*
> udp        0      0  192.x.x.1.53           *.*
> udp        0      0  *.514                  *.*
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'db.crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> ; Definition of zone crcfx.com
> crcfx.com.      IN SOA  stargate.crcfx.com. root.crcfx.com. (
>                         2000042901 ; Serial (date, two digits version of day)
>                         86400      ; refresh (1 day)
>                         7200       ; retry (2 hours)
>                         8640000    ; expire (100 days)
>                         86400 )    ; minimum (1 day)
>
> ; name servers
>                 IN NS   stargate.crcfx.com.
>                 IN NS   ns1.pbi.net.
>                 IN NS   ns2.pbi.net.
> stargate        IN A    63.x.x.218
> ns1.pbi.net.    IN A    206.13.28.11
> ns2.pbi.net.    IN A    206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'crcfx-reverse' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> @       IN SOA  stargate.crcfx.com. root.crcfx.com. (
>                         2000042901 ; Serial (date, 2 digits version of day)
>                         86400      ; refresh (1 day)
>                         7200       ; retry (2 hours)
>                         8640000    ; expire (100 days)
>                         86400 )    ; minimum (1 day)
>
>         IN NS   stargate.crcfx.com.
>         IN NS   ns1.pbi.net.
>         IN NS   ns2.pbi.net.
>
> 218.x.x.63.in-addr.arpa     IN PTR  stargate.crcfx.com.
> 11.28.13.206.in-addr.arpa   IN PTR  ns1.pbi.net.
> 11.29.13.206.in-addr.arpa   IN PTR  ns2.pbi.net.
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'localhost.rev' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> ; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
> ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
> ;
> ; This file is automatically edited by the `make-localhost' script in
> ; the /etc/namedb directory.
> ;
>
> @       IN SOA  stargate.crcfx.com. root.stargate.crcfx.com. (
>                         2000042901 ; Serial
>                         86400      ; Refresh (1 day)
>                         7200       ; Retry (2 hours)
>                         8640000    ; Expire (100 days)
>                         86400 )    ; Minimum
>         IN NS   stargate.crcfx.com.
> 1       IN PTR  localhost.crcfx.com.
>
> ~~~~~~~~~~~~~~~~~~~
> 'resolv.conf' says:
> ~~~~~~~~~~~~~~~~~~~
>
> domain crcfx.com
> nameserver 127.0.0.1
> nameserver 192.x.x.1
> nameserver 63.x.x.218
> nameserver 206.13.28.11
> nameserver 206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~
> 'named.conf' says:
> ~~~~~~~~~~~~~~~~~~
>
> options {
>         directory "/etc/namedb";
>
>         forwarders {
>                 206.13.28.11;
>         };
>
> zone "." {
>         type hint;
>         file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
>         type master;
>         file "localhost.rev";
> };
>
> zone "crcfx.com" {
>         type master;
>         file "db.crcfx.com";
> };
>
> zone "0.x.192.IN-ADDR.ARPA" {
>         type master;
>         file "crcfx-reverse";
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Sorry, this is a lot to swallow, but they are all the pertinent files, in
> regards to the problem. I would appreciate any feedback on how to get our
> local name server to do proper zone transfers to our upstream ISP, and to
> get a proper 'nslookup stargate.crcfx.com' from outside our LAN ...same
> thing.
>
> TIA
> Ron

--
Cheers,
Mikel
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
| Optimized Computer Solutions, Inc        http://www.ocsny.com
| 39 W14th Street, Suite 203                   212 727 2238  x132
| New York, NY 10011
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

Ron Smith wrote:

Hi all,

O.K. gang I need your help on this one. I have a particular problem that I
can't seem to solve on my own. Here's what's happening:

I've configured a dual-homed DSL gateway with NAT and IPFILTER. Everything
works fine for those on the LAN when browsing HTTP. DNS is also running on
this machine as primary and I have a name server at the ISP as secondary.
However, the problem is that when looking for the domain name "crcfx.com"
out on the web, it's not seen. An error message comes up saying: "A network
error occurred: Unable to connect to server. The server may be down or
unreachable." Also, I don't get a proper response, from outside our LAN,
when doing an 'nslookup stargate.crcfx.com', which has the primary DNS
running locally. This is preventing us from putting other services on-line,
such as 'HTTP' and 'SMTP'. I've talked to several sources (including my
ISP), to no avail. There's lots of confusion all around. I have a suspicion
my problem may stem from the way my zones are set up, or the firewall rules,
but I'm not sure. Anyway, here are the details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ping 127.0.0.1 (loopback)
ping 192.x.x.1 (inside interface)
ping 63.x.x.218 (outside interface)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All show 0% packet loss.

~~~~~~~~~~~~~~~
'rc.conf' says:
~~~~~~~~~~~~~~~

# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.

# -- sysinstall generated deltas -- #
ifconfig_fxp0="inet 192.x.x.1  netmask 255.255.255.0"
ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
hostname="stargate.crcfx.com"
linux_enable="YES"
moused_enable="YES"
gateway_enable="YES"
defaultrouter="63.x.x.217"
# -- The following deltas were generated by Ron Smith on Apr. 17, 2000
firewall_enable="YES"
firewall_type="simple"
firewall_script="/etc/rc.firewall"
inetd_enable="NO"
sendmail_enable="NO"
dumpdev=/dev/wd0s1b
natd_enable="YES"
natd_interface="pn0"
named_enable="YES"

~~~~~~~~~~~~~~~~~~~
'rc.firewall' says:
~~~~~~~~~~~~~~~~~~~

# set these to your outside interface network and netmask and ip
oif="pn0"
onet="63.x.x.216"
omask="255.255.255.248"
oip="63.x.x.218"

# set these to your inside interface network and netmask and ip
iif="fxp0"
inet="192.x.x.0"
imask="255.255.255.0"
iip="192.x.x.1"

# Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

# Stop RFC1918 nets on the outside interface
$fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
#$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
$fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
$fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
$fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
$fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}

# Allow ICMP inside only
#$fwcmd add deny icmp from any to any via ${oif}
#$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}

# Allow TCP through if setup succeeded
$fwcmd add pass tcp from any to any established

# Allow setup of incoming email
#$fwcmd add pass tcp from any to ${oip} 25 setup

# Allow access to our DNS
$fwcmd add pass tcp from any to ${oip} 53 setup

# Allow access to our WWW
#$fwcmd add pass tcp from any to ${oip} 80 setup

# Reject&Log all setup of incoming connections from the outside
$fwcmd add deny log tcp from any to any in via ${oif} setup

# Allow setup of any other TCP connection
$fwcmd add pass tcp from any to any setup

# Allow DNS queries out in the world
$fwcmd add pass udp from any 53 to ${oip}
$fwcmd add pass udp from ${oip} to any 53
$fwcmd add pass udp from ${inet}:${imask} to any 53

# Allow stuff to 192 net in from the outside, since we're
# checking after NAT does the conversion
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
$fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}

# Allow NTP queries out in the world
$fwcmd add pass udp from any 123 to ${oip}
$fwcmd add pass udp from ${oip} to any 123

# Everything else is denied as default.

elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
$fwcmd ${firewall_type}
fi

~~~~~~~~~~~~~~~~~~~~~~~
'whois crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~

Whois Server Version 1.1

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net for
detailed information.

Domain Name: CRCFX.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: www.register.com
Name Server: NS1.PBI.NET
Name Server: STARGATE.CRCFX.COM
Updated Date: 28-apr-200

>>>Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

Access to register.com's WHOIS information is for informational purposes
only.  Register.com makes this information available
"as is," and does not guarantee its accuracy.  The compilation, repackaging,
dissemination or other use of register.com's WHOIS information in its
entirety, or a substantial portion thereof, is expressly prohibited without
the prior written consent of register.com.  By accessing and using our WHOIS
information, you agree to these terms.

Organization:
Cinema Research Corp
6860 Lexington Ave
Hollywood, CA 90038
US

Registrar..: Register.com (http://www.register.com)
Domain Name: CRCFX.COM
Created on..............: Fri, Mar 24, 2000
Expires on..............: Sat, Mar 24, 2001
Record last updated on..: Fri, Apr 28, 2000

Administrative Contact:
Smith, Ron  ronnetron@hotmail.com
323-460-4111

Technical Contact, Zone Contact:
Internic, Registrar  internic-free@register.com
212-594-988

Domain servers in listed order:

STARGATE.CRCFX.COM                               63.x.x.218
NS1.PBI.NET                                      206.13.28.11

Register your domain name at http://www.register.com

~~~~~~~~~~~~~~~~~
ifconfig -a says:
~~~~~~~~~~~~~~~~~

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255

pn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'netstat -na crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address         Foreign Address      (state)
icmp       0      0 *.*                   *.*
tcp        0      0 *.111                 *.*                  LISTEN
tcp        0      0 127.0.0.1.53          *.*                  LISTEN
tcp        0      0 63.x.x.218.53         *.*                  LISTEN
tcp        0      0 192.x.x.1.53          *.*                  LISTEN
udp        0      0 *.111                 *.*
udp        0      0 *.1024                *.*
udp        0      0 127.0.0.1.53          *.*
udp        0      0 63.x.x.218.53         *.*
udp        0      0 192.x.x.1.53          *.*
udp        0      0 *.514                 *.*

~~~~~~~~~~~~~~~~~~~~~
'db.crcfx.com' says:
~~~~~~~~~~~~~~~~~~~~~

; Definition of zone crcfx.com
crcfx.com.      IN      SOA     stargate.crcfx.com. root.crcfx.com. (
                2000042901 ; Serial (date, two digits version of day)
                86400   ; refresh (1 day)
                7200    ; retry (2 hours)
                8640000 ; expire (100 days)
                86400 ) ; minimum (1 day)

; name servers
                IN      NS      stargate.crcfx.com.
                IN      NS      ns1.pbi.net.
                IN      NS      ns2.pbi.net.
stargate        IN      A       63.x.x.218
ns1.pbi.net.    IN      A       206.13.28.11
ns2.pbi.net.    IN      A       206.13.29.11

~~~~~~~~~~~~~~~~~~~~~
'crcfx-reverse' says:
~~~~~~~~~~~~~~~~~~~~~

@     IN     SOA   stargate.crcfx.com.      root.crcfx.com. (
                   2000042901 ; Serial (date, 2 digits version of day)
                   86400   ; refresh (1 day)
                   7200    ; retry (2 hours)
                   8640000 ; expire (100 days)
                   86400 ) ; minimum (1 day)

      IN     NS    stargate.crcfx.com.
      IN     NS    ns1.pbi.net.
      IN     NS    ns2.pbi.net.

218.x.x.63.in-addr.arpa         IN      PTR     stargate.crcfx.com.
11.28.13.206.in-addr.arpa       IN      PTR     ns1.pbi.net.
11.29.13.206.in-addr.arpa       IN      PTR     ns2.pbi.net.

~~~~~~~~~~~~~~~~~~~~~
'localhost.rev' says:
~~~~~~~~~~~~~~~~~~~~~

;       From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
;
; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

@     IN     SOA     stargate.crcfx.com. root.stargate.crcfx.com. (
                     2000042901 ; Serial
                     86400      ; Refresh (1 day)
                     7200       ; Retry (2 hours)
                     8640000    ; Expire (100 days)
                     86400 )    ; Minimum
      IN     NS      stargate.crcfx.com.
1     IN     PTR     localhost.crcfx.com.

~~~~~~~~~~~~~~~~~~~
'resolv.conf' says:
~~~~~~~~~~~~~~~~~~~

domain  crcfx.com
nameserver 127.0.0.1
nameserver 192.x.x.1
nameserver 63.x.x.218
nameserver 206.13.28.11
nameserver 206.13.29.11

~~~~~~~~~~~~~~~~~~
'named.conf' says:
~~~~~~~~~~~~~~~~~~

options {
      directory "/etc/namedb";

        forwarders {
              206.13.28.11;
        };
};

zone "." {
      type hint;
      file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
      type master;
      file "localhost.rev";
};

zone "crcfx.com" {
      type master;
      file "db.crcfx.com";
};

zone "0.x.192.IN-ADDR.ARPA" {
      type master;
      file "crcfx-reverse";
};

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry, this is a lot to swallow, but these are all the pertinent files with
regard to the problem. I would appreciate any feedback on how to get our local name
server to do proper zone transfers to our upstream ISP, and to get a proper
'nslookup stargate.crcfx.com' from outside our LAN ...same thing.

TIA
Ron

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
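Mikel's highlighting did not survive the conversion of his HTML reply to text, so here is an added check written for this page (not Mikel's or Ron's code) that does the same job mechanically: it replays packets through Ron's posted ruleset under ipfw's first-match semantics, once for each socket in his 'netstat -na' listing that is bound to the outside address or the wildcard, and reports which rule an Internet client's first packet hits. Assumptions, labelled in the code: documentation addresses (203.0.113.218 in 203.0.113.216/29, 192.168.1.0/24, client 198.51.100.7) stand in for the masked 63.x.x.218 and 192.x.x.0; only the rules quoted in the post are modelled, followed by ipfw's implicit final deny, so anything the stock script adds ahead of them is out of scope; and the rule added by `with_inbound_dns` is my candidate, not something the thread proposes.

```python
"""Replay packets through the ipfw rules posted above (added example, not Ron's or
Mikel's code).  ipfw tries rules in order and the first match decides; a packet that
matches nothing hits the implicit final rule and is denied.  Only the rules quoted in
the post are modelled.  Assumption: documentation ranges stand in for the masked
63.x.x.218 / 192.x.x.0 addresses, and the Internet client address is invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OIF, IIF = "pn0", "fxp0"
OIP, ONET = "203.0.113.218", "203.0.113.216/29"   # stand-in for 63.x.x.218 and its /29
INET = "192.168.1.0/24"                           # stand-in for 192.x.x.0/24

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out" relative to the firewall host
    iface: str      # interface the packet crosses
    tcp: str = ""   # "setup" = SYN without ACK; "established" = ACK or RST set

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" (ipfw pass/allow) or "deny"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in", as in 'in via pn0'
    via: Optional[str] = None        # interface name, as in 'via pn0'
    tcp: Optional[str] = None        # "setup" or "established"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and self.direction in (None, p.direction) and self.via in (None, p.iface)
                and (self.tcp is None or (p.proto == "tcp" and self.tcp == p.tcp)))

# Ron's 'simple' rules transcribed in posted order, then ipfw's implicit 65535 deny.
RULES = [
    Rule("deny", src=INET, direction="in", via=OIF),                  # anti-spoof
    Rule("deny", src=ONET, direction="in", via=IIF),
    Rule("deny", src="192.168.0.0/16", via=OIF),                      # RFC 1918 on pn0
    Rule("deny", src="172.16.0.0/12", via=OIF),
    Rule("deny", dst="172.16.0.0/12", via=OIF),
    Rule("deny", src="10.0.0.0/8", via=OIF),
    Rule("deny", dst="10.0.0.0/8", via=OIF),
    Rule("pass", proto="tcp", tcp="established"),
    Rule("pass", proto="tcp", dst=OIP, dport=53, tcp="setup"),        # DNS over TCP
    Rule("deny", proto="tcp", direction="in", via=OIF, tcp="setup"),  # 'deny log ... setup'
    Rule("pass", proto="tcp", tcp="setup"),
    Rule("pass", proto="udp", sport=53, dst=OIP),                     # source port 53 only
    Rule("pass", proto="udp", src=OIP, dport=53),
    Rule("pass", proto="udp", src=INET, dport=53),
    Rule("pass", proto="udp", sport=53, dst=INET, via=OIF),
    Rule("pass", proto="udp", sport=53, dst=INET, via=IIF),
    Rule("pass", proto="udp", sport=123, dst=OIP),
    Rule("pass", proto="udp", src=OIP, dport=123),
    Rule("deny"),                                                     # implicit default
]

def first_match(p: Packet, rules=RULES) -> Rule:
    """ipfw semantics: the first matching rule decides the packet."""
    return next(r for r in rules if r.matches(p))

def inbound(proto: str, dport: int, sport: int = 33000) -> Packet:
    # First packet from an invented Internet client to a service on the outside IP.
    return Packet(proto, "198.51.100.7", sport, OIP, dport, "in", OIF, "setup" if proto == "tcp" else "")

# Ron's 'netstat -na' listeners with the stand-in addresses (constructed sample).
NETSTAT = """\
tcp        0      0 *.111                 *.*                  LISTEN
tcp        0      0 127.0.0.1.53          *.*                  LISTEN
tcp        0      0 203.0.113.218.53      *.*                  LISTEN
udp        0      0 *.111                 *.*
udp        0      0 203.0.113.218.53      *.*
udp        0      0 *.514                 *.*
"""

def reachable_listeners(netstat: str):
    """Yield (proto, port) for tcp/udp sockets bound to the wildcard or the outside IP."""
    for line in netstat.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("tcp", "udp"):
            continue
        addr, _, port = f[3].rpartition(".")  # BSD netstat writes addr.port
        if addr in ("*", OIP) and port.isdigit():
            yield f[0], int(port)

def exposure(netstat: str, rules=RULES) -> dict:
    """Verdict on an Internet client's first packet to each reachable listener."""
    return {(pr, po): first_match(inbound(pr, po), rules).action for pr, po in reachable_listeners(netstat)}

def with_inbound_dns(rules):
    """Candidate rule (mine, not from the thread): admit UDP queries to the name
    server from any source port, placed just ahead of the implicit default deny."""
    return rules[:-1] + [Rule("pass", proto="udp", dst=OIP, dport=53)] + rules[-1:]

if __name__ == "__main__":
    print(exposure(NETSTAT), first_match(inbound("udp", 53, sport=53)).action)
```

Run it and the DNS entries show the point worth checking against the rules as posted: a UDP query to port 53 is admitted only when it arrives from source port 53 (the 'pass udp from any 53 to ${oip}' rule), while the same query from an unprivileged source port, which is what a resolver normally uses, falls through to the default deny. TCP to port 53 (zone transfers) is admitted by the 'setup' rule, and the sunrpc listener on 111 that comes up later in this digest is already refused at the edge by 'deny log tcp from any to any in via ${oif} setup' and by the default deny for UDP.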


 
 
From owner-freebsd-ipfw Wed May 24 16:44:12 2000
From: Claudio Eichenberger
To: freebsd-ipfw@FreeBSD.ORG
Subject: cisco 2600 provokes P:88
Date: Thu, 25 May 2000 01:45:19 +0200
Message-ID: <20000525014519.D835@wks.ch>
Organisation: WKS Working Solutions GmbH

A Cisco 2600 connected to a FreeBSD 3.4 box with ipfw provokes, in the
'$fwcmd add 65534 deny log ip from any to any' line, the following message:

Deny P:88 router_IP 224.0.0.10 in via oif

Do you have any idea what P:88 is?
From owner-freebsd-ipfw Wed May 24 16:59:07 2000
From: "Rodney W. Grimes"
To: wks@wks.ch (Claudio Eichenberger)
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: cisco 2600 provokes P:88
Date: Wed, 24 May 2000 16:58:59 -0700 (PDT)
Message-Id: <200005242358.QAA67738@gndrsh.dnsmgr.net>
In-Reply-To: <20000525014519.D835@wks.ch>

> A Cisco 2600 connected to a FreeBSD 3.4 box with ipfw provokes, in the
> '$fwcmd add 65534 deny log ip from any to any' line, the following message:
>
> Deny P:88 router_IP 224.0.0.10 in via oif
>
> Do you have any idea what P:88 is?

That would be Protocol 88, EIGRP. See /etc/protocols for things printed
P:xx. Your cisco is running the interior routing protocol EIGRP.
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)              rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-ipfw Wed May 24 17:04:56 2000
From: Gregory Bond
To: Claudio Eichenberger
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: cisco 2600 provokes P:88
Date: Thu, 25 May 2000 10:04:44 +1000
Message-Id: <200005250004.KAA25043@lightning.itga.com.au>
In-reply-to: Your message of Thu, 25 May 2000 01:45:19 +0200.

> Do you have any idea what P:88 is ?
hellcat$ grep 88 /etc/protocols
eigrp   88      EIGRP           # Enhanced Interior Routing Protocol (Cisco)
hellcat$

From owner-freebsd-ipfw Wed May 24 18:19:45 2000
From: "Ron Smith"
To: freebsd-ipfw@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: sunrpc
Date: Wed, 24 May 2000 18:19:35 PDT
Message-ID: <20000525011936.90760.qmail@hotmail.com>

Hi all,

I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close
'sunrpc' on port 111. I can't seem to find anything specific on how to do
that at freebsd.org or in "The Complete FreeBSD" or "Building Internet
Firewalls". 'netstat -na' still shows port 111 listening on both 'tcp' and
'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone point me in
the right direction?
TIA
Ron Smith

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From owner-freebsd-ipfw Wed May 24 18:31:39 2000
From: Todd Backman
To: Ron Smith
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc
Date: Wed, 24 May 2000 18:30:52 -0700 (PDT)
In-Reply-To: <20000525011936.90760.qmail@hotmail.com>

"sockstat" will help you out...

On Wed, 24 May 2000, Ron Smith wrote:

> Hi all,
>
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet
> Firewalls". 'netstat -na' still shows port 111 listening on both
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone
> point me in the right direction?
>
> TIA
> Ron Smith

From owner-freebsd-ipfw Wed May 24 18:31:42 2000
From: Tony Landells
To: "Ron Smith"
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc
Date: Thu, 25 May 2000 11:31:27 +1000
Message-Id: <200005250131.LAA13772@tungsten.austclear.com.au>
In-Reply-To: Your message of "Wed, 24 May 2000 18:19:35 PDT." <20000525011936.90760.qmail@hotmail.com>

RPC is actually controlled by the portmapper. You can disable it (assuming
you have no other services that want it) by setting portmap_enable="NO".
Tony

From owner-freebsd-ipfw Wed May 24 18:33:15 2000
From: Peter Coates
Organization: South Coast NOC Support Team
To: Ron Smith
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc
Date: Thu, 25 May 2000 02:32:25 +0100
Message-ID: <392C82A9.72A4F673@newnet.co.uk>
References: <20000525011936.90760.qmail@hotmail.com>

Hi Ron,

The following two lines should block traffic to port 111. They should be
before any rules which enable traffic.

ipfw add deny tcp from any to any 111
ipfw add deny udp from any to any 111

Regards,
Peter

*********************
http://www.newnet.co.uk
FASTEST ISP in the UK - 100% availability
*********************
Internet Magazine - hosting tests Dec 1999

Ron Smith wrote:
>
> Hi all,
>
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet
> Firewalls". 'netstat -na' still shows port 111 listening on both
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone
> point me in the right direction?
>
> TIA
> Ron Smith

From owner-freebsd-ipfw Thu May 25 08:20:39 2000
From: Brian Hechinger
Reply-To: wonko@entropy.tmok.com
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: question about natd/ipfw
Date: Thu, 25 May 2000 11:26:25 -0400 (EDT)
Message-Id: <200005251526.LAA59553@entropy.tmok.com>

NOTE: sorry for the cross-post, tell me which list is more appropriate and
i'll drop the other one.

a freebsd user has been helping me with this, but this is out of his realm
of experience. i am setting up a NAT box/router for my Covad/DCA Net DSL
link.

i will have two sets of outside IP addresses, a single IP address that will
be bound to my outside interface which comes from covad, and a /29 block
from DCA Net.
the /29 will be routed through the outside interface into the NAT box, and
from there i want to be able to use them as an "outside NAT pool".
externally they will just look like an average domain, but that i will be
able to redirect as i please internally.

so, my question is: what do i do with the /29? do i create aliases on my
outside interface for them all? do i create aliases on my inside interface
for them all? do i bind them to lo0? attaching them to the outside
interface seems wrong to me, as well as attaching them to the inside
interface, since they should be listened to on either interface, hence my
thought to bind them to the loopback device since i view these things as
being "virtual".

ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected
traffic?

thanks,

-brian

From owner-freebsd-ipfw Thu May 25 09:34:12 2000
From: Randy Primeaux
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: question about natd/ipfw
Date: Thu, 25 May 2000 09:35:02 -0700
Message-Id: <200005251728.KAA07940@relay.ultimanet.com>
In-Reply-To: Message from Brian Hechinger of "Thu, 25 May 2000 11:26:25 EDT." <200005251526.LAA59553@entropy.tmok.com>

Did they delegate to you a single IP out of a /24, and a delegated /29?
If so, it sounds to me like they delegated the /29 CIDR block to you in a
way that you could connect their DSL bridge to your edge router, then on
the inside of your edge router would like the netblock, and behind that
would be a second router running NAT.

DSL <-> static router <-/29-> NAT router <-> private LAN.
modem / cat5 / freebsd0 / hub0 / freebsd1 / hub1 / other hosts

For reference of the Variable Length Subnet Table, see RFC 1878.

Brian Hechinger writes:
> NOTE: sorry for the cross-post, tell me which list is more appropriate and
> i'll drop the other one.
>
> a freebsd user has been helping me with this, but this is out of his realm
> of experience. i am setting up a NAT box/router for my Covad/DCA Net DSL
> link.
>
> i will have two sets of outside IP addresses, a single IP address that
> will be bound to my outside interface which comes from covad, and a /29
> block from DCA Net. the /29 will be routed through the outside interface
> into the NAT box, and from there i want to be able to use them as an
> "outside NAT pool" externally they will just look like an average domain,
> but that i will be able to redirect as i please internally.
>
> so, my question is: what do i do with the /29? do i create aliases on my
> outside interface for them all? do i create aliases on my inside interface
> for them all? do i bind them to lo0? attaching them to the outside
> interface seems wrong to me as well as attaching them to the inside
> interface since they should be listened to on either interface, hence my
> thought to bind them to the loopback device since i view these things as
> being "virtual"
>
> ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected
> traffic?
>
> thanks,
>
> -brian

--
Randy Primeaux
randy@cloudfactory.org   http://cloudfactory.org/~randy/
tranze@hyperreal.org     http://hyperreal.org/~tranze/

From owner-freebsd-ipfw Thu May 25 11:14:16 2000
From: Nick Rogness
To: wonko@entropy.tmok.com
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: question about natd/ipfw
Date: Thu, 25 May 2000 12:14:03 -0600 (MDT)
In-Reply-To: <200005251526.LAA59553@entropy.tmok.com>

On Thu, 25 May 2000, Brian Hechinger wrote:

> i will have two sets of outside IP addresses, a single IP address that
> will be bound to my outside interface which comes from covad, and a /29
> block from DCA Net. the /29 will be routed through the outside interface
> into the NAT box, and from there i want to be able to use them as an
> "outside NAT pool" externally they will just look like an average domain,
> but that i will be able to redirect as i please internally.

        They just statically routed a /29 subnet to your outside IP.
        Nothing unusual about that. Just set natd to handle them. It is
        not very hard to implement...see below.

> so, my question is: what do i do with the /29? do i create aliases on my
> outside interface for them all? do i create aliases on my inside interface
> for them all?
> do i bind them to lo0? attaching them to the outside interface

        NO. do not bind them to your interfaces. NATd will take care of
        all of that for you. For example, if your net looked like this:

                  A                                   B
         DSL --> (Outside ethernet interface)==FreeBSD==(Inside interface)

        At point A, setup your interface as the single outside IP that was
        given to you. At point B, you do nothing, keep your inside IP's the
        way they are.

        In ipfw rules:

        ipfw add 150 divert natd ip from any to any via outside_interface

        In your nat setup (/etc/natd.conf):

        interface outside_interface
        port 8668
        redirect_address inside_ip_A outside_IP_from_/29
        redirect_address inside_ip_B outside_IP_from_/29
        redirect_address inside_ip_C outside_IP_from_/29
        redirect_address inside_ip_D outside_IP_from_/29
        redirect_address inside_ip_E outside_IP_from_/29
        redirect_address inside_ip_F outside_IP_from_/29

        Start natd:

        /sbin/natd -f /etc/natd.conf

        This setup will allow you to shift which outside IP goes to which
        internal IP. You can use redirect_port if you wish for more
        security.

> seems wrong to me as well as attaching them to the inside interface since
> they should be listened to on either interface, hence my thought to bind them
> to the loopback device since i view these things as being "virtual"

        NO. DO no binding. It will not work.

> ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected
> traffic?

        That is because you must add the natd ipfw rule from above and
        setup nat to handle them.

Nick Rogness
 - Speak softly and carry a Gigabit switch.
From owner-freebsd-ipfw Fri May 26 01:01:34 2000
Date: Fri, 26 May 2000 10:01:25 +0200 (CEST)
From: Patrick Barmentlo
To: Ron Smith
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: sunrpc
In-Reply-To: <20000525011936.90760.qmail@hotmail.com>

Hi, why not deny all by default and just allow what you want instead?
(Must be a lot fewer rules then.. ;-)

patrick

On Wed, 24 May 2000, Ron Smith wrote:

> Hi all,
>
> I'm running FreeBSD v3.4, and have 'ipfw' in place. I'd like to close
> 'sunrpc' on port 111. I can't seem to find anything specific on how to do
> that at freebsd.org or in "The Complete FreeBSD" or "Building Internet
> Firewalls". 'netstat -na' still shows port 111 listening on both
> 'tcp' and 'udp', even though 'rc.conf' has 'inetd_enable="NO"'. Can anyone
> point me in the right direction?
> TIA
> Ron Smith

--
Patrick Barmentlo patrick@barmentlo.nl - pgp key ID 0x8E372335

From owner-freebsd-ipfw Fri May 26 06:45:37 2000
Date: Fri, 26 May 2000 09:45:28 -0400 (EDT)
From: Brian Dean
To: freebsd-ipfw@freebsd.org
Subject: ipfw log message question

Hi,

Several of these showed up in my ipfw logs yesterday for the first time. Can
someone explain what caused this? The rule number appears to be '-1'. What's
going on here? (I've replaced the actual IP numbers to protect the innocent.)
No port numbers were specified with the addresses.

  May 25 17:45:26 smtp /kernel: ipfw: -1 Refuse TCP in via xl1 Fragment = 184

This is on 4.0-STABLE cvs update'd around May 19.
Thanks,
-Brian

From owner-freebsd-ipfw Fri May 26 16:49:11 2000
Message-ID: <392F0D73.E15077E1@matchcraft.com>
Date: Fri, 26 May 2000 16:49:07 -0700
From: Tony Hayes
To: freebsd-ipfw@freebsd.org
Subject: IP/Port Forwarding

Hey, I got one I've been trying to figure out for the last two weeks...

Here's the situation: I have a FreeBSD box running both ipfw and natd. I need
to be able to forward any ssh packets coming in to the external interface to
an internal address at the same port, i.e. I want to be able to ssh from
anywhere on the outside and be forwarded to an internal box.

Here's the rule list I'm using:

  ipfw add divert natd all from any to any via fxp1
  ipfw add allow ip from any to any via lo0
  ipfw add deny ip from any to 127.0.0.1
  ipfw add allow ip from any to any
  ipfw add allow tcp from any to any
  ipfw add allow udp from any to any

  - Default rule is deny ip from any to any.

  natd -p 8668 -n fxp1 -redirect_port tcp 172.16.0.250:22 209.157.63.5:22

This appears to half work. natd only shows incoming traffic destined for the
internal address.
I ran natd in verbose mode to make sure the aliasing was correct (which it
was). I ran a tcpdump on the internal box, and saw the packets coming and
going on port 22. The problem is, the aliasing seems only to be working in one
direction (incoming). None of the outgoing packets go through the fw. In the
verbose output of natd, it shows "IN" for the incoming packets and "OUT" for
the outgoing. I could see the incoming ssh packets and could verify they are
aliased for the correct destination. The problem was that there were no
outgoing packets for ssh. There were other outgoing packets, but none for ssh.
This seems very odd to me because I could see ssh packets coming in on the
internal box, yet none of the packets are aliased back to the original
source.

Any help would be greatly appreciated.

Tony
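The ruleset shape the replies in this thread argue for (the natd divert rule ahead of every accept decision, deny by default with explicit allows, sunrpc/111 refused on both transports, and only the forwarded ssh service admitted), as an added example in rc.firewall style rather than code from any of the posters. The interface name, the inside network and the dry-run FWCMD switch are assumptions.

```shell
#!/bin/sh
# Added example (not from any poster): a default-deny ipfw ruleset in
# /etc/rc.firewall style. The natd divert rule comes first, sunrpc/111 is
# refused on tcp and udp, and the only inbound service admitted is the
# ssh redirect. Interface names and addresses are constructed placeholders.
oif="pn0"               # outside interface (assumed)
inet="192.168.1.0/24"   # inside network (constructed)
ssh_host="172.16.0.250" # internal ssh box, as in the redirect_port above
# Dry run by default so the ruleset can be reviewed on any host;
# FWCMD=/sbin/ipfw applies it on the gateway.
fwcmd="${FWCMD:-echo ipfw}"

build_rules() {
    $fwcmd -f flush
    # NAT first: a packet crossing ${oif} is rewritten by natd and re-enters
    # the ruleset at the next rule, so inbound packets below carry inside
    # destinations and outbound packets carry the public source address.
    $fwcmd add 100 divert natd ip from any to any via ${oif}
    $fwcmd add 200 allow ip from any to any via lo0
    $fwcmd add 210 deny ip from any to 127.0.0.0/8
    # Anti-spoofing: inside addresses never arrive on the outside interface.
    $fwcmd add 300 deny ip from ${inet} to any in via ${oif}
    # Close sunrpc on both transports, ahead of every allow rule.
    $fwcmd add 400 deny tcp from any to any 111
    $fwcmd add 410 deny udp from any to any 111
    # Packets of sessions that already exist, in either direction.
    $fwcmd add 500 allow tcp from any to any established
    # New outbound connections and DNS from the LAN (the source is already
    # NATed at this point, so "from ${inet}" would never match here).
    $fwcmd add 600 allow tcp from any to any out via ${oif} setup
    $fwcmd add 610 allow udp from any to any 53 out via ${oif}
    # DNS replies only reach an inside address if natd has a mapping for them.
    $fwcmd add 620 allow udp from any 53 to ${inet} in via ${oif}
    # The one inbound service: after the redirect_port rewrite the destination
    # is the internal host, so that is what the rule matches.
    $fwcmd add 700 allow tcp from any to ${ssh_host} 22 in via ${oif} setup
    # Everything else is refused and logged so that misses are visible.
    $fwcmd add 65000 deny log ip from any to any
}

# Number of allow rules emitted before the divert rule; 0 means natd sees
# every packet before any accept decision is made.
allows_before_divert() {
    build_rules | sed '/divert natd/,$d' | grep -c ' allow ' || true
}

build_rules
```

Run it as-is to review the generated rule list; run it with FWCMD=/sbin/ipfw as root on the gateway to load it.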