From owner-freebsd-questions Tue Oct 29 14:16:36 2002
Date: Tue, 29 Oct 2002 17:16:35 -0500 (EST)
From: Simon1
To: C KH
Subject: Re: Can't connect to DNS servers -- Firewall prob?
Message-ID: <20021029170909.F4893-100000@server.simon1.net>

> Actually I neglected to mention I also have this rule:
>
> # Allow all traffic from internal lan
> $fwcmd add allow all from 192.168.0.0/16 to any

How is this box configured? If it's set up to act as a gateway:

    LOCAL_LAN (192.168.x.x) ----> Interface A
                                      |
                                   Server
                                      |
    Internet ($external_ip)  ----> Interface B

The DNS servers are going to be on the Internet, from what you posted, which means that your server isn't connecting to them as 192.168.x.x, but instead as $external_ip_address. So, allowing the 192.168.x.x network to access anything isn't going to work -- because as far as the server is concerned it's using $external_ip. You need a rule allowing whatever address it's using for the *internet* to connect to the nameserver.
To use a (made up) example: I set up a gateway machine for NAT etc. Local LAN address is 192.168.0.1, external address is 100.10.10.1. When the system accesses the internal network, it'll make use of the 192.168.0.1 address, but when it goes out on the internet (on the second network card) it'll use the 100.10.10.1. If the DNS servers aren't on the 192.168.x.x LAN, and are on the internet instead, you'll need to add a rule to allow "100.10.10.1" (aka your external IP) to access the DNS servers.

-Wolfe
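The following is an added example and is not part of the message above or of the poster's rc.firewall. It is a tiny first-match rule evaluator written in the spirit of ipfw, used to show concretely why the "allow all from 192.168.0.0/16 to any" rule never matches a DNS query the gateway sends from its own external address, and what the extra rules look like. Assumptions: the addresses 192.168.0.1 and 100.10.10.1 are the made-up ones from the reply; 198.51.100.53 is a constructed stand-in for the ISP's resolver; the rule notation (action proto src sport dst dport) is a simplification, not ipfw syntax, with the ipfw equivalents given in comments; and an unmatched packet falls through to a final deny, as on an ipfw kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT.

```shell
#!/bin/sh
# Added example, not code from the mailing-list message. Simulates ipfw-style
# first-match evaluation for the gateway situation discussed in the reply.
# Addresses: 192.168.0.1 / 100.10.10.1 are the reply's made-up gateway
# addresses; 198.51.100.53 is a constructed stand-in for the ISP's resolver.

ip2int() {                      # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                     # in_cidr ADDR SPEC ; SPEC is any, a.b.c.d or a.b.c.d/N
  local addr spec net bits mask
  addr=$1; spec=$2
  [ "$spec" = any ] && return 0
  net=${spec%%/*}
  case $spec in */*) bits=${spec#*/} ;; *) bits=32 ;; esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

port_match() { [ "$1" = any ] || [ "$1" = "$2" ]; }   # port_match SPEC PORT

# evaluate RULES PROTO SRC SPORT DST DPORT -> prints allow or deny.
# First matching rule wins; no match falls through to the implicit final
# deny (ipfw's rule 65535 on a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT).
evaluate() {
  local rules proto src sport dst dport verdict
  rules=$1; proto=$2; src=$3; sport=$4; dst=$5; dport=$6
  verdict=$(printf '%s\n' "$rules" | while read -r action rproto rsrc rsport rdst rdport; do
    case $action in ''|'#'*) continue ;; esac
    { [ "$rproto" = all ] || [ "$rproto" = "$proto" ]; } || continue
    in_cidr "$src" "$rsrc"        || continue
    port_match "$rsport" "$sport" || continue
    in_cidr "$dst" "$rdst"        || continue
    port_match "$rdport" "$dport" || continue
    echo "$action"; break
  done)
  echo "${verdict:-deny}"
}

EXT_IP=100.10.10.1
RESOLVER=198.51.100.53

# What the poster has: LAN hosts may go anywhere. Packets the gateway itself
# sends from $EXT_IP match nothing and hit the default deny.
BEFORE='
allow all 192.168.0.0/16 any any any
'

# With the rules the reply asks for. Replies are accepted only from the known
# resolver: "allow udp any 53 ..." would let any host that picks source port 53
# reach every UDP service on the gateway. ipfw equivalents, in the $fwcmd style
# of the poster's rc.firewall (keep-state makes the two reply rules unnecessary):
#   $fwcmd add allow udp from 100.10.10.1 to 198.51.100.53 53 keep-state
#   $fwcmd add allow tcp from 100.10.10.1 to 198.51.100.53 53 setup keep-state
AFTER="
allow all 192.168.0.0/16 any any any
allow udp $EXT_IP any $RESOLVER 53
allow udp $RESOLVER 53 $EXT_IP any
allow tcp $EXT_IP any $RESOLVER 53
allow tcp $RESOLVER 53 $EXT_IP any
"

show() { printf '%-44s %s\n' "$1" "$(evaluate "$2" $3 $4 $5 $6 $7)"; }
show "LAN host query, LAN-only rules:"       "$BEFORE" udp 192.168.0.10 49152 $RESOLVER 53
show "gateway's own query, LAN-only rules:"  "$BEFORE" udp $EXT_IP 49152 $RESOLVER 53
show "gateway's own query, with DNS rules:"  "$AFTER"  udp $EXT_IP 49152 $RESOLVER 53
show "resolver's reply, with DNS rules:"     "$AFTER"  udp $RESOLVER 53 $EXT_IP 49152
show "stranger using source port 53 -> ssh:" "$AFTER"  udp 203.0.113.9 53 $EXT_IP 22
```

The LAN rule only ever sees packets whose source is 192.168.x.x, i.e. traffic being forwarded for LAN hosts; the gateway's own lookups leave with the external address as source and need their own rule. The stateless reply rules are pinned to the resolver's address on purpose: an "any 53" source is the classic hole that lets an attacker reach arbitrary UDP services by choosing source port 53.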