From owner-freebsd-ipfw Mon May 22 12:50: 0 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from arf.bussert.COM (arf.bussert.com [209.183.67.130]) by hub.freebsd.org (Postfix) with ESMTP id 5B89537BB5A; Mon, 22 May 2000 12:49:44 -0700 (PDT) (envelope-from matheny@bussert.com)
Received: from localhost (matheny@localhost) by arf.bussert.COM (8.9.3/8.9.3) with ESMTP id PAA09142; Mon, 22 May 2000 15:19:23 -0500 (EST) (envelope-from matheny@bussert.com)
Date: Mon, 22 May 2000 15:19:23 -0500 (EST)
From: Blake Matheny
To: Ron Smith
Cc: freebsd-net@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Non-existent domain
In-Reply-To: <20000522191733.61404.qmail@hotmail.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I had this problem before, I had to add an A record in dns on the firewall
for the web server. For instance, let's say bussert.com was hosted at
111.111.111.111, I had to add that in the dns records. Add the following
records to be able to browse:

@	IN	A	ipaddressofwebserver
www	IN	A	ipaddressofwebserver

The first line will allow for resolution of crcfx.com, the second line will
allow for resolution of www.crcfx.com. I /think/ that answered your
question, but I was a little unclear, let me know if that helps.

-Blake

Blake Matheny
Bussert Consulting
Network Engineer
(765)423-2100
matheny@bussert.com

On Mon, 22 May 2000, Ron Smith wrote:

> Hi all,
>
> O.K. gang I need your help on this one. I have a particular problem that I
> can't seem to solve on my own. Here's what's happening:
>
> I've configured a dual-homed, DSL gateway with NAT and IPFILTER. Everything
> works fine for those on the LAN when browsing HTTP. DNS is also running on
> this machine as primary and I have a name server at the ISP as secondary.
> However, the problem is that when looking for the domain name "crcfx.com"
> out on the web, it's not seen.
> An error message comes up saying: "A network error occurred: Unable to
> connect to server. The server may be down or unreachable." Also, I don't
> get a proper response, from outside our LAN, when doing an 'nslookup
> stargate.crcfx.com', which has the primary DNS running locally. This is
> preventing us from putting other services on-line, such as 'HTTP' and
> 'SMTP'. I've talked to several sources (including my ISP), to no avail.
> There's lots of confusion all around. I have a suspicion my problem may
> stem from the way my zones are set up, or the firewall rules, but I'm not
> sure. Anyway, here are the details:
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ping 127.0.0.1 (loopback)
> ping 192.x.x.1 (inside interface)
> ping 63.x.x.218 (outside interface)
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> All show 0% packet loss.
>
> ~~~~~~~~~~~~~~~
> 'rc.conf' says:
> ~~~~~~~~~~~~~~~
>
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> # -- sysinstall generated deltas -- #
> ifconfig_fxp0="inet 192.x.x.1 netmask 255.255.255.0"
> ifconfig_pn0="inet 63.x.x.218 netmask 255.255.255.248"
> hostname="stargate.crcfx.com"
> linux_enable="YES"
> moused_enable="YES"
> gateway_enable="YES"
> defaultrouter="63.x.x.217"
> # -- The following deltas were generated by Ron Smith on Apr. 17, 2000
> firewall_enable="YES"
> firewall_type="simple"
> firewall_script="/etc/rc.firewall"
> inetd_enable="NO"
> sendmail_enable="NO"
> dumpdev=/dev/wd0s1b
> natd_enable="YES"
> natd_interface="pn0"
> named_enable="YES"
>
> ~~~~~~~~~~~~~~~~~~~
> 'rc.firewall' says:
> ~~~~~~~~~~~~~~~~~~~
>
> # set these to your outside interface network and netmask and ip
> oif="pn0"
> onet="63.x.x.216"
> omask="255.255.255.248"
> oip="63.x.x.218"
>
> # set these to your inside interface network and netmask and ip
> iif="fxp0"
> inet="192.x.x.0"
> imask="255.255.255.0"
> iip="192.x.x.1"
>
> # Stop spoofing
> $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
> $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
>
> # Stop RFC1918 nets on the outside interface
> $fwcmd add deny all from 192.x.0.0:255.255.0.0 to any via ${oif}
> #$fwcmd add deny all from any to 192.x.0.0:255.255.0.0 via ${oif}
> $fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
> $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
> $fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
> $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
>
> # Allow ICMP inside only
> #$fwcmd add deny icmp from any to any via ${oif}
> #$fwcmd add allow icmp from ${inet}:${imask} to ${inet}:${imask} via ${iif}
>
> # Allow TCP through if setup succeeded
> $fwcmd add pass tcp from any to any established
>
> # Allow setup of incoming email
> #$fwcmd add pass tcp from any to ${oip} 25 setup
>
> # Allow access to our DNS
> $fwcmd add pass tcp from any to ${oip} 53 setup
>
> # Allow access to our WWW
> #$fwcmd add pass tcp from any to ${oip} 80 setup
>
> # Reject&Log all setup of incoming connections from the outside
> $fwcmd add deny log tcp from any to any in via ${oif} setup
>
> # Allow setup of any other TCP connection
> $fwcmd add pass tcp from any to any setup
>
> # Allow DNS queries out in the world
> $fwcmd add pass udp from any 53 to ${oip}
> $fwcmd add pass udp from ${oip} to any 53
> $fwcmd add pass udp from ${inet}:${imask} to any 53
>
> # Allow stuff to 192 net in from the outside, since we're
> # checking after NAT does the conversion
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${oif}
> $fwcmd add allow udp from any 53 to ${inet}:${imask} via ${iif}
>
> # Allow NTP queries out in the world
> $fwcmd add pass udp from any 123 to ${oip}
> $fwcmd add pass udp from ${oip} to any 123
>
> # Everything else is denied as default.
>
> elif [ "${firewall_type}" != "UNKNOWN" -a -r "${firewall_type}" ]; then
> 	$fwcmd ${firewall_type}
> fi
>
> ~~~~~~~~~~~~~~~~~~~~~~~
> 'whois crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~
>
> Whois Server Version 1.1
>
> Domain names in the .com, .net, and .org domains can now be registered
> with many different competing registrars. Go to http://www.internic.net
> for detailed information.
>
> Domain Name: CRCFX.COM
> Registrar: REGISTER.COM, INC.
> Whois Server: whois.register.com
> Referral URL: www.register.com
> Name Server: NS1.PBI.NET
> Name Server: STARGATE.CRCFX.COM
> Updated Date: 28-apr-200
>
> >>> Last update of whois database: Wed, 3 May 00 04:41:29 EDT <<<
>
> The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
> Registrars.
>
> Access to register.com's WHOIS information is for informational purposes
> only. Register.com makes this information available "as is," and does not
> guarantee its accuracy. The compilation, repackaging, dissemination or
> other use of register.com's WHOIS information in its entirety, or a
> substantial portion thereof, is expressly prohibited without the prior
> written consent of register.com. By accessing and using our WHOIS
> information, you agree to these terms.
>
> Organization:
> Cinema Research Corp
> 6860 Lexington Ave
> Hollywood, CA 90038
> US
>
> Registrar..: Register.com (http://www.register.com)
> Domain Name: CRCFX.COM
> Created on..............: Fri, Mar 24, 2000
> Expires on..............: Sat, Mar 24, 2001
> Record last updated on..: Fri, Apr 28, 2000
>
> Administrative Contact:
> Smith, Ron  ronnetron@hotmail.com
> 323-460-4111
>
> Technical Contact, Zone Contact:
> Internic, Registrar  internic-free@register.com
> 212-594-988
>
> Domain servers in listed order:
>
> STARGATE.CRCFX.COM   63.x.x.218
> NS1.PBI.NET          206.13.28.11
>
> Register your domain name at http://www.register.com
>
> ~~~~~~~~~~~~~~~~~
> ifconfig -a says:
> ~~~~~~~~~~~~~~~~~
>
> fxp0: flags=8843 mtu 1500
>         inet 192.x.x.1 netmask 0xffffff00 broadcast 192.x.x.255
>
> pn0: flags=8843 mtu 1500
>         inet 63.x.x.218 netmask 0xfffffff8 broadcast 63.x.x.223
>
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 'netstat -na crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> icmp       0      0  *.*                    *.*
> tcp        0      0  *.111                  *.*                    LISTEN
> tcp        0      0  127.0.0.1.53           *.*                    LISTEN
> tcp        0      0  63.x.x.218.53          *.*                    LISTEN
> tcp        0      0  192.x.x.1.53           *.*                    LISTEN
> udp        0      0  *.111                  *.*
> udp        0      0  *.1024                 *.*
> udp        0      0  127.0.0.1.53           *.*
> udp        0      0  63.x.x.218.53          *.*
> udp        0      0  192.x.x.1.53           *.*
> udp        0      0  *.514                  *.*
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'db.crcfx.com' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> ; Definition of zone crcfx.com
> crcfx.com.	IN	SOA	stargate.crcfx.com. root.crcfx.com. (
> 			2000042901	; Serial (date, two digits version of day)
> 			86400		; refresh (1 day)
> 			7200		; retry (2 hours)
> 			8640000		; expire (100 days)
> 			86400 )		; minimum (1 day)
>
> ; name servers
> 		IN	NS	stargate.crcfx.com.
> 		IN	NS	ns1.pbi.net.
> 		IN	NS	ns2.pbi.net.
> stargate	IN	A	63.x.x.218
> ns1.pbi.net.	IN	A	206.13.28.11
> ns2.pbi.net.	IN	A	206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'crcfx-reverse' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> @	IN	SOA	stargate.crcfx.com. root.crcfx.com. (
> 			2000042901	; Serial (date, 2 digits version of day)
> 			86400		; refresh (1 day)
> 			7200		; retry (2 hours)
> 			8640000		; expire (100 days)
> 			86400 )		; minimum (1 day)
>
> 	IN	NS	stargate.crcfx.com.
> 	IN	NS	ns1.pbi.net.
> 	IN	NS	ns2.pbi.net.
>
> 218.x.x.63.in-addr.arpa		IN	PTR	stargate.crcfx.com.
> 11.28.13.206.in-addr.arpa	IN	PTR	ns1.pbi.net.
> 11.29.13.206.in-addr.arpa	IN	PTR	ns2.pbi.net.
>
> ~~~~~~~~~~~~~~~~~~~~~
> 'localhost.rev' says:
> ~~~~~~~~~~~~~~~~~~~~~
>
> ; From: @(#)localhost.rev 5.1 (Berkeley) 6/30/90
> ; $FreeBSD: src/etc/namedb/PROTO.localhost.rev,v 1.4.2.1 1999/08/29 14:19:29 peter Exp $
> ;
> ; This file is automatically edited by the `make-localhost' script in
> ; the /etc/namedb directory.
> ;
>
> @	IN	SOA	stargate.crcfx.com. root.stargate.crcfx.com. (
> 			2000042901	; Serial
> 			86400		; Refresh (1 day)
> 			7200		; Retry (2 hours)
> 			8640000		; Expire (100 days)
> 			86400 )		; Minimum
> 	IN	NS	stargate.crcfx.com.
> 1	IN	PTR	localhost.crcfx.com.
>
> ~~~~~~~~~~~~~~~~~~~
> 'resolv.conf' says:
> ~~~~~~~~~~~~~~~~~~~
>
> domain crcfx.com
> nameserver 127.0.0.1
> nameserver 192.x.x.1
> nameserver 63.x.x.218
> nameserver 206.13.28.11
> nameserver 206.13.29.11
>
> ~~~~~~~~~~~~~~~~~~
> 'named.conf' says:
> ~~~~~~~~~~~~~~~~~~
>
> options {
> 	directory "/etc/namedb";
>
> 	forwarders {
> 		206.13.28.11;
> 	};
> };
>
> zone "." {
> 	type hint;
> 	file "named.root";
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
> 	type master;
> 	file "localhost.rev";
> };
>
> zone "crcfx.com" {
> 	type master;
> 	file "db.crcfx.com";
> };
>
> zone "0.x.192.IN-ADDR.ARPA" {
> 	type master;
> 	file "crcfx-reverse";
> };
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Sorry, this is a lot to swallow, but they are all the pertinent files, in
> regards to the problem.
> I would appreciate any feedback on how to get our local name server to do
> proper zone transfers to our upstream ISP, and to get a proper 'nslookup
> stargate.crcfx.com' from outside our LAN ...same thing.
>
> TIA
> Ron
>
>
> ________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
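The reply above says to add `@` and `www` A records; the zone file quoted in the question shows why that matters, because it carries NS records and glue for `stargate` but no address at the apex. The following zone-file lint, an added example that is not code from either poster, parses a BIND-style master file and reports that condition, together with the out-of-zone `ns1.pbi.net.`/`ns2.pbi.net.` address records (which BIND ignores in a master file) and any in-zone NS name without glue. `SAMPLE_ZONE` is a constructed copy of the posted `db.crcfx.com` with the placeholder 63.0.0.218 in place of the masked 63.x.x.218; `FIXED_ZONE` appends the two records the reply recommends.

```python
"""Lint a BIND master file for the failure in this thread: NS records are
present, but the zone apex (and www) has no A record, so an A query for
the bare domain returns NODATA while stargate.crcfx.com resolves.
Added example; SAMPLE_ZONE is a constructed copy of the posted zone with
63.0.0.218 standing in for the masked 63.x.x.218."""

SAMPLE_ZONE = """\
; Definition of zone crcfx.com
crcfx.com.  IN  SOA  stargate.crcfx.com. root.crcfx.com. (
                2000042901  ; Serial
                86400       ; refresh (1 day)
                7200        ; retry (2 hours)
                8640000     ; expire (100 days)
                86400 )     ; minimum (1 day)

; name servers
            IN  NS   stargate.crcfx.com.
            IN  NS   ns1.pbi.net.
            IN  NS   ns2.pbi.net.
stargate    IN  A    63.0.0.218
ns1.pbi.net.  IN  A  206.13.28.11
ns2.pbi.net.  IN  A  206.13.29.11
"""

# The two records the reply says to add, appended to the same zone.
FIXED_ZONE = SAMPLE_ZONE + "@       IN  A    63.0.0.218\nwww     IN  A    63.0.0.218\n"


def parse_zone(text, origin=None):
    """Return (origin, [(owner, type, rdata_tokens)]) for a master file.

    Handles ';' comments, records continued across lines with '( ... )',
    and owner-name inheritance from the previous record. The origin comes
    from the SOA owner unless given (needed when the SOA owner is '@')."""
    records, owner, buf, depth = [], None, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # comments first, then parens
        depth += line.count("(") - line.count(")")
        buf = buf + " " + line if buf else line
        if depth > 0:                                 # still inside ( ... )
            continue
        logical, buf = buf, ""
        if not logical.strip() or logical.lstrip().startswith("$"):
            continue                                  # blank line or a $ directive
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if logical[0] not in " \t":                   # owner present, else inherited
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                             # optional TTL and class
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA" and origin is None and owner != "@":
            origin = owner
        records.append((owner, rtype, rdata))
    return origin, records


def fqdn(name, origin):
    """Absolute form of a master-file owner or target name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def lint_zone(text, origin=None, want=("www",)):
    """Return [(code, message)]; an empty list means nothing to report."""
    origin, records = parse_zone(text, origin)
    if origin is None:
        return [("NO_ORIGIN", "SOA owner is '@' and no origin given; pass the zone name from named.conf")]

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    addr, findings = {}, []
    for owner, rtype, rdata in records:
        name = fqdn(owner, origin)
        if rtype in ("A", "AAAA"):
            addr.setdefault(name, []).append(rdata[0])
        if not in_zone(name):
            findings.append(("OUT_OF_ZONE", f"{name} {rtype}: BIND ignores out-of-zone data in a master file"))
    for owner, rtype, rdata in records:
        if rtype == "NS" and fqdn(owner, origin) == origin:
            target = fqdn(rdata[0], origin)
            if in_zone(target) and target not in addr:
                findings.append(("NS_NO_GLUE", f"NS {target} is in-zone but has no A record"))
    if origin not in addr:
        findings.append(("APEX_NO_A", f"{origin} has no A record: an A query for the bare domain "
                                      "returns NODATA, so a browser has nothing to connect to"))
    for label in want:
        if fqdn(label, origin) not in addr:
            findings.append(("NO_A", f"{fqdn(label, origin)} has no A record"))
    return findings


if __name__ == "__main__":
    for title, zone in (("as posted", SAMPLE_ZONE), ("with @ and www added", FIXED_ZONE)):
        print(f"--- {title}")
        for code, msg in lint_zone(zone):
            print(f"{code:12} {msg}")
```

Run as posted, the lint reports the two out-of-zone `pbi.net` records, the missing apex address and the missing `www`; with the two added records only the out-of-zone warnings remain. For a file whose SOA owner is `@`, such as the posted `crcfx-reverse`, pass `origin=` with the zone name from `named.conf`, since the file itself does not say which zone it belongs to.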
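The question also asks whether the `rc.firewall` rules could be involved. The rules quoted there admit DNS over TCP (`pass tcp from any to ${oip} 53 setup`) but admit UDP to the name server only when the packet's source port is 53 (`pass udp from any 53 to ${oip}`); everything else falls through to the default rule. The following rule tracer, an added example that is not code from the post or from FreeBSD, replays the posted rule set against a handful of DNS packets as the gateway would see them. It models only the ipfw keywords those rules use (protocol, address with `:mask`, port, `in`/`out`, `via`, `setup`, `established`), uses constructed placeholders (63.0.0.218 for the masked 63.x.x.218 with onet 63.0.0.216/29, 192.168.1.0/24 for the masked inside net, 203.0.113.9 for an arbitrary outside resolver), and assumes the kernel's default rule is deny, as the script's own closing comment states.

```python
"""Replay the posted ipfw rules against DNS packets to see which ones reach
named. Added example, not the poster's or FreeBSD's code. Addresses are
constructed placeholders; the default-rule verdict assumes a kernel built
without IPFIREWALL_DEFAULT_TO_ACCEPT (rule 65535 = deny)."""
import ipaddress

OIF, ONET, OIP = "pn0", "63.0.0.216:255.255.255.248", "63.0.0.218"
IIF, INET = "fxp0", "192.168.1.0:255.255.255.0"

# The poster's rule set, in order, with the shell variables expanded.
RULES = [
    f"deny all from {INET} to any in via {OIF}",
    f"deny all from {ONET} to any in via {IIF}",
    f"deny all from 192.168.0.0:255.255.0.0 to any via {OIF}",
    f"deny all from 172.16.0.0:255.240.0.0 to any via {OIF}",
    f"deny all from any to 172.16.0.0:255.240.0.0 via {OIF}",
    f"deny all from 10.0.0.0:255.0.0.0 to any via {OIF}",
    f"deny all from any to 10.0.0.0:255.0.0.0 via {OIF}",
    "pass tcp from any to any established",
    f"pass tcp from any to {OIP} 53 setup",
    f"deny log tcp from any to any in via {OIF} setup",
    "pass tcp from any to any setup",
    f"pass udp from any 53 to {OIP}",
    f"pass udp from {OIP} to any 53",
    f"pass udp from {INET} to any 53",
    f"allow udp from any 53 to {INET} via {OIF}",
    f"allow udp from any 53 to {INET} via {IIF}",
    f"pass udp from any 123 to {OIP}",
    f"pass udp from {OIP} to any 123",
]


def _net(token):
    """'any' -> None, 'a.b.c.d' -> /32, 'a.b.c.d:mask' -> that network."""
    if token == "any":
        return None
    addr, _, mask = token.partition(":")
    return ipaddress.ip_network(f"{addr}/{mask or 32}", strict=False)


def _expect(tokens, word):
    if tokens.pop(0) != word:
        raise ValueError(f"expected {word!r}")


def parse_rule(text):
    t = text.split()
    r = {"action": t.pop(0), "dir": None, "via": None, "setup": False, "established": False}
    if t[0] == "log":                       # logging does not affect the verdict
        t.pop(0)
    r["proto"] = t.pop(0)
    _expect(t, "from")
    r["src"] = _net(t.pop(0))
    r["sport"] = int(t.pop(0)) if t and t[0].isdigit() else None
    _expect(t, "to")
    r["dst"] = _net(t.pop(0))
    r["dport"] = int(t.pop(0)) if t and t[0].isdigit() else None
    while t:
        opt = t.pop(0)
        if opt in ("in", "out"):
            r["dir"] = opt
        elif opt == "via":
            r["via"] = t.pop(0)
        elif opt in ("setup", "established"):
            r[opt] = True
        else:
            raise ValueError(f"keyword {opt!r} not modelled: {text}")
    return r


def packet(proto, src, sport, dst, dport, direction, iface, syn=False, ack=False):
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport,
            "dir": direction, "iface": iface, "syn": syn, "ack": ack}


def matches(r, p):
    if r["proto"] not in ("all", "ip", p["proto"]):
        return False
    if r["src"] is not None and p["src"] not in r["src"]:
        return False
    if r["dst"] is not None and p["dst"] not in r["dst"]:
        return False
    if r["sport"] is not None and r["sport"] != p["sport"]:
        return False
    if r["dport"] is not None and r["dport"] != p["dport"]:
        return False
    if r["dir"] and r["dir"] != p["dir"]:
        return False
    if r["via"] and r["via"] != p["iface"]:            # 'via' matches either direction
        return False
    if r["setup"] and not (p["proto"] == "tcp" and p["syn"] and not p["ack"]):
        return False
    if r["established"] and not (p["proto"] == "tcp" and p["ack"]):
        return False
    return True


def verdict(rules, p):
    """First match wins: ('pass'|'deny', rule number), or ('deny', None) for the default rule."""
    for num, text in enumerate(rules, 1):
        r = parse_rule(text)
        if matches(r, p):
            return ("pass" if r["action"] in ("pass", "allow", "accept") else "deny", num)
    return ("deny", None)


def dns_check(rules=RULES):
    """DNS-related packets as the firewall on the gateway would see them."""
    ns1 = "206.13.28.11"                                # the ISP secondary from the post
    cases = {
        "axfr_from_secondary": packet("tcp", ns1, 1025, OIP, 53, "in", OIF, syn=True),
        "udp_query_from_port_53": packet("udp", ns1, 53, OIP, 53, "in", OIF),
        "udp_query_from_ephemeral_port": packet("udp", "203.0.113.9", 1025, OIP, 53, "in", OIF),
        "outbound_query_from_firewall": packet("udp", OIP, 1024, ns1, 53, "out", OIF),
        "reply_to_firewall": packet("udp", ns1, 53, OIP, 1024, "in", OIF),
        "lan_client_query": packet("udp", "192.168.1.10", 1030, ns1, 53, "in", IIF),
        "http_from_outside": packet("tcp", "203.0.113.9", 40000, OIP, 80, "in", OIF, syn=True),
    }
    return {name: verdict(rules, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (action, num) in dns_check().items():
        print(f"{name:32} {action:4} rule {num if num else 'default (65535)'}")
```

The case to look at is `udp_query_from_ephemeral_port`: a UDP query to the name server from any source port other than 53 matches no rule and falls to the default deny, while the same server accepts TCP to port 53 at rule 9 and a UDP query sent from port 53 at rule 12. A 2000-era BIND 8 secondary queried from port 53, so the ISP's server would get through, but a stub resolver running `nslookup` from outside uses an ephemeral port, and every resolver since source-port randomisation does too. If that is the intent, the tracer shows that adding `pass udp from any to ${oip} 53` for the query and `pass udp from ${oip} 53 to any` for the reply, placed with the other UDP rules, lets the ephemeral-port query through without widening anything else.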