From owner-freebsd-net Tue Mar 13 13:17:34 2001
Delivered-To: freebsd-net@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 88BA737B728 for ; Tue, 13 Mar 2001 13:17:30 -0800 (PST) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f2DLl8814317; Tue, 13 Mar 2001 15:47:08 -0600 (CST) (envelope-from nick@rogness.net)
Date: Tue, 13 Mar 2001 15:47:08 -0600 (CST)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Peter Brezny
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: problem with secondary dns update through ipfw firewall
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 13 Mar 2001, Peter Brezny wrote:

> I've got a problem with secondary DNS servers not being able to get
> updates from my primary through its firewall.
>
> The firewall rules on the primary dns server (pertaining to dns) look
> like this. I thought I had my bases covered...
>
>
> # Allow DNS traffic from internet to query your DNS (for reverse
> # lookups etc).
> $fwcmd add allow tcp from any 53 to $ns1 53 setup
> $fwcmd add allow udp from any to $ns1 53
> $fwcmd add allow udp from $ns1 53 to any

	You are only allowing the setup of the zone transfer.  You need
	to allow established traffic as well (tcp port 53).

	$fwcmd add allow tcp from any 53 to any 53

	This isn't very secure though.  You can write more specific ipfw
	rules that make this a little more secure.

> I've also got:
>
> query-source address 209.16.228.145 port 53;
>
> In my named.conf on the primary dns server...
>
> However when secondaries create zone files, they are blank.  I get the
> feeling it's a firewall problem because, when I configure the
> secondaries to use an internal address of the primary dns server
> (which has a keep-state allow all internal rule) in my test
> environment, the updates occur as expected.

	Yes, it is a firewall issue.

Nick Rogness  - Keep on routing in a Free World...
  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
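The exchange above turns on one fact: a zone transfer (AXFR) is a TCP connection that the secondary opens to port 53 of the primary, and every segment after the SYN, in both directions, has to get past the firewall as well. The following is an added example, not code from the thread or from FreeBSD's rc.firewall: a small Python model of ipfw first-match evaluation (address/port matching, the `setup` and `established` TCP-flag options, `keep-state` dynamic rules, default deny) that traces the first four segments of an AXFR through Peter's ruleset and through two corrected rulesets. The secondary's address 198.51.100.7 and its source port 40123 are constructed; BIND normally opens the transfer from an ephemeral port, so the flow is traced both that way and with the source port pinned to 53, which is the only case Peter's `from any 53 ... setup` rule can match.

```python
"""Trace a TCP/53 zone transfer (AXFR) through a few ipfw rulesets.

A small model of ipfw(8) first-match evaluation: address/port matching, the
'setup' and 'established' TCP-flag options, and 'keep-state' dynamic rules.
The default policy is deny, as with a default FreeBSD IPFIREWALL kernel.
The secondary's address and ports below are constructed for the demo.
"""
from collections import namedtuple

NS1 = "209.16.228.145"      # the primary, from the thread
SECONDARY = "198.51.100.7"  # constructed: a secondary outside the firewall

Packet = namedtuple("Packet", "proto src sport dst dport syn ack", defaults=(False, False))
Rule = namedtuple("Rule", "action proto src sport dst dport opts")


def parse_rule(text):
    """Parse 'ACTION PROTO from SRC [PORT] to DST [PORT] [setup|established|keep-state]'."""
    tok = text.split()
    if tok[2] != "from":
        raise ValueError(text)
    i, sport, dport = 3, None, None
    src, i = tok[i], i + 1
    if tok[i] != "to":                  # optional source port
        sport, i = int(tok[i]), i + 1
    if tok[i] != "to":
        raise ValueError(text)
    dst, i = tok[i + 1], i + 2
    if i < len(tok) and tok[i].isdigit():  # optional destination port
        dport, i = int(tok[i]), i + 1
    return Rule(tok[0], tok[1], src, sport, dst, dport, frozenset(tok[i:]))


def static_match(rule, pkt):
    """Does the packet match the rule's static (non-dynamic) part?"""
    if rule.proto not in ("ip", pkt.proto):
        return False
    for pat, val in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if pat not in ("any", val):
            return False
    for pat, val in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if pat is not None and pat != val:
            return False
    if "setup" in rule.opts and not (pkt.syn and not pkt.ack):
        return False                    # setup: SYN set, ACK clear
    if "established" in rule.opts and not pkt.ack:
        return False                    # established: ACK set
    return True


def _flow(pkt):
    # Direction-independent key, so replies match the dynamic entry too.
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


def run_ruleset(rules, flow):
    """Return the verdict ('allow'/'deny') for each packet of the flow, in order."""
    parsed = [parse_rule(r) for r in rules]
    dynamic = set()                     # flows admitted by a keep-state rule
    verdicts = []
    for pkt in flow:
        verdict = "deny"                # rule 65535 in a default-deny kernel
        for rule in parsed:
            if "keep-state" in rule.opts and _flow(pkt) in dynamic:
                verdict = "allow"       # keep-state also checks dynamic rules
                break
            if static_match(rule, pkt):
                if "keep-state" in rule.opts:
                    dynamic.add(_flow(pkt))
                verdict = rule.action
                break
        verdicts.append(verdict)
    return verdicts


def axfr_flow(secondary_port):
    """First four segments of an AXFR: the secondary connects to ns1 port 53."""
    s, n = SECONDARY, NS1
    return [
        Packet("tcp", s, secondary_port, n, 53, syn=True),            # SYN
        Packet("tcp", n, 53, s, secondary_port, syn=True, ack=True),  # SYN/ACK
        Packet("tcp", s, secondary_port, n, 53, ack=True),            # ACK + AXFR query
        Packet("tcp", n, 53, s, secondary_port, ack=True),            # zone data back
    ]


# The rules from the thread, with $ns1 expanded.
ORIGINAL = [
    f"allow tcp from any 53 to {NS1} 53 setup",
    f"allow udp from any to {NS1} 53",
    f"allow udp from {NS1} 53 to any",
]
# Stateful fix: admit the SYN from any source port and remember the flow, so
# the rest of that connection passes in both directions and nothing else does.
STATEFUL = [f"allow tcp from any to {NS1} 53 setup keep-state"] + ORIGINAL[1:]
# Static fix: setup plus 'established' in both directions, pinned to ns1:53.
STATIC = [
    f"allow tcp from any to {NS1} 53 setup",
    f"allow tcp from any to {NS1} 53 established",
    f"allow tcp from {NS1} 53 to any established",
] + ORIGINAL[1:]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("stateful", STATEFUL), ("static", STATIC)):
        for port in (40123, 53):
            print(f"{name:9} secondary port {port:5}: {run_ruleset(rules, axfr_flow(port))}")
```

Run stand-alone, the script shows the two failure modes of the original rules: with an ephemeral source port not even the SYN matches, because the `setup` rule requires source port 53; with the source port pinned to 53 the SYN is admitted and the SYN/ACK and zone data fall through to the default deny, which is the "only allowing the setup" symptom Nick describes. Both corrected rulesets pass all four segments. They also stay specific in the sense Nick means: a constructed stray segment with ACK set aimed at port 25 on ns1 is still denied by both, whereas a bare `allow tcp from any to any established` would admit it, since that rule trusts the ACK bit alone.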