Date:      Fri, 12 May 2000 14:49:44 -0400
From:      "Steffen Vorrix" <steffen@ntr.net>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Reverse DNS problem
Message-ID:  <001601bfbc42$d6f3ab60$fd03a8c0@ws028>


[-- Attachment #1 --]
This may not be the place to post this question, but I originally posted on freebsd-questions and didn't get any response. 

I have a problem that I believe is related to IPFW and reverse DNS, but I am not completely sure.  I am having trouble connecting to an ftp server from my corporate office with any client you choose, from CuteFTP 9X/NT machines to console ftp from FreeBSD boxes, INCLUDING the firewall console.  Both locations are protected by FreeBSD firewalls.  At the server end, I actually have TWO FTP servers running that I am connecting to that are running Microsoft FTP under IIS.  (I know, believe me, that these are the worst ever FTP daemons)  One of the servers has a reverse DNS entry, and the other doesn't.  The one WITH the reverse DNS entry works just fine.  I can log in and send/receive files just fine from any client at the corporate office, including the firewall console.  On the server WITHOUT the reverse DNS entry, I can log in, but I cannot transfer anything at all, in either active or passive mode.  It tells me that it is opening the port, then it just appears to stop responding.  However, anybody else from the outside world can connect just fine.  My thought is that the firewall on the corporate end of things is blocking the traffic coming from the server without a reverse DNS.  I know these Checkpoint by ISS and Raptor by Eagle can do this, as I have worked with both of those.  (They are bloody expensive, too, which is why my boss put in FreeBSD.)

Here is what I have done so far to try and test my theory:

I set up another FreeBSD computer connected directly to the router at the corporate office.  When I am using this new FreeBSD box under the generic kernel with all appropriate firewall rules commented out from rc.conf, everything works fine, and I can send and receive files to each of the Microsoft FTP servers.  However, as soon as I boot with the firewall kernel from this new FreeBSD box with the appropriate lines turned on in rc.conf and rc.firewall, the server with the reverse DNS entry works fine, but the server without the reverse DNS entry will not do any transfers, etc.  I was thinking that perhaps there was a flag, similar in nature to the DENY RFC 931 in the hosts.allow that would filter out anyone without a reverse DNS entry.

Oh, and the firewall rules on the new BSD box are the same as on the current firewall.  Those rules are (from ipfw list):

100 divert 8668 ip from any to any via dc0
105 allow ip from any to any

Is there such a flag, or do I have something else going on?  Since the servers are under my control, I am sure that I can have the ISP add a reverse DNS entry, but what happens when I find someone without a reverse DNS entry that I need to connect to? 

Oh, and I added each of the server entries into the /etc/hosts file in an effort to fix the problem, but that had no impact.  Any help/insight would be GREATLY appreciated.

Thanks so much in advance...
Chris Schremser
ZirMed.com
steffen@ntr.net
chriss@zirmed.com
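The post describes a data transfer that stalls right after the client reports "opening the port", with a `divert` (natd) rule in front of an allow-all ruleset. As an added diagnostic example that is not part of the original post, the code below parses an FTP `227` PASV reply (RFC 959 format) and classifies the advertised data endpoint against the control connection's peer, which separates a NAT/data-channel problem from a reverse-DNS hypothesis. The reply strings and peer addresses are constructed sample values.

```python
"""Check whether an FTP PASV reply advertises a data endpoint the client can reach.

A transfer that hangs after "opening the port" means the secondary data connection
never completes. Comparing the advertised address with the control-connection peer
is a cheap first check before looking at reverse DNS.
"""
import ipaddress
import re
from typing import Optional, Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges; an address in these cannot be reached across the Internet.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None if the reply is not a valid PASV answer."""
    if not reply.startswith("227"):
        return None
    m = _PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def diagnose_pasv(reply: str, control_peer: str) -> str:
    """Classify the advertised data endpoint relative to the control connection's peer address."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    host, port = parsed
    addr = ipaddress.ip_address(host)
    if addr.is_loopback or any(addr in net for net in _RFC1918):
        # Server behind NAT handing out its internal address: the client can never reach it.
        return "unreachable-private"
    if host != control_peer:
        # Could be a multi-homed server; not necessarily broken, but worth checking.
        return "mismatch"
    if port < 1024:
        return "privileged-port"
    return "ok"


if __name__ == "__main__":
    sample = "227 Entering Passive Mode (192,168,1,10,19,136)"  # constructed sample reply
    print(parse_pasv(sample), diagnose_pasv(sample, "203.0.113.5"))
```

Running the same check against the PORT command the client sends in active mode (same `h1,...,p2` encoding) covers the other half of the post's symptom.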




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001601bfbc42$d6f3ab60$fd03a8c0>