Date: Fri, 12 May 2000 14:49:44 -0400
From: "Steffen Vorrix" <steffen@ntr.net>
To: <freebsd-ipfw@freebsd.org>
Subject: Reverse DNS problem
Message-ID: <001601bfbc42$d6f3ab60$fd03a8c0@ws028>
This may not be the place to post this question, but I originally posted on freebsd-questions and didn't get any response.

I have a problem that I believe is related to IPFW and reverse DNS, but I am not completely sure. I am having trouble connecting to an ftp server from my corporate office with any client you choose, from CuteFTP 9X/NT machines to console ftp from FreeBSD boxes, INCLUDING the firewall console. Both locations are protected by FreeBSD firewalls. At the server end, I actually have TWO FTP servers running that I am connecting to that are running Microsoft FTP under IIS. (I know, believe me, that these are the worst ever FTP daemons.) One of the servers has a reverse DNS entry, and the other doesn't. The one WITH the reverse DNS entry works just fine. I can log in and send/receive files just fine from any client at the corporate office, including the firewall console. On the server WITHOUT the reverse DNS entry, I can log in, but I cannot transfer anything at all, in either active or passive mode. It tells me that it is opening the port, then it just appears to stop responding. However, anybody else from the outside world can connect just fine. My thought is that the firewall on the corporate end of things is blocking the traffic coming from the server without a reverse DNS. I know that Checkpoint by ISS and Raptor by Eagle can do this, as I have worked with both of those. (They are bloody expensive, too, which is why my boss put in FreeBSD.)

Here is what I have done so far to try and test my theory:

I set up another FreeBSD computer connected directly to the router at the corporate office. When I am using this new FreeBSD box under the generic kernel with all appropriate firewall rules commented out from rc.conf, everything works fine, and I can send and receive files to each of the Microsoft FTP servers. However, as soon as I boot with the firewall kernel from this new FreeBSD box with the appropriate lines turned on in rc.conf and rc.firewall, the server with the reverse DNS entry works fine, but the server without the reverse DNS entry will not do any transfers, etc. I was thinking that perhaps there was a flag, similar in nature to the DENY RFC 931 in the hosts.allow, that would filter out anyone without a reverse DNS entry.

Oh, and the firewall rules on the new BSD box are the same as on the current firewall. Those rules are (from ipfw list):

100 divert 8668 ip from any to any via dc0
105 allow ip from any to any

Is there such a flag, or do I have something else going on? Since the servers are under my control, I am sure that I can have the ISP add a reverse DNS entry, but what happens when I find someone without a reverse DNS entry that I need to connect to?

Oh, and I added each of the server entries into the /etc/hosts file in an effort to fix the problem, but that had no impact. Any help/insight would be GREATLY appreciated.

Thanks so much in advance...
Chris Schremser
ZirMed.com
steffen@ntr.net
chriss@zirmed.com
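The two rules quoted in the post are the whole of the poster's filter. As an added example (not code from this thread, from FreeBSD or from natd), here is a small Python evaluator for the subset of ipfw(8) rule syntax those two lines use, run against constructed FTP control and data packets in both active and passive mode. It shows what such rules can decide on: protocol, addresses, ports and the interface, and nothing else; the peer's reverse-DNS name is carried in the packet record only to make visible that no rule ever reads it. ipfw will accept a hostname in a rule, but resolves it to an address once, when the rule is installed, so even then the check at match time is an address comparison. Rule 105 admits everything, so with this ruleset nothing is filtered at all; a third, constructed rule shows what a rule that actually stops active-mode data connections would have to name. The client and server addresses, ports and the default-rule verdict are assumptions made for the example; natd's address rewriting is not modelled, only the fact that a diverted packet re-enters the ruleset after the divert rule.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not from the thread: an evaluator for the ipfw(8) rule
# syntax shown in the post. Addresses and ports below are constructed.

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str                      # interface the packet crosses (ipfw "via")
    peer_ptr: Optional[str] = None  # reverse-DNS name of the peer; no rule reads it

@dataclass
class Rule:
    number: int
    action: str                           # "allow", "deny" or "divert"
    divert_port: Optional[int]            # natd socket for a divert rule
    proto: str                            # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    via: Optional[str]

# number action [divert-port] proto from src [port] to dst [port] [via iface]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|divert)(?:\s+(?P<divport>\d+))?\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?(?:\s+via\s+(?P<via>\S+))?\s*$"
)

def _addr(token: str) -> Optional[ipaddress.IPv4Network]:
    # Only addresses/prefixes and "any" are accepted here; real ipfw also takes
    # hostnames, but resolves them to addresses when the rule is installed.
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_rules(text: str) -> list:
    """Parse 'ipfw list' style output into Rule objects ordered by rule number."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        port = lambda tok: None if tok is None else int(tok)
        rules.append(Rule(int(m["num"]), m["action"], port(m["divport"]), m["proto"],
                          _addr(m["src"]), port(m["sport"]),
                          _addr(m["dst"]), port(m["dport"]), m["via"]))
    return sorted(rules, key=lambda r: r.number)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion is a protocol, address, port or interface; nothing else."""
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.via is None or rule.via == pkt.iface))

def evaluate(rules: list, pkt: Packet) -> tuple:
    """First-match search. A divert rule hands the packet to natd, which
    reinjects it after that rule, so the search simply continues (natd's
    address rewriting is not modelled). Unmatched packets hit the default rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == "divert":
                continue
            return rule.number, rule.action
    return 65535, "deny"   # assumed default rule (kernel not built to accept by default)

POSTED_RULES = """\
100 divert 8668 ip from any to any via dc0
105 allow ip from any to any
"""
CLIENT = "192.168.3.20"   # constructed corporate client address
SERVER = "203.0.113.10"   # constructed FTP server address (no PTR record)

def ftp_session_verdicts(rules: list, mode: str) -> dict:
    """Verdicts for the control connection and the data connection of one transfer."""
    control = Packet("tcp", CLIENT, 40000, SERVER, 21, "dc0")
    if mode == "passive":
        # PASV: the client opens the data connection to the port the server announced
        data = Packet("tcp", CLIENT, 40001, SERVER, 50000, "dc0")
    else:
        # PORT: the server connects back from port 20 to the port the client announced
        data = Packet("tcp", SERVER, 20, CLIENT, 40001, "dc0")
    return {"control": evaluate(rules, control), "data": evaluate(rules, data)}

if __name__ == "__main__":
    posted = parse_rules(POSTED_RULES)
    for mode in ("active", "passive"):
        print(mode, ftp_session_verdicts(posted, mode))
    # A rule that really stops active-mode transfers names a port and a prefix,
    # not a DNS property of the peer (constructed rule, not from the post):
    strict = parse_rules(POSTED_RULES + "102 deny tcp from any 20 to 192.168.3.0/24\n")
    print("active, strict:", ftp_session_verdicts(strict, "active"))
```

Under the posted rules every packet, in either FTP mode and with or without a PTR record on the peer, ends at rule 105 and is allowed, so the ruleset NATs but does not filter; the constructed rule 102 is the shape a rule has to take before the firewall can block anything at all, and it blocks by source port and destination prefix.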
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001601bfbc42$d6f3ab60$fd03a8c0>