From: "Steffen Vorrix" <steffen@ntr.net>
To: freebsd-ipfw@freebsd.org
Subject: Reverse DNS problem
Date: Fri, 12 May 2000 14:49:44 -0400

This may not be the place to post this question, but I originally posted on freebsd-questions and didn't get any response.

I have a problem that I believe is related to IPFW and reverse DNS, but I am not completely sure. I am having trouble connecting to an ftp server from my corporate office with any client you choose, from CuteFTP 9X/NT machines to console ftp from FreeBSD boxes, INCLUDING the firewall console. Both locations are protected by FreeBSD firewalls. At the server end, I actually have TWO FTP servers running that I am connecting to that are running Microsoft FTP under IIS. (I know, believe me, that these are the worst ever FTP daemons.) One of the servers has a reverse DNS entry, and the other doesn't. The one WITH the reverse DNS entry works just fine. I can log in and send/receive files just fine from any client at the corporate office, including the firewall console. On the server WITHOUT the reverse DNS entry, I can log in, but I cannot transfer anything at all, in either active or passive mode. It tells me that it is opening the port, then it just appears to stop responding. However, anybody else from the outside world can connect just fine. My thought is that the firewall on the corporate end of things is blocking the traffic coming from the server without a reverse DNS. I know that Checkpoint by ISS and Raptor by Eagle can do this, as I have worked with both of those. (They are bloody expensive, too, which is why my boss put in FreeBSD.)

Here is what I have done so far to try and test my theory:

I set up another FreeBSD computer connected directly to the router at the corporate office. When I am using this new FreeBSD box under the generic kernel with all appropriate firewall rules commented out from rc.conf, everything works fine, and I can send and receive files to each of the Microsoft FTP servers. However, as soon as I boot with the firewall kernel from this new FreeBSD box with the appropriate lines turned on in rc.conf and rc.firewall, the server with the reverse DNS entry works fine, but the server without the reverse DNS entry will not do any transfers, etc. I was thinking that perhaps there was a flag, similar in nature to the DENY RFC 931 in the hosts.allow, that would filter out anyone without a reverse DNS entry.

Oh, and the firewall rules on the new BSD box are the same as on the current firewall. Those rules are (from ipfw list):

    100 divert 8668 ip from any to any via dc0
    105 allow ip from any to any

Is there such a flag, or do I have something else going on? Since the servers are under my control, I am sure that I can have the ISP add a reverse DNS entry, but what happens when I find someone without a reverse DNS entry that I need to connect to?

Oh, and I added each of the server entries into the /etc/hosts file in an effort to fix the problem, but that had no impact. Any help/insight would be GREATLY appreciated.

Thanks so much in advance...
Chris Schremser
ZirMed.com
steffen@ntr.net
chriss@zirmed.com
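As an added diagnostic (not part of the message above, and not FreeBSD or ipfw code), a Python probe that splits the reported symptom into its parts: whether the control-channel login succeeds, which address and port the server advertises in its PASV reply, whether that data connection actually opens, and whether the server's address has a PTR record, so the reverse-DNS suspicion can be correlated with the data-channel failure rather than guessed at. The sample 227 reply and the anonymous login defaults are constructed assumptions.

```python
import re
import socket
from ftplib import FTP

# Constructed sample 227 reply (documentation address, not a host from the post).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,4,1)."
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (host, port) advertised in a 227 PASV reply; raise ValueError otherwise."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def classify_data_endpoint(control_peer, data_host):
    """A server behind NAT often advertises an address other than the one the
    control connection reaches; such a mismatch usually explains a data channel that never opens."""
    return "consistent" if data_host == control_peer else "mismatch"

def has_ptr_record(ip):
    """True if the address resolves in reverse DNS (the variable the poster suspects)."""
    try:
        socket.gethostbyaddr(ip)
        return True
    except OSError:
        return False

def probe(host, user="anonymous", password="guest@", timeout=10):
    """Log in, request PASV, then open the data connection separately, so a hang
    on the data channel is reported apart from a working control channel."""
    ftp = FTP()
    ftp.connect(host, 21, timeout=timeout)
    ftp.login(user, password)
    control_peer = ftp.sock.getpeername()[0]
    data_host, data_port = parse_pasv(ftp.sendcmd("PASV"))
    try:
        with socket.create_connection((data_host, data_port), timeout=timeout):
            data_ok = True
    except OSError:
        data_ok = False
    ftp.close()
    return {"control_peer": control_peer, "ptr": has_ptr_record(control_peer),
            "data_endpoint": (data_host, data_port),
            "advertised": classify_data_endpoint(control_peer, data_host),
            "data_connect": data_ok}
```

Running `probe()` once against each of the two servers, first with the firewall rules disabled and then with them enabled, gives four records whose `ptr` and `data_connect` fields show directly whether the PTR record tracks the failure or whether the advertised endpoint is the real variable.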