From owner-freebsd-isp Mon Apr 23 10:59:10 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from smtp.kka.com (smtp.kka.com [63.141.65.2]) by hub.freebsd.org (Postfix) with ESMTP id D068C37B422 for ; Mon, 23 Apr 2001 10:59:02 -0700 (PDT) (envelope-from Eric_Stanfield@kenokozie.com)
Subject: Re: dns transfer through ipfw keep-state rule not working
To: Peter Brezny
Cc: freebsd-isp@freebsd.org
X-Mailer: Lotus Notes Release 5.0.2a November 23, 1999
Message-ID:
From: Eric_Stanfield@kenokozie.com
Date: Mon, 23 Apr 2001 12:58:22 -0500
X-MIMETrack: Serialize by Router on Notes1st/Keno(Release 5.0.4 |June 8, 2000) at 04/23/2001 12:58:29 PM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Perhaps it's just a typo, but you aren't allowing zone transfers from
209.16.228.146 in your named.conf file.

FW Rule:

    $fwcmd add allow all from 209.16.228.146 to $ns1

Named.conf:

    allow-transfer {
            209.16.228.140;         //virtual/ns2
            207.230.75.34;          //ns1.deltacom.net
            207.230.75.50;
    };

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eric Stanfield, K2Access
Keno Kozie Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000


Peter Brezny
Sent by: owner-freebsd-isp@FreeBSD.ORG
04/23/01 12:24 PM
cc:
Subject: dns transfer through ipfw keep-state rule not working

In a somewhat desperate attempt to convince my firewall to allow our
upstream provider to perform a zone transfer, I've added the following
line to the ipfw firewall.

    $fwcmd add allow all from 209.16.228.146 to $ns1 keep-state in via $oif

However, this is still not allowing a zone transfer. On occasion, the
secondary will write a file with a somewhat garbled name for the zone to
be transferred, but it is blank.

This firewall entry, however, works.

    $fwcmd add allow all from 209.16.228.146 to $ns1 in via $oif
    $fwcmd add allow all from $ns1 to 209.16.228.146 out via $oif

Why doesn't the above dynamic rule work?

My rc.conf options section is as follows.

TIA,
pb

    // $FreeBSD: src/etc/namedb/named.conf,v 1.6.2.1 2000/07/15 07:49:29 kris Exp $
    options {
            directory "/etc/namedb";
            forwarders {
                    207.230.75.34;          //ns1.deltacom.net
                    207.230.75.50;          //ns2.deltacom.net
                    206.191.128.46;         //c2901.wa.net
                    199.166.24.1;           //ns1.vrx.net
            };
            allow-transfer {
                    209.16.228.140;         //virtual/ns2
                    207.230.75.34;          //ns1.deltacom.net
                    207.230.75.50;          //ns2.deltacom.net
            };
            query-source address 209.16.228.145 port 53;
            transfer-source 209.16.228.145;
            listen-on { 209.16.228.145; 209.16.228.150; };
            dump-file "s/named_dump.db";
            pid-file "s/named.pid";
    };      //end of options

Peter Brezny
SysAdmin Services Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
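The mismatch Eric points out (the firewall admits 209.16.228.146, while allow-transfer lists 209.16.228.140) is the kind of thing worth checking mechanically before touching the ruleset again. The script below is an added example for this thread, not code from either poster: it strips named.conf comments, collects the addresses in allow-transfer, collects the literal source addresses of inbound ipfw allow rules, and reports the addresses present on one side only. The named.conf fragment and ipfw lines are constructed from what Peter posted; the shell variables $fwcmd, $ns1 and $oif are left unexpanded and only literal addresses are compared.

```python
"""Cross-check the hosts an ipfw ruleset admits to the name server against
the hosts named.conf lets transfer zones.

Added example for the thread above; not code from either poster.  The
named.conf fragment and the ipfw lines are constructed from the text of the
thread.  $fwcmd, $ns1 and $oif are left as the poster wrote them; only the
literal source address in each rule is compared.
"""
import re

# Constructed from Peter's posted options section.
NAMED_CONF = """\
options {
        allow-transfer {
                209.16.228.140;         //virtual/ns2
                207.230.75.34;          //ns1.deltacom.net
                207.230.75.50;          //ns2.deltacom.net
        };
        transfer-source 209.16.228.145;
};
"""

# Constructed from Peter's posted ipfw lines.
IPFW_RULES = """\
$fwcmd add allow all from 209.16.228.146 to $ns1 keep-state in via $oif
$fwcmd add allow all from $ns1 to 209.16.228.146 out via $oif
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def strip_comments(text):
    """Remove named.conf '/* */', '//' and '#' comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def allow_transfer_hosts(conf):
    """Return the set of IPv4 addresses listed in allow-transfer { ... }."""
    body = strip_comments(conf)
    hosts = set()
    for m in re.finditer(r"allow-transfer\s*\{([^}]*)\}", body):
        hosts.update(re.findall(IPV4, m.group(1)))
    return hosts


def ipfw_inbound_sources(rules):
    """Return the literal source addresses of 'add allow <proto> from X to ...'
    rules that carry the 'in' direction.  Rules whose source is a shell
    variable rather than an address are skipped."""
    sources = set()
    for line in rules.splitlines():
        m = re.search(r"\badd\s+allow\s+\S+\s+from\s+(%s)\s+to\s" % IPV4, line)
        if m and re.search(r"\bin\b", line):
            sources.add(m.group(1))
    return sources


def compare(conf, rules):
    """Return (firewall_only, named_only): addresses the firewall admits that
    named will refuse a transfer from, and addresses named trusts that no
    inbound firewall rule admits."""
    fw = ipfw_inbound_sources(rules)
    nc = allow_transfer_hosts(conf)
    return fw - nc, nc - fw


if __name__ == "__main__":
    fw_only, nc_only = compare(NAMED_CONF, IPFW_RULES)
    for host in sorted(fw_only):
        print("firewall admits %s but allow-transfer does not list it" % host)
    for host in sorted(nc_only):
        print("allow-transfer lists %s but no inbound ipfw rule admits it" % host)
```

Run against the posted configuration it flags 209.16.228.146 as admitted by the firewall but absent from allow-transfer, and the three allow-transfer hosts as having no matching inbound rule. It covers only the address mismatch; it says nothing about how the keep-state rule itself behaves.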