Date: Sun, 16 Dec 2001 01:13:14 -0600
From: "Dustin Puryear" <dpuryear@usa.net>
To: <freebsd-isp@freebsd.org>
Subject: Public DNS server and FreeBSD firewall
Message-ID: <PGECILGGNJGDPJKLFEMIKELFCJAA.dpuryear@usa.net>
In-Reply-To: <107624744755.20011211191506@buz.ch>
I am setting up a public DNS server and having a bit of a problem figuring out why it cannot query outside of our network. I am using FreeBSD 4.4-RELEASE on both the DNS server and firewall. Basically, when I try to resolve a host outside of my network the local named times out:

    Server:  XXXXX.com
    Address:  10.0.0.5

    *** XXXXXX.com can't find www.cdrom.com: Non-existent host/domain
    > www.google.com
    Server:  XXXXX.com
    Address:  10.0.0.5

    *** XXXX.com can't find www.google.com: Non-existent host/domain
    >

I can't figure out why, and darn if I am not getting any denied packet log entries in /var/log/security on the firewall.

I am using static NAT, with my DNS server having the internal address 10.0.0.5, but an external address of aa.bb.cc.dd. The ipfw entries that appear relevant are:

    # internal DNS..
    03000 allow udp from ww.xx.yy.zz to any 53 keep-state
    03100 allow tcp from ww.xx.yy.zz to any 53 keep-state
    # this is the public DNS server..
    03200 allow udp from aa.bb.cc.dd to any 53 keep-state
    03300 allow tcp from aa.bb.cc.dd to any 53 keep-state

This should allow my name servers to access any outside name servers, right? I even get dynamic rules that indicate some type of connection is being attempted:

    03200 0 0 (T 29, # 91) ty 0 udp, aa.bb.cc.dd 1196 <-> 66.135.0.10 53

Despite this entry the local named still times out. The weird thing is that the named running on the firewall, ww.xx.yy.zz (internal 10.0.0.1), works. But the named running on aa.bb.cc.dd (10.0.0.5) doesn't.

Note, the entire ruleset follows if you need more information:

    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 allow ip from any to any via nge0
    00500 deny ip from 10.0.0.0/24 to any in recv rl0
    00600 deny ip from public-network-XXX/26 to any in recv nge0
    00700 deny ip from any to 10.0.0.0/8 via rl0
    00800 deny ip from any to 172.16.0.0/12 via rl0
    00900 deny ip from any to 192.168.0.0/16 via rl0
    01000 deny ip from any to 0.0.0.0/8 via rl0
    01100 deny ip from any to 169.254.0.0/16 via rl0
    01200 deny ip from any to 192.0.2.0/24 via rl0
    01300 deny ip from any to 224.0.0.0/4 via rl0
    01400 deny ip from any to 240.0.0.0/4 via rl0
    01500 divert 8668 ip from any to any via rl0
    01600 deny ip from 10.0.0.0/8 to any via rl0
    01700 deny ip from 172.16.0.0/12 to any via rl0
    01800 deny ip from 192.168.0.0/16 to any via rl0
    01900 deny ip from 0.0.0.0/8 to any via rl0
    02000 deny ip from 169.254.0.0/16 to any via rl0
    02100 deny ip from 192.0.2.0/24 to any via rl0
    02200 deny ip from 224.0.0.0/4 to any via rl0
    02300 deny ip from 240.0.0.0/4 to any via rl0
    02400 allow tcp from any to any established
    02500 allow ip from any to any frag
    02800 allow tcp from any to any 22 keep-state
    02900 allow icmp from any to any keep-state
    03000 deny log logamount 10 tcp from any to any in recv rl0 setup
    03100 allow tcp from any to any setup
    03200 allow udp from ww.xx.yy.zz to any 53 keep-state
    03300 allow tcp from ww.xx.yy.zz to any 53 keep-state
    03400 allow udp from aa.bb.cc.dd to any 53 keep-state
    03500 allow tcp from aa.bb.cc.dd to any 53 keep-state
    65535 deny ip from any to any

Regards, Dustin

---
Dustin Puryear <dpuryear@usa.net>
Information Systems Consultant
http://members.telocity.com/~dpuryear
In the beginning the Universe was created. This has been widely regarded as a bad move.
        - Douglas Adams

> -----Original Message-----
> From: Gabriel Ambuehl [mailto:gabriel_ambuehl@buz.ch]
> Sent: Tuesday, December 11, 2001 12:15 PM
> To: Dustin Puryear
> Cc: isp@freebsd.org
> Subject: Re[10]: Using DNAT and DNS round-robin
>
> Hello Dustin,
>
> Tuesday, December 11, 2001, 6:29:35 PM, you wrote:
> > Yes, that is what I eventually found out. Apparently, unless you
> > have some type of special gear, you cannot do IP-based virtual
> > hosting in a load-sharing or -balancing environment. Now, doing HA
> > might not be too much work depending on what your requirements for
> > switch over time are.
>
> <10s is doable with standard gear. <1s is quite a bit harder but
> perhaps still doable.
>
> >> That's nice. I wished I were in the same situation...
> > Yes, it is nice. I have yet to do work for a company providing web
> > hosting to consumers, but I can see how it would have some real
> > challenges. But it
>
> It certainly has.
>
> > synchronization issue. NAS being one. A second is using a few
> > "shell" servers that automatically get replicated to your web
> > servers seems to be another.
>
> I've been thinking about that approach too, but it doesn't buy you
> much since there are still those morons that use the FS as DB...
>
> >> Squid should do the job too, more flexibly, but probably slower.
> > I played with Squid and it works nicely. Indeed, I liked the fact
> > that with Squid I can make my web cluster disappear from outsiders
> > and use Squid as a reverse proxy. However, since we dropped the
> > requirement for IP-based virtual hosting the point is moot. We will
> > be using just a standard configuration where we will DNS
> > round-robin between web servers.
>
> That's the easiest approach, of course. OTOH, I haven't got a very
> high opinion of DNS round robin since it essentially still lets the
> remote client fuck it up...
>
> Best regards,
> Gabriel
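Added example, not from either correspondent: a toy model of how ipfw's first-match walk, the natd divert rewrite and keep-state dynamic rules interact for the UDP/53 path described in the post, using the addresses quoted above. The rule subsets, the NAT table and the alternative ordering are assumptions; the alternative follows the natd-plus-keep-state layout from the FreeBSD Handbook (divert inbound before check-state, skipto from a keep-state rule to the outbound divert), and "aa.bb.cc.dd" is the post's own placeholder for the public address.

```python
# Toy model of ipfw first-match evaluation with natd translation and keep-state,
# using the addresses quoted in the thread. Rule subsets and the NAT table are
# constructed for illustration; "aa.bb.cc.dd" is the post's public-address placeholder.
EXT, INT, RESOLVER = "aa.bb.cc.dd", "10.0.0.5", "66.135.0.10"
NAT = {INT: EXT}                       # static NAT natd applies on rl0
UNNAT = {v: k for k, v in NAT.items()}

def key(p):                            # direction-independent UDP state key
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

def walk(rules, pkt, direction, dyn):
    """Walk rules (number, action, direction|None, keep_state, match_fn) for one
    packet; divert rewrites pkt like natd, dyn is the dynamic-state set."""
    pkt, i, state_checked = dict(pkt), 0, False
    while i < len(rules):
        num, action, dirn, keep, match = rules[i]
        i += 1
        if dirn not in (None, direction):
            continue
        if action == "divert":         # translate in place, keep walking
            if direction == "out": pkt["src"] = NAT.get(pkt["src"], pkt["src"])
            else: pkt["dst"] = UNNAT.get(pkt["dst"], pkt["dst"])
            continue
        if (keep or action == "check-state") and not state_checked:
            state_checked = True       # dynamic rules are consulted once, at the
            if key(pkt) in dyn:        # first keep-state or check-state rule
                return num, "allow (dynamic)"
        if action != "check-state" and match(pkt):
            if keep: dyn.add(key(pkt)) # state keyed on the packet as seen HERE
            if action.startswith("skipto"):
                i = next(j for j, r in enumerate(rules) if r[0] >= int(action[7:]))
                continue
            return num, action
    return 65535, "deny"               # implicit default deny: silent, never logged
ANY = lambda p: True
to_private = lambda p: p["dst"].startswith("10.")
dns_from = lambda a: (lambda p: p["src"] == a and p["dport"] == 53)
# Order from the post: deny-to-10/8, divert, then "udp from aa.bb.cc.dd to any 53 keep-state".
POSTED = [(700, "deny", None, False, to_private), (1500, "divert", None, False, ANY),
          (3400, "allow", None, True, dns_from(EXT))]
# Alternative order (an assumption, after the Handbook's natd+keep-state layout):
# inbound is translated before check-state, outbound creates state on the
# internal address and skips to the divert, so the state key and the reply agree.
ALT = [(110, "divert", "in", False, ANY), (120, "check-state", None, False, ANY),
       (400, "skipto 800", "out", True, dns_from(INT)),
       (800, "divert", "out", False, ANY), (801, "allow", "out", False, ANY)]
QUERY = {"src": INT, "sport": 1196, "dst": RESOLVER, "dport": 53}   # named's query
REPLY = {"src": RESOLVER, "sport": 53, "dst": EXT, "dport": 1196}   # resolver's answer
def trace(rules):                      # query out, reply in; return both verdicts
    dyn = set()
    return walk(rules, QUERY, "out", dyn)[1], walk(rules, REPLY, "in", dyn)[1]
```

`trace(POSTED)` gives ('allow', 'deny') and `trace(ALT)` gives ('allow', 'allow (dynamic)'): in the posted order the dynamic state is keyed on aa.bb.cc.dd, but by the time the reply reaches the first keep-state rule natd has already rewritten its destination to 10.0.0.5, so it matches nothing and falls through to the default deny, which writes no log entry.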