SLP9 - DNS on FW with MASQ
I'm fairly new to SuSE 9.0 and am running a small network with firewall on a SuSE Prof 9.0 box, with Linux and NT2000 machines behind it. I have implemented masquerading and the Squid proxy server with no problem. I can get BIND9 to run happily on a SP9 box behind the firewall, but cannot get it to run ON the firewall. I think that DNS is set up ok, as everything runs fine on the firewall when using SuSEfirewall2 test (i.e. no firewall as no packets dropped). I really need some help here! My firewall settings are as follows.

FW_QUICKMODE="no"
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="domain www 3128"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data DNS"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128 0/0,192.168.0.0/24,tcp,21,3128"
FW_REDIRECT="192.168.0.0/24,0/0,udp,80,3128 192.168.0.0/24,0/0,udp,21,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""

Thanks! Dave Barnes
On Sunday 08 February 2004 18.17, David Barnes MSc wrote:
I'm fairly new to SuSE 9.0 and am running a small network with firewall on a SuSE Prof 9.0 box, with Linux and NT2000 machines behind it.
I have implemented masquerading and the Squid proxy server with no problem.
I can get BIND9 to run happily on a SP9 box behind the firewall, but cannot get it to run ON the firewall.
I think that DNS is set up ok, as everything runs fine on the firewall when using SuSEfirewall2 test (i.e. no firewall as no packets dropped).
I really need some help here!
Your config looks fine. I can only offer this experience I've had: if the firewall is started (or restarted) after the name server has started, the name server stops working and will have to be restarted (rcnamed restart). After a restart, it works fine.
* David Barnes MSc;
FW_SERVICES_INT_TCP="domain www 3128"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data DNS"

DNS over TCP is used only for zone transfers, should they become necessary; normally you would not put DNS here.
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
I would add DNS here. "domain" means port 53 only; when you have DNS, SuSEfirewall2 checks the entries in your /etc/resolv.conf and adds the nameservers as permitted sources.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
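The settings Togan is reviewing are plain shell-style assignments, so the review can be scripted. The following is an added example, not part of the thread and not SuSEfirewall2's own code: it reads KEY="value" lines the way the shell does (the last assignment of a variable wins), then reports duplicate assignments such as the two FW_REDIRECT lines in the posted config, anything opened on the external interface, and "DNS" listed under the TCP high-port rule. The embedded sample is a condensed copy of the posted settings; the function names are my own.

```python
"""Audit a SuSEfirewall2-style sysconfig file (added example, not SuSE code)."""
import re
from typing import Dict, List, Tuple

# One KEY="value" assignment per line; values may contain spaces and commas.
ASSIGN_RE = re.compile(r'^\s*(FW_[A-Z0-9_]+)="([^"]*)"\s*$')

# Constructed sample: a condensed copy of the config posted in the thread.
SAMPLE_CONFIG = """\
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_INT_TCP="domain www 3128"
FW_SERVICES_INT_UDP="domain"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data DNS"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
FW_SERVICE_DNS="no"
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128 0/0,192.168.0.0/24,tcp,21,3128"
FW_REDIRECT="192.168.0.0/24,0/0,udp,80,3128 192.168.0.0/24,0/0,udp,21,3128"
"""


def parse_config(text: str) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Return (effective value per variable, number of assignments per variable)."""
    values: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not an FW_ assignment
        key, val = m.groups()
        values[key] = val  # like the shell: a later assignment silently replaces an earlier one
        counts[key] = counts.get(key, 0) + 1
    return values, counts


def audit(text: str) -> List[str]:
    """Return human-readable findings for the things a reviewer of this config looks at."""
    values, counts = parse_config(text)
    findings: List[str] = []

    # 1. Duplicate assignments: only the last one takes effect, the rest are dead text.
    for key, n in counts.items():
        if n > 1:
            findings.append(
                f"{key} assigned {n} times; only the last value takes effect: {values[key]!r}")

    # 2. Services opened towards the external interface (FW_DEV_EXT).
    ext_dev = values.get("FW_DEV_EXT", "?")
    for key in ("FW_SERVICES_EXT_TCP", "FW_SERVICES_EXT_UDP", "FW_SERVICES_EXT_IP"):
        services = values.get(key, "").split()
        if services:
            findings.append(f"{key} exposes {' '.join(services)} on {ext_dev}")

    # 3. "DNS" under the TCP high-port rule: TCP 53 is only needed for zone transfers.
    if "DNS" in values.get("FW_ALLOW_INCOMING_HIGHPORTS_TCP", "").split():
        findings.append(
            "DNS listed in FW_ALLOW_INCOMING_HIGHPORTS_TCP; TCP 53 is only needed for zone transfers")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against /etc/sysconfig/SuSEfirewall2 by reading the file into audit(); the third check is the one Togan raises, the first is what makes the second FW_REDIRECT line the only one that counts.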
Made the changes below and also tried restarting rcnamed after the firewall, as suggested by Togan and Anders. Got the following result on the firewall:

kimberly:/etc # dig www.blueyonder.co.uk @127.0.0.1

; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @127.0.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached

kimberly:/etc # dig www.blueyonder.co.uk @192.168.0.1

; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @192.168.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached

Also tried querying the firewall from another Linux box:

beverly:/home/dbarnes # dig www.blueyonder.co.uk @192.168.0.1

; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @192.168.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached

and using an external dns server:

beverly:/home/dbarnes # dig www.blueyonder.co.uk

; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64485
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.blueyonder.co.uk. IN A

;; ANSWER SECTION:
www.blueyonder.co.uk. 4525 IN A 62.30.31.86

;; AUTHORITY SECTION:
blueyonder.co.uk. 22657 IN NS ns.blueyonder.co.uk.
blueyonder.co.uk. 22657 IN NS ns2.blueyonder.co.uk.
blueyonder.co.uk. 22657 IN NS ns3.cableinet.net.

;; ADDITIONAL SECTION:
ns.blueyonder.co.uk. 22657 IN A 195.188.53.114
ns2.blueyonder.co.uk. 22657 IN A 195.188.53.113
ns3.cableinet.net. 122 IN A 194.117.152.85

;; Query time: 2 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Feb 8 18:59:53 2004
;; MSG SIZE rcvd: 168

So, no change really - dns from the firewall still doesn't work, but dns from _behind_ the firewall does. Totally bewildered by this!

On Sunday 08 February 2004 17:47, Togan Muftuoglu wrote:
* David Barnes MSc;
on 08 Feb, 2004 wrote:

FW_SERVICES_INT_TCP="domain www 3128"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data DNS"

DNS over TCP is used only for zone transfers, should they become necessary; normally you would not put DNS here.
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
I would add DNS here. "domain" means port 53 only; when you have DNS, SuSEfirewall2 checks the entries in your /etc/resolv.conf and adds the nameservers as permitted sources.
--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
* David Barnes MSc;
Made the changes below and also tried restarting rcnamed after the firewall, as suggested by Togan and Anders. So, no change really - dns from the firewall still doesn't work, but dns from _behind_ the firewall does. Totally bewildered by this!
what is your /etc/resolv.conf for the boxes behind the firewall?

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
On Sunday 08 February 2004 20:11, Togan Muftuoglu wrote:
* David Barnes MSc;
on 08 Feb, 2004 wrote: Made the changes below and also tried restarting rcnamed after the firewall, as suggested by Togan and Anders. So, no change really - dns from the firewall still doesn't work, but dns from _behind_ the firewall does. Totally bewildered by this!
what is your /etc/resolv.conf for the boxes behind the firewall?

The resolv.conf for beverly is:

search barnes
nameserver 192.168.0.3
nameserver 194.117.152.85

where 192.168.0.3 = beverly = intranet nameserver, and the resolv.conf for the firewall = 192.168.0.1 = kimberly is:

search barnes
#nameserver 192.168.0.3
nameserver 127.0.0.1
nameserver 194.117.152.85

NB: removing the commented line makes no difference.
--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
On Sunday 08 February 2004 21.58, David Barnes wrote:
nameserver 127.0.0.1
nameserver 194.117.152.85
two nameservers? You're worried it might not be able to contact localhost? :) What forwarders are you using in your bind config? Do you get any "DROP" lines in /var/log/messages when you dig @localhost ?
On Sunday 08 February 2004 21:01, Anders Johansson wrote:
On Sunday 08 February 2004 21.58, David Barnes wrote:
nameserver 127.0.0.1
nameserver 194.117.152.85

two nameservers? You're worried it might not be able to contact localhost? :)

I can contact the local host - it just doesn't do any good. With only localhost I get:

kimberly:/etc # dig www.blueyonder.co.uk

; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk
;; global options: printcmd
;; connection timed out; no servers could be reached

With both lines I get:

kimberly:/etc # dig www.blueyonder.co.uk

; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48593
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.blueyonder.co.uk. IN A

;; ANSWER SECTION:
www.blueyonder.co.uk. 14400 IN A 62.30.31.86

;; AUTHORITY SECTION:
blueyonder.co.uk. 28800 IN NS ns.blueyonder.co.uk.
blueyonder.co.uk. 28800 IN NS ns2.blueyonder.co.uk.
blueyonder.co.uk. 28800 IN NS ns3.cableinet.net.

;; ADDITIONAL SECTION:
ns.blueyonder.co.uk. 28800 IN A 195.188.53.114
ns2.blueyonder.co.uk. 28800 IN A 195.188.53.113
ns3.cableinet.net. 28800 IN A 194.117.152.85

;; Query time: 17 msec
;; SERVER: 194.117.152.85#53(194.117.152.85)
;; WHEN: Sun Feb 8 22:55:29 2004
;; MSG SIZE rcvd: 168
What forwarders are you using in your bind config?
forwarders { 194.117.152.85; };
Do you get any "DROP" lines in /var/log/messages when you dig @localhost ?
SuSE-FW-ILLEGAL-TARGET IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=202.12.27.33 DST=82.33.145.89 LEN=308 TOS=0x00 PREC=0x00 TTL=53 ID=17066 PROTO=UDP SPT=53 DPT=53 LEN=288

The firewall is definitely blocking the packets, because the dns works from the firewall if I run the firewall in test mode. (Unless I'm wrong, of course!)
Oops! made a mistake in my last post - there are no DROP lines in /var/log/messages when I do "dig @localhost www.blueyonder.co.uk" but the status is "REFUSED". Sorry about that.

kimberly:/var/lib/named/log # dig @localhost www.blueyonder.co.uk

; <<>> DiG 9.2.2 <<>> @localhost www.blueyonder.co.uk
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 54762
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.blueyonder.co.uk. IN A

;; Query time: 13 msec
;; SERVER: ::1#53(localhost)
;; WHEN: Tue Feb 10 15:28:27 2004
;; MSG SIZE rcvd: 38
I now have a definitive situation. When trying to resolve host names:

1.) From a server running BIND9 behind the firewall server - both local and internet queries work correctly.

2.) From the firewall server running BIND9 - the local query works correctly but the internet query fails as follows.

2.1.) Running firewall in TEST mode I get:
dig @localhost local.host.name - success with status NOERROR
dig @localhost internet.host.name - success with status NOERROR

2.2.) Running firewall in normal mode I get:
dig @localhost local.host.name - success with status NOERROR
dig @localhost internet.host.name - failure with status REFUSED and the following DROP lines in /var/log/messages:

Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=207 TOS=0x10 PREC=0x00 TTL=250 ID=46136 DF PROTO=UDP SPT=53 DPT=53 LEN=187
Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=475 TOS=0x10 PREC=0x00 TTL=250 ID=46137 DF PROTO=UDP SPT=53 DPT=53 LEN=455

3.) Running the firewall in normal mode and setting FW_SERVICES_EXT_TCP="domain":
dig @localhost local.host.name - success with status NOERROR
dig @localhost internet.host.name - success with status NOERROR
BUT port 53 on the firewall is open!

My problem is this - how can I get the firewall to allow DNS queries from the firewall machine to the internet without opening port 53? I have had this configuration working before in versions 7.0, 8.1 and 8.2 - but I just can't get it to work this way in 9.0 for some reason.
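The two DROP lines in the post above carry the diagnosis. Both are UDP packets from the forwarder's port 53 to port 53 on the firewall's own external address, which makes them replies to queries that the firewall's named sent from source port 53. FW_ALLOW_INCOMING_HIGHPORTS_UDP only admits replies addressed to unprivileged ports (1024 and above), so a reply to port 53 is never covered by that rule, while listing "domain" in FW_SERVICES_EXT_TCP or FW_SERVICES_EXT_UDP admits it only by accepting everyone's queries as well. The following added example (not from the thread and not SuSEfirewall2's code) parses netfilter log lines in the format shown and states, per dropped packet, which rule could have admitted it; the first two embedded lines are the ones posted above, the third is constructed to show the high-port case, and the function names are my own.

```python
"""Explain SuSEfirewall2 DROP lines from /var/log/messages (added example, not SuSE code)."""
import re
from typing import Dict, List

# Sample input: the first two lines are the ones posted in the thread; the third is
# constructed to show a reply addressed to an unprivileged port.
SAMPLE_LOG = """\
Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=207 TOS=0x10 PREC=0x00 TTL=250 ID=46136 DF PROTO=UDP SPT=53 DPT=53 LEN=187
Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=475 TOS=0x10 PREC=0x00 TTL=250 ID=46137 DF PROTO=UDP SPT=53 DPT=53 LEN=455
Feb 10 16:32:10 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=120 TOS=0x10 PREC=0x00 TTL=250 ID=46140 DF PROTO=UDP SPT=53 DPT=32901 LEN=100
"""

# The log prefix comes from FW_LOG ("--log-prefix SuSE-FW") plus the chain suffix.
PREFIX_RE = re.compile(r'\b(SuSE-FW-[A-Z-]+)\s')
# netfilter logs its fields as KEY=VALUE tokens; bare flags like "DF" have no "=".
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line: str) -> Dict[str, str]:
    """Turn one firewall log line into a dict of its fields; {} for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return {}
    rec = {"PREFIX": m.group(1)}
    for key, val in FIELD_RE.findall(line[m.end():]):
        if key == "LEN" and key in rec:
            rec["L4LEN"] = val  # the second LEN is the UDP/TCP length, the first the IP length
        else:
            rec.setdefault(key, val)
    return rec


def explain(rec: Dict[str, str], ext_dev: str = "eth1") -> str:
    """Say which SuSEfirewall2 setting could have admitted a dropped DNS reply."""
    if rec.get("PREFIX") != "SuSE-FW-DROP" or rec.get("IN") != ext_dev:
        return f"{rec.get('PREFIX')} on {rec.get('IN') or '-'}: not an inbound drop on {ext_dev}"
    if rec.get("PROTO") != "UDP" or rec.get("SPT") != "53":
        return f"{rec.get('PROTO')} {rec.get('SPT')}->{rec.get('DPT')}: not a DNS reply"
    dpt = int(rec["DPT"])
    if dpt >= 1024:
        return (f"DNS reply from {rec['SRC']} to high port {dpt}: "
                "FW_ALLOW_INCOMING_HIGHPORTS_UDP=\"domain\" should admit this; "
                "check that rule is active and the source is in /etc/resolv.conf")
    return (f"DNS reply from {rec['SRC']} to privileged port {dpt}: the resolver sent "
            f"its query from port {dpt}, which the high-port rule (1024-65535) never covers")


def explain_log(text: str, ext_dev: str = "eth1") -> List[str]:
    """One explanation per firewall log line; lines without a SuSE-FW prefix are skipped."""
    return [explain(rec, ext_dev) for rec in map(parse_line, text.splitlines()) if rec]


if __name__ == "__main__":
    for msg in explain_log(SAMPLE_LOG):
        print(msg)
```

Feed it `grep SuSE-FW /var/log/messages` on the firewall. The split it draws is the one behind the question at the end of the post: a resolver that sends from an unprivileged source port gets its replies through the existing high-port rule, whereas a resolver sending from port 53 only works once 53 is opened externally. Which named option controls that source port depends on the BIND version; in BIND 9 it is the query-source clause in named.conf (my note, not something the thread states).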
participants (4)
- Anders Johansson
- David Barnes
- David Barnes MSc
- Togan Muftuoglu