Made the changes below and also tried restarting rcnamed after the firewall, as suggested by Togan and Anders. Got the following result on the firewall: kimberly:/etc # dig www.blueyonder.co.uk @127.0.0.1 ; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @127.0.0.1 ;; global options: printcmd ;; connection timed out; no servers could be reached kimberly:/etc # dig www.blueyonder.co.uk @192.168.0.1 ; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @192.168.0.1 ;; global options: printcmd ;; connection timed out; no servers could be reached Also tried to the firewall from another linux box: beverly:/home/dbarnes # dig www.blueyonder.co.uk @192.168.0.1 ; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @192.168.0.1 ;; global options: printcmd ;; connection timed out; no servers could be reached and using an external dns server: beverly:/home/dbarnes # dig www.blueyonder.co.uk ; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64485 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;www.blueyonder.co.uk. IN A ;; ANSWER SECTION: www.blueyonder.co.uk. 4525 IN A 62.30.31.86 ;; AUTHORITY SECTION: blueyonder.co.uk. 22657 IN NS ns.blueyonder.co.uk. blueyonder.co.uk. 22657 IN NS ns2.blueyonder.co.uk. blueyonder.co.uk. 22657 IN NS ns3.cableinet.net. ;; ADDITIONAL SECTION: ns.blueyonder.co.uk. 22657 IN A 195.188.53.114 ns2.blueyonder.co.uk. 22657 IN A 195.188.53.113 ns3.cableinet.net. 122 IN A 194.117.152.85 ;; Query time: 2 msec ;; SERVER: 192.168.0.3#53(192.168.0.3) ;; WHEN: Sun Feb 8 18:59:53 2004 ;; MSG SIZE rcvd: 168 So, no change really - dns from the firewall still doesn't work, but dns from _behind_ the firewall does. Totally bewildered by this! ----------------------------------------------------------------------------------------------------------------- On Sunday 08 February 2004 17:47, Togan Muftuoglu wrote:

* David Barnes MSc; on 08 Feb, 2004 wrote:

...

FW_SERVICES_INT_TCP="domain www 3128" FW_SERVICES_INT_UDP="domain" FW_SERVICES_INT_IP="" FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_UDP="" FW_SERVICES_QUICK_IP="" FW_TRUSTED_NETS="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data DNS"

DNS in TCP is used only in zone tranfers should it becomes necessary normally you would not put DNS here

...

FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"

I would add DNS here. domain means port 53 only when you have DNS then SuSEfirewall2 checks the entries in your /etc/resolv.conf and add the nameservers as permitted sources

--

Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC.

Nisi defectum, haud refiecendum

On Sunday 08 February 2004 20:11, Togan Muftuoglu wrote:

* David Barnes MSc; on 08 Feb, 2004 wrote:

...

Made the changes below and also tried restarting rcnamed after the firewall, as suggested by Togan and Anders. So, no change really - dns from the firewall still doesn't work, but dns from _behind_ the firewall does. Totally bewildered by this!

what is your /etc/resolv.conf for the boxes behind the firewall

The resolv.conf for beverly is search barnes nameserver 192.168.0.3 nameserver 194.117.152.85 where 192.168.0.3 = beverly = intranet nameserver, and the resolve.conf for the firewall = 192.168.0.1 = kimberly is search barnes #nameserver 192.168.0.3 nameserver 127.0.0.1 nameserver 194.117.152.85 NB: removing the commented line makes no difference.

--

Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC.

Nisi defectum, haud refiecendum

On Sunday 08 February 2004 21:01, Anders Johansson wrote:

On Sunday 08 February 2004 21.58, David Barnes wrote:

...

nameserver 127.0.0.1 nameserver 194.117.152.85

two nameservers? You're worried it might not be able to contact localhost? :) I can contact the local host - it just doesn't do any good. With only localhost I get:

kimberly:/etc # dig www.blueyonder.co.uk ; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk ;; global options: printcmd ;; connection timed out; no servers could be reached With both lines I get: kimberly:/etc # dig www.blueyonder.co.uk ; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48593 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ;www.blueyonder.co.uk. IN A ;; ANSWER SECTION: www.blueyonder.co.uk. 14400 IN A 62.30.31.86 ;; AUTHORITY SECTION: blueyonder.co.uk. 28800 IN NS ns.blueyonder.co.uk. blueyonder.co.uk. 28800 IN NS ns2.blueyonder.co.uk. blueyonder.co.uk. 28800 IN NS ns3.cableinet.net. ;; ADDITIONAL SECTION: ns.blueyonder.co.uk. 28800 IN A 195.188.53.114 ns2.blueyonder.co.uk. 28800 IN A 195.188.53.113 ns3.cableinet.net. 28800 IN A 194.117.152.85 ;; Query time: 17 msec ;; SERVER: 194.117.152.85#53(194.117.152.85) ;; WHEN: Sun Feb 8 22:55:29 2004 ;; MSG SIZE rcvd: 168

What forwarders are you using in your bind config?

forwarders { 194.117.152.85; };

Do you get any "DROP" lines in /var/log/messages when you dig @localhost ?

SuSE-FW-ILLEGAL-TARGET IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=202.12.27.33 DST=82.33.145.89 LEN=308 TOS=0x00 PREC=0x00 TTL=53 ID=17066 PROTO=UDP SPT=53 DPT=53 LEN=288 The firewall is definitely blocking the packets, because the dns works from the firewall if I run the firewall in test mode. (Unless I'm wrong, of course!)

I now have a definitive situation. When trying to resolve host names: 1.) From a server running BIND9 behind the firewall server - both local and internet queries work correctly 2.) From the firewall server running BIND9 - the local query works correctly but the internet query fails as follows. 2.1.) Running firewall in TEST mode I get dig @localhost local.host.name - success with status NOERROR dig @localhost internet.host.name - success with status NOERROR 2.2.) Running firewall in normal mode I get dig @localhost local.host.name - success with status NOERROR dig @localhost internet.host.name - failure with status REFUSED and the following DROP lines in /var/log/messages Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=207 TOS=0x10 PREC=0x00 TTL=250 ID=46136 DF PROTO=UDP SPT=53 DPT=53 LEN=187 Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=475 TOS=0x10 PREC=0x00 TTL=250 ID=46137 DF PROTO=UDP SPT=53 DPT=53 LEN=455 3.) Running the firewall in normal mode and setting FW_SERVICES_EXT_TCP="domain" dig @localhost local.host.name - success with status NOERROR dig @localhost internet.host.name - success with status NOERROR BUT port 53 on the firewall is open! My problem is this - how can I get the firewall to alow DNS queries from the firewall machine to the internet without opening port 53? I have had this configuation working before in version 7.0, 8,1 and 8.2 - but I just can't get it to work this way in 9.0 for some reason.