Mailinglist Archive: opensuse (3863 mails)
Re: [SLE] SLP9 - DNS on FW with MASQ
- From: David Barnes MSc <kcuk.linux@xxxxxxxxxxxxxxxx>
- Date: Sun, 8 Feb 2004 19:41:34 +0000
- Message-id: <200402081941.34294.kcuk.linux@xxxxxxxxxxxxxxxx>
Made the changes below and also tried restarting rcnamed after the firewall,
as suggested by Togan and Anders.
Got the following result on the firewall:
kimberly:/etc # dig www.blueyonder.co.uk @127.0.0.1
; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @127.0.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached
kimberly:/etc # dig www.blueyonder.co.uk @192.168.0.1
; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @192.168.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached
Also tried querying the firewall from another Linux box:
beverly:/home/dbarnes # dig www.blueyonder.co.uk @192.168.0.1
; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @192.168.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached
and using an external dns server:
beverly:/home/dbarnes # dig www.blueyonder.co.uk
; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64485
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;www.blueyonder.co.uk. IN A
;; ANSWER SECTION:
www.blueyonder.co.uk. 4525 IN A 62.30.31.86
;; AUTHORITY SECTION:
blueyonder.co.uk. 22657 IN NS ns.blueyonder.co.uk.
blueyonder.co.uk. 22657 IN NS ns2.blueyonder.co.uk.
blueyonder.co.uk. 22657 IN NS ns3.cableinet.net.
;; ADDITIONAL SECTION:
ns.blueyonder.co.uk. 22657 IN A 195.188.53.114
ns2.blueyonder.co.uk. 22657 IN A 195.188.53.113
ns3.cableinet.net. 122 IN A 194.117.152.85
;; Query time: 2 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Feb 8 18:59:53 2004
;; MSG SIZE rcvd: 168
So, no change really - dns from the firewall still doesn't work, but dns from
_behind_ the firewall does. Totally bewildered by this!
-----------------------------------------------------------------------------------------------------------------
On Sunday 08 February 2004 17:47, Togan Muftuoglu wrote:
> * David Barnes MSc; <kcuk.linux@xxxxxxxxxxxxxxxx> on 08 Feb, 2004 wrote:
> >FW_SERVICES_INT_TCP="domain www 3128"
> >FW_SERVICES_INT_UDP="domain"
> >FW_SERVICES_INT_IP=""
> >FW_SERVICES_QUICK_TCP=""
> >FW_SERVICES_QUICK_UDP=""
> >FW_SERVICES_QUICK_IP=""
> >FW_TRUSTED_NETS=""
> >FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data DNS"
>
> DNS over TCP is used only for zone transfers, should they become necessary;
> normally you would not put DNS here.
>
> >FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
>
> I would add DNS here. "domain" means port 53 only; when you have DNS there,
> SuSEfirewall2 checks the entries in your /etc/resolv.conf and adds the
> nameservers as permitted sources.
>
>
>
> --
>
> Togan Muftuoglu |
> Unofficial SuSE FAQ Maintainer | Please reply to the list;
> http://susefaq.sf.net | Please don't put me in TO/CC.
>
> Nisi defectum, haud refiecendum
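The pattern in the transcripts above (timeouts against the firewall's own addresses, a clean answer via the LAN resolver) is easier to reason about when the probes are reduced to a table. The following is an added example, not code from this thread or from SuSE: a small Python parser for dig transcripts plus a function that localizes the failure from several vantage points. The sample transcripts are constructed from the mail's output; the `localize` heuristic is the author-of-this-example's own and is not part of dig.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample transcripts, modelled on the dig output quoted in the mail:
# a timeout against the firewall's loopback and a successful answer through the
# LAN resolver. Names and addresses are the mail's; they are sample input only.
SAMPLE_TIMEOUT = """\
; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk @127.0.0.1
;; global options: printcmd
;; connection timed out; no servers could be reached
"""

SAMPLE_ANSWER = """\
; <<>> DiG 9.2.2 <<>> www.blueyonder.co.uk
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64485
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;www.blueyonder.co.uk. IN A
;; ANSWER SECTION:
www.blueyonder.co.uk. 4525 IN A 62.30.31.86
;; AUTHORITY SECTION:
blueyonder.co.uk. 22657 IN NS ns.blueyonder.co.uk.
;; Query time: 2 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Feb 8 18:59:53 2004
;; MSG SIZE rcvd: 168
"""

BANNER_RE = re.compile(r"^; <<>> DiG \S+ <<>> (?P<args>.*)$", re.M)
STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
SERVER_RE = re.compile(r"^;; SERVER: (?P<server>[^(\s]+)", re.M)


@dataclass
class DigResult:
    query: Optional[str] = None    # name from the dig banner line
    target: Optional[str] = None   # resolver given with @; None = resolv.conf default
    status: Optional[str] = None   # NOERROR, NXDOMAIN, ...; None when nothing answered
    server: Optional[str] = None   # "ip#port" from the ";; SERVER:" line
    answers: List[str] = field(default_factory=list)  # rdata of ANSWER SECTION records
    timed_out: bool = False


def parse_dig(text: str) -> DigResult:
    """Parse one dig transcript into a DigResult."""
    res = DigResult()
    m = BANNER_RE.search(text)
    if m:
        # The banner repeats dig's arguments: the name, an optional @resolver, +options.
        for tok in m.group("args").split():
            if tok.startswith("@"):
                res.target = tok[1:]
            elif not tok.startswith("+") and res.query is None:
                res.query = tok
    if "connection timed out" in text:
        res.timed_out = True
        return res
    m = STATUS_RE.search(text)
    if m:
        res.status = m.group("status")
    m = SERVER_RE.search(text)
    if m:
        res.server = m.group("server")
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            # The section ends at a blank line or at the next ";;" header.
            if not line.strip() or line.startswith(";"):
                in_answer = False
                continue
            fields = line.split()          # name ttl class type rdata...
            if len(fields) >= 5:
                res.answers.append(" ".join(fields[4:]))
    return res


def localize(results: List[DigResult]) -> str:
    """Reduce probes from several vantage points to a one-line diagnosis.

    The case from the mail is the interesting one: the same name resolves via
    one resolver but times out against others, which points at the listener or
    the packet filter on those addresses rather than at the name or upstream DNS.
    """
    timed_out = [r for r in results if r.timed_out]
    answered = [r for r in results if not r.timed_out and r.status == "NOERROR"]
    if not timed_out:
        return "all probes answered"
    if not answered:
        return "no probe answered: suspect general connectivity or the queried name"
    dead = sorted({r.target or "(default resolver)" for r in timed_out})
    return ("name resolves elsewhere; no reply from %s: check that named is "
            "listening on those addresses and that port 53 is accepted from the "
            "querying hosts" % ", ".join(dead))


if __name__ == "__main__":
    probes = [parse_dig(SAMPLE_TIMEOUT), parse_dig(SAMPLE_ANSWER)]
    for p in probes:
        print(p)
    print(localize(probes))
```

Feed it the transcripts from each host (firewall against 127.0.0.1 and 192.168.0.1, the LAN box against 192.168.0.1 and its default resolver) and the summary line states which resolver addresses never replied, which is the question to take to `named`'s listen configuration and the firewall's port 53 rules.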