Mailinglist Archive: opensuse (3863 mails)

Re: [SLE] SLP9 - DNS on FW with MASQ
  • From: David Barnes <kcuk.linux@xxxxxxxxxxxxxxxx>
  • Date: Tue, 10 Feb 2004 16:59:10 +0000
  • Message-id: <200402101659.10424.kcuk.linux@xxxxxxxxxxxxxxxx>
I now have a definitive situation. When trying to resolve host names:

1.) From a server running BIND9 behind the firewall server - both local and
internet queries work correctly

2.) From the firewall server running BIND9 - the local query works correctly
but the internet query fails as follows.

2.1.) Running firewall in TEST mode I get

dig @localhost local.host.name - success with status NOERROR

dig @localhost internet.host.name - success with status NOERROR

2.2.) Running firewall in normal mode I get

dig @localhost local.host.name - success with status NOERROR

dig @localhost internet.host.name - failure with status REFUSED

and the following DROP lines in /var/log/messages

Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT=
MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85
DST=82.33.145.89 LEN=207 TOS=0x10 PREC=0x00 TTL=250 ID=46136 DF PROTO=UDP
SPT=53 DPT=53 LEN=187

Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT=
MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85
DST=82.33.145.89 LEN=475 TOS=0x10 PREC=0x00 TTL=250 ID=46137 DF PROTO=UDP
SPT=53 DPT=53 LEN=455

3.) Running the firewall in normal mode and setting
FW_SERVICES_EXT_TCP="domain"

dig @localhost local.host.name - success with status NOERROR

dig @localhost internet.host.name - success with status NOERROR

BUT port 53 on the firewall is open!

My problem is this - how can I get the firewall to allow DNS queries from the
firewall machine to the internet without opening port 53?

I have had this configuration working before in version 7.0, 8.1 and 8.2 - but
I just can't get it to work this way in 9.0 for some reason.
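As an added illustration (not part of the original post), the following script parses SuSE-FW-DROP kernel log lines of the kind quoted above and summarises what is being dropped, so that a pattern like "UDP, port 53 to port 53, addressed to the firewall's own external address" stands out from other drops. It assumes 82.33.145.89 (the DST in the quoted lines) is the firewall's own external address; the two sample DROP lines are the post's, re-joined into single syslog lines, and the third TCP line is constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample input: the two SuSE-FW-DROP lines from the post, re-joined into
# single syslog lines (the archive wrapped them), plus one constructed TCP drop.
SAMPLE_LOG = """\
Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=207 TOS=0x10 PREC=0x00 TTL=250 ID=46136 DF PROTO=UDP SPT=53 DPT=53 LEN=187
Feb 10 16:31:55 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=194.117.152.85 DST=82.33.145.89 LEN=475 TOS=0x10 PREC=0x00 TTL=250 ID=46137 DF PROTO=UDP SPT=53 DPT=53 LEN=455
Feb 10 16:32:01 kimberly kernel: SuSE-FW-DROP IN=eth1 OUT= MAC=00:10:b5:10:31:9d:00:0a:42:6d:5c:70:08:00 SRC=203.0.113.7 DST=82.33.145.89 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')

def parse_drop(line):
    """Parse one SuSE-FW-DROP kernel line into a dict of KEY=VALUE fields.
    netfilter prints LEN twice (IP total length, then UDP length); the
    second occurrence is stored as L4LEN so neither value is lost."""
    marker = 'SuSE-FW-DROP'
    if marker not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split(marker, 1)[1]):
        fields['L4LEN' if key == 'LEN' and 'LEN' in fields else key] = value
    return fields

def classify(f, own_addrs):
    """Label a dropped packet. 'dns-53-to-53' is the pattern in the post: UDP,
    both ports 53, addressed to the firewall itself. From the log alone this is
    either a reply to a query this host sent from source port 53 or an inbound
    query, so treat it as a hint to check named's query-source, not a verdict."""
    if f.get('PROTO') == 'UDP' and f.get('DST') in own_addrs:
        if f.get('SPT') == '53' and f.get('DPT') == '53':
            return 'dns-53-to-53'
        if f.get('DPT') == '53':
            return 'dns-query-inbound'
        if f.get('SPT') == '53':
            return 'dns-reply-unsolicited'
    return 'other'

def summarise(log_text, own_addrs):
    """Count dropped packets per (category, interface, source, proto, sport, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is None:
            continue
        counts[(classify(f, own_addrs), f.get('IN'), f.get('SRC'),
                f.get('PROTO'), f.get('SPT'), f.get('DPT'))] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarise(SAMPLE_LOG, {'82.33.145.89'}).most_common():
        print(n, *key)
```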

