Hello

I have set up shorewall 1.41 + eciadsl + debian woody 3.0r1. I have installed the 2-nic "template" and configured it. Everything seems to be OK, except the address resolving; that means I can make a connection over an IP address but not with domain names. FTP is working too (over IPs).

Does someone have an idea what could be wrong?

Thanks for any help.

Michael
MICHAEL FREIERMUTH wrote:
> Hello
>
> I have set up shorewall 1.41 + eciadsl + debian woody 3.0r1
> I have installed the 2-nic "template" and configured it.
> Everything seems to be OK, except the address resolving
> that means I can make a connection over an IP address but not
> with domain names. FTP is working too (over IPs).
>
> Does someone have an idea what could be wrong?

Yes.

-Tom

PS -- I'm giving you as much information in return as you have given us in your report. Please see http://shorewall.net/support.htm.

a) Do you see this behavior from the firewall, from systems behind the firewall or both?

b) From the firewall can you ping the name servers configured for the firewall in /etc/resolv.conf?

c) From systems behind the firewall, can you ping the name server(s) configured for that/those system(s)?

d) If you are running a name server on the firewall system, have you enabled DNS from the 'loc' zone to the 'fw' zone as described in the two-interface QuickStart Guide?

e) Have you made any other changes to the two-interface sample other than those recommended in the two-interface QuickStart guide?

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> MICHAEL FREIERMUTH wrote:
>
>> Hello
>>
>> I have set up shorewall 1.41 + eciadsl + debian woody 3.0r1

And there is no such thing as Shorewall 1.41; to see which version of Shorewall you are really running, use the "shorewall version" command.

-Tom
MICHAEL FREIERMUTH
2004-Apr-04 13:08 UTC
Re: shorewall 1.41 + eciadsl + debian woody SOLVED
Hi Tom

Thank you for your reply. By the way, there is also a DHCP server which gives the client IP to the client. Here is its configuration:

#/etc/dhcpd.conf
default-lease-time 3600;
max-lease-time 86400;
subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name "router";
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    range 192.168.1.100 192.168.1.200;
}

Here are more details about the rest:

router:~# shorewall version
1.4.10c

After I start up the ADSL the following info appears:

running pppd 2.4.1
local IP address 81.63.55.109
remote IP address 81.63.48.1
primary DNS address 195.186.1.108
secondary DNS address 195.186.4.109
PPP connection is OK
Default route over ppp0 is OK
Everything is OK

a) The behavior of not being able to use domain names is from the laptop machine behind the firewall in the local net.

ifconfig on the Windows XP Pro. notebook machine (wbox):

Ethernet adapter LAN-Verbindung_Home:
    Connection-specific DNS suffix . : router
    IP address . . . . . . . . . . . : 192.168.1.100
    Subnet mask . . . . . . . . . . : 255.255.255.0
    Default gateway . . . . . . . . : 192.168.1.1

ON THE FIREWALL MACHINE

- I can ping computers in the internet with domain names without problems.

router:~# ping google.com
PING google.com (216.239.39.99): 56 data bytes
64 bytes from 216.239.39.99: icmp_seq=0 ttl=243 time=117.5 ms
64 bytes from 216.239.39.99: icmp_seq=1 ttl=243 time=118.3 ms

- I cannot ping the notebook machine with domain names

router:~# ping wbox
PING wbox (192.168.1.106): 56 data bytes
--- wbox ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

- I can ping the notebook machine with the IP address

router:~# ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100): 56 data bytes
64 bytes from 192.168.1.100: icmp_seq=0 ttl=128 time=1.5 ms

ON THE NOTEBOOK MACHINE

I cannot ping the router (FW machine) with domain names and I cannot ping domain names in the internet. But with IP addresses it works:

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255

C:\>ping 216.239.39.99
Pinging 216.239.39.99 with 32 bytes of data:
Reply from 216.239.39.99: bytes=32 time=123ms TTL=241
Reply from 216.239.39.99: bytes=32 time=127ms TTL=241

b) From the firewall can you ping the name servers configured for the firewall in /etc/resolv.conf?

YES

router:~# more /etc/resolv.conf
nameserver 195.186.4.108
nameserver 195.186.1.109

router:~# ping 195.186.4.108
PING 195.186.4.108 (195.186.4.108): 56 data bytes
64 bytes from 195.186.4.108: icmp_seq=0 ttl=253 time=27.7 ms
64 bytes from 195.186.4.108: icmp_seq=1 ttl=253 time=30.2 ms

router:~# ping 195.186.4.109
PING 195.186.4.109 (195.186.4.109): 56 data bytes
64 bytes from 195.186.4.109: icmp_seq=0 ttl=253 time=27.1 ms

c) From systems behind the firewall, can you ping the name server(s) configured for that/those system(s)?

I have no name server as far as I know...

d) If you are running a name server on the firewall system, have you enabled DNS from the 'loc' zone to the 'fw' zone as described in the two-interface QuickStart Guide?

AHA - now it's working - if I enter the nameserver from the resolv.conf into the network config of my Windows box. It seems that I need a caching name server on the firewall, to make a "configuration-less" client connection.

> e) Have you made any other changes to the two-interface sample other
> than those recommended in the two-interface QuickStart guide?

I took the default rule file and copied it again over the existing config.

Thanks a lot for your help.

Greetings
Michael
MICHAEL FREIERMUTH wrote:
> Hi Tom
> Thank you for your reply. By the way, there is also a DHCP server which
> gives the client IP to the client.
> Here is its configuration:
>
> #/etc/dhcpd.conf
> default-lease-time 3600;
> max-lease-time 86400;
> subnet 192.168.1.0 netmask 255.255.255.0 {
>     option domain-name "router";
>     option routers 192.168.1.1;
>     option subnet-mask 255.255.255.0;
>     range 192.168.1.100 192.168.1.200;
> }
>
> Here are more details about the rest:
>
> router:~# shorewall version
> 1.4.10c
>
> After I start up the ADSL the following info appears:
>
> running pppd 2.4.1
> local IP address 81.63.55.109
> remote IP address 81.63.48.1
> primary DNS address 195.186.1.108
> secondary DNS address 195.186.4.109
> PPP connection is OK
> Default route over ppp0 is OK
> Everything is OK
>

In your dhcpd.conf file, you need to add:

option domain-name-servers 195.186.1.108 195.186.4.109;

-Tom
Tom Eastep wrote:
>
> In your dhcpd.conf file, you need to add:
>
> option domain-name-servers 195.186.1.108 195.186.4.109;
>

Or as you suggest, you could run a caching name server on the Shorewall box.

-Tom
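Both of Tom's suggestions above (hand the ISP's name servers to clients from dhcpd.conf, or run a caching resolver on the firewall) close the same gap: the posted DHCP scope sets domain-name, routers and subnet-mask but no domain-name-servers, so the client receives a default gateway and nothing to send DNS queries to, which is exactly the "IP works, names don't" symptom. The script below is an added example, not code from the thread or from Shorewall. It audits an ISC dhcpd.conf for subnet declarations that hand out no DNS servers and derives the missing option line from a resolv.conf; the two inputs are constructed samples modelled on the ones Michael posted, read on stdin so the functions can be pointed at real files. Note that the dhcpd.conf option syntax separates multiple addresses with commas.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an ISC dhcpd.conf hands
# DNS servers to clients, and build the missing option line from the name
# servers the firewall itself uses. Both inputs are constructed samples.

SAMPLE_DHCPD='default-lease-time 3600;
max-lease-time 86400;
subnet 192.168.1.0 netmask 255.255.255.0 {
    option domain-name "router";
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    range 192.168.1.100 192.168.1.200;
}'

SAMPLE_RESOLV='nameserver 195.186.1.108
nameserver 195.186.4.109'

# Read a dhcpd.conf on stdin and print the network address of every subnet
# declaration that gets no "option domain-name-servers", either inside its
# own block (including nested host/pool blocks) or from a global top-level
# declaration. Options declared at shared-network level are not recognised.
subnets_missing_dns() {
    awk '
        /^[ \t]*option[ \t]+domain-name-servers/ {
            if (depth == 0) global = 1
            else if (subnet != "") has = 1
        }
        /^[ \t]*subnet[ \t]/ { subnet = $2; has = 0; open_at = depth }
        index($0, "{") { depth++ }
        index($0, "}") {
            depth--
            if (subnet != "" && depth == open_at) {
                if (!has) missing[n++] = subnet
                subnet = ""
            }
        }
        END { if (!global) for (i = 0; i < n; i++) print missing[i] }
    '
}

# Read a resolv.conf on stdin and print the dhcpd option line that hands the
# same name servers to clients. dhcpd.conf list values are comma-separated.
dns_option_from_resolv() {
    awk '
        $1 == "nameserver" { list = list (list ? ", " : "") $2 }
        END { if (list) print "option domain-name-servers " list ";" }
    '
}

# Read a dhcpd.conf on stdin and print it with the given option line inserted
# as the first statement of every subnet block.
insert_dns_option() {
    awk -v line="$1" '
        { print }
        /^[ \t]*subnet[ \t]/ && index($0, "{") { print "    " line }
    '
}

# Stand-alone run: report subnets without DNS servers and show the fix.
printf '%s\n' "$SAMPLE_DHCPD" | subnets_missing_dns | while read -r net; do
    echo "subnet $net hands out no DNS servers; add to its block:"
    printf '%s\n' "$SAMPLE_RESOLV" | dns_option_from_resolv
done
```

On a real box, replace the samples with `subnets_missing_dns < /etc/dhcpd.conf` and `dns_option_from_resolv < /etc/resolv.conf`; with pppd's usepeerdns the ISP-supplied servers land in /etc/ppp/resolv.conf instead. If you take the caching-resolver route, the option line should point at the firewall's own LAN address (192.168.1.1 here) and the Shorewall rules must then allow DNS from loc to fw, as item d) in Tom's list says.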