johnhk
2004-Feb-28 00:59 UTC
Local name resolution fail past fw. References matching thread - Not Subscribed
http://lists.shorewall.net/pipermail/shorewall-users/2002-October/002986.html

I am having this exact issue. Can ping and connect to any IP, but not a name. My config is a two-interface with default settings except for I allow connections to fw to net, and to fw from loc.

I have attached a ./shorewall status in plain text. There was no resolution posted in the mail lists.

I have also tried with the default policy, same issue.

My shorewall.conf has the CLAMPMSS=Yes

Running redhat 9 with its built in firewall disabled, and the iptables flushed after the disable. So I am using iptables v1.2.7a

I also have the 1.4.10c shorewall version installed, with the 1.4.8 two-interface config. All default info listed.

JohnK.

P.S. Essentially I can run anything through the firewall as long as I have the destination IP, but nothing will name resolve.
Tom Eastep
2004-Feb-28 01:11 UTC
Re: Local name resolution fail past fw. References matching thread - Not Subscribed
On Fri, 27 Feb 2004, johnhk wrote:

> http://lists.shorewall.net/pipermail/shorewall-users/2002-October/002986.html
>
> I am having this exact issue. Can ping and connect to any IP, but not a
> name. My config is a two-interface with default settings except for I
> allow connections to fw to net, and to fw from loc.
>
> I have attached a ./shorewall status in plain text. There was no
> resolution posted in the mail lists.
>
> I have also tried with the default policy, same issue.
>
> My shorewall.conf has the CLAMPMSS=Yes
>
> Running redhat 9 with its built in firewall disabled, and the iptables
> flushed after the disable. So I am using iptables v1.2.7a
>
> I also have the 1.4.10c shorewall version installed, with the 1.4.8
> two-interface config. All default info listed.
>
> JohnK.
>
> P.S. Essentially I can run anything through the firewall as long as I
> have the destination IP, but nothing will name resolve.
>

So from a system behind the firewall, you can ping that system's configured name server? (As shown by "cat /etc/resolv.conf" if it is a Unix/Linux system and by "ipconfig /all" if it is a Windoze system)

How about from the firewall itself? Can you ping www.shorewall.net by name? If not, does this ping work if you "shorewall clear" then try to ping?

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Joshua Banks
2004-Feb-28 01:50 UTC
Re: Local name resolution fail past fw. References matching thread - Not Subscribed
----- Original Message -----
From: "johnhk"

> Can ping and connect to any IP, but not a
> name. My config is a two-interface with default settings except for I
> allow connections to fw to net, and to fw from loc.

Hey John,

Are you using an internal DNS server or a DNS daemon running on the Firewall (RedHat) box? Are you sure that you have the correct DNS IPs listed in /etc/resolv.conf on the Shorewall (RedHat) box? If so, can you get name resolution to work from at least the Firewall (RedHat) box?

So,

1) Check to make sure your "/etc/resolv.conf" is actually getting DNS IPs and the correct ones.

2) On the RedHat box, from a terminal do as root:

netstat -an | grep :53

See if you have anything listening on port 53?

If you're going to run a firewall you should start learning how to use both Ethereal and Tcpdump. Both of which can come in very handy for stupid connectivity issues like this that will drive you batty.

HTH's,
Joshua Banks
Richard Atcheson
2004-Mar-01 00:06 UTC
Re: Local name resolution fail past fw. References matching thread - Not Subscribed
On Friday 27 February 2004 06:59 pm, johnhk wrote:

> http://lists.shorewall.net/pipermail/shorewall-users/2002-October/002986.html
>
> I am having this exact issue. Can ping and connect to any IP, but not a
> name. My config is a two-interface with default settings except for I
> allow connections to fw to net, and to fw from loc.
>
> I have attached a ./shorewall status in plain text. There was no
> resolution posted in the mail lists.
>
> I have also tried with the default policy, same issue.
>
> My shorewall.conf has the CLAMPMSS=Yes
>
> Running redhat 9 with its built in firewall disabled, and the iptables
> flushed after the disable. So I am using iptables v1.2.7a
>
> I also have the 1.4.10c shorewall version installed, with the 1.4.8
> two-interface config. All default info listed.
>
> JohnK.
>
> P.S. Essentially I can run anything through the firewall as long as I
> have the destination IP, but nothing will name resolve.

john, without a doubt you have a DNS problem. Nothing at all to do with Shorewall. If you were using SuSE I could tell you how to get this solved using Yast but I can't help you with Red Hat.

Why am I telling you this apparently useless answer? So you don't have to chase down any more rabbit trails.

Make sure your resolv.conf file has your provider's DNS entry. For instance, my /etc/resolv.conf has the following:

nameserver 207.69.188.185
nameserver 207.69.188.186
nameserver 207.69.188.187
search earthlink.net

BTW, you can use any DNS servers so the above should work for you too. Consult your Redhat folks for how to set up for DNS on your NICs. I did a quick Google and found this url for a howto on redhat dns. It's for 7.3 but I doubt if it would be difficult to find an updated version.

http://linux.web.cern.ch/linux/redhat73/documentation/redhatcd/RH-DOCS/rhl-cg-en-7.3/s1-network-config-dns.html

A couple of years back I spent a lot of time doing what you are and the solution was relatively simple. Getting someone to tell me where to look was the hard part.

Hope this helps a bit.

Richard
Joshua Banks
2004-Mar-01 01:28 UTC
Re: Local name resolution fail past fw. Referencesmatching thread - Not Subscribed
----- Original Message -----
From: "Richard Atcheson"

> john, without a doubt you have a DNS problem. Nothing at all to do with
> Shorewall.

John actually figured out what the problem was after a few emails back and forth. It appeared that he was using RedHat as the DHCP server for the clients on the local lan and had this configured incorrectly. The clients on the local lan appeared to be receiving eth1's ip address for a dns server. Reconfigured and everything works like a charm.

Sorry. I thought that I included the Shorewall list in my last email in regards to what the problem was and how it was solved.

JBanks
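The checklist Joshua posted (read the nameservers out of /etc/resolv.conf, then see whether anything on the box listens on port 53) and the eventual finding (clients were handed the firewall's eth1 address as their DNS server, while nothing answered on 53 there) fit together into one small script. The following is an added example, not code from the thread or from the Shorewall project; the resolv.conf body, the interface address list and the netstat output are constructed sample data, and the function names are my own. On a real box you would feed it `cat /etc/resolv.conf`, the addresses from `ifconfig` and `netstat -an | grep :53` instead of the embedded strings.

```shell
#!/bin/sh
# Added example (not from the thread): classify each nameserver in a
# resolv.conf as "remote", "local-ok" (one of this host's own addresses
# with a DNS listener on :53) or "local-dead" (one of this host's own
# addresses but nothing listening on :53). The last case is the DHCP
# misconfiguration described at the end of the thread.

# Constructed sample resolv.conf body (not from any system in the thread).
SAMPLE_RESOLV='nameserver 192.168.1.1
nameserver 207.69.188.185
search example.internal'

# Constructed list of the firewall box's own interface addresses.
LOCAL_ADDRS='192.168.1.1 10.0.0.2'

# Constructed "netstat -an" output: only sshd and a DHCP client socket,
# nothing on port 53.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*'

# Print the nameserver addresses found in a resolv.conf body, one per line.
resolv_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Return 0 if the given netstat output shows a socket bound to port 53.
# The trailing whitespace anchor keeps ":5353" (mDNS) from matching,
# which a bare "grep :53" would not.
dns_listener_present() {
    printf '%s\n' "$1" | grep -q ':53[[:space:]]'
}

# Emit "<address> <class>" for every nameserver in the resolv.conf body.
classify_nameservers() {
    resolv="$1"; locals="$2"; netstat_out="$3"
    resolv_nameservers "$resolv" | while read -r ns; do
        is_local=no
        for a in $locals; do
            [ "$a" = "$ns" ] && is_local=yes
        done
        if [ "$is_local" = no ]; then
            echo "$ns remote"
        elif dns_listener_present "$netstat_out"; then
            echo "$ns local-ok"
        else
            echo "$ns local-dead"
        fi
    done
}

# Stand-alone run over the constructed data.
classify_nameservers "$SAMPLE_RESOLV" "$LOCAL_ADDRS" "$SAMPLE_NETSTAT"
```

Any `local-dead` line is exactly the symptom in the thread: the client (or the firewall itself) points at an address that exists but runs no resolver, so connections by IP succeed while every lookup fails; the fix is in the DHCP server's DNS option or in resolv.conf, not in the Shorewall rules.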