Thank you very much Paul for your help this morning.

I have fixed my problem with dmz access (I think). The default gateway on the machine in the dmz was set incorrectly.

Now all I have to do is to sort out my DNS so that my registered domain will correctly be found on the web server in the dmz.

Does anyone know of any DNS mailing lists where help can be obtained? I set up a DNS for an ISP about 15 years ago but have forgotten most of the tricks.

Regards,

John

John Lodge
Software Engineer
Redwood Technologies Limited
T +[44] (0)1344 304 344
F +[44] (0)1344 304 345
M +[44] (0)794 122 1422
E jml@redwoodtech.com
W www.redwoodtech.com
> -----Original Message-----
> From: John Lodge [mailto:JML@redwoodtech.com]
> Sent: Monday, March 04, 2002 9:52 AM
> To: 'shorewall-users@shorewall.net'
> Subject: [Shorewall-users] Thanks.
>
> Thank you very much Paul for your help this morning.
>
> I have fixed my problem with dmz access (I think). The
> default gateway on the machine in the dmz was set incorrectly.
>
> Now all I have to do is to sort out my DNS so that my
> registered domain will correctly be found on the web server in
> the dmz.
>
> Does anyone know of any DNS mailing lists where help can be
> obtained? I set up a DNS for an ISP about 15 years ago
> but have forgotten most of the tricks.

Your post is a little confusing. I can't tell if you're running a registered DNS server on the system located in your DMZ -or- are you needing to set up the appropriate shorewall rules to forward web requests from external sources to your web server in your DMZ.

If you are running a registered DNS server, consider using Bind 9. It has a new feature called "views" which basically looks at the source address of a DNS query and returns either a public ip or private ip address for a given name (view).

i.e. from my named.conf:

    view "internal" {
        match-clients { 192.168.9.0/24; 192.168.8.0/24; 127.0.0/24; };

        zone "infohiiway.com" in {
            type master;
            notify yes;
            allow-update { none; };
            allow-transfer { 192.168.9.2; 192.168.9.3; };
            file "int/db.infohiiway";
        };
    etc...

    view "external" {
        match-clients { any; };

        zone "infohiiway.com" in {
            type master;
            notify yes;
            allow-update { none; };
            allow-transfer { xx.xx.xx.xx; xx.xx.xx.xx; };
            file "ext/db.infohiiway";
        };
    etc...

The beauty of this approach is you're actually loading two zones called infohiiway.com, but the zone file ext/db.infohiiway contains the external (public) ip addresses while the zone file int/db.infohiiway contains the internal ip addresses.
A query from my local LAN or DMZ LAN returns a 192.168.x address for www.infohiiway.com while a query from any other source returns the public ip address of my firewall for www.infohiiway.com.

This approach also has an added benefit of not tying up needless iptables resources by having to masq loc->dmz requests because local clients are no longer referencing the external ip address of your firewall -- from behind your firewall.

Just my 2 cents...

Steve Cowles
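Added example (not part of Steve's post, and not BIND code): a small Python model of how the two views quoted above are selected by source address, useful for checking which zone file a given client will be answered from. The function names and client addresses are constructed for illustration; it assumes views are tried in named.conf order with the first match winning, and that a prefix may omit trailing zero octets as in 127.0.0/24.

```python
import ipaddress

# Views in named.conf order, modelled on the config quoted in the post.
# View names, ACL entries and zone file names come from the post.
VIEWS = [
    ("internal", ["192.168.9.0/24", "192.168.8.0/24", "127.0.0/24"], "int/db.infohiiway"),
    ("external", ["any"], "ext/db.infohiiway"),
]

def parse_prefix(text):
    """Parse a BIND-style IPv4 prefix; trailing zero octets may be omitted."""
    addr, _, bits = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))      # 127.0.0 -> 127.0.0.0
    return ipaddress.ip_network(".".join(octets) + "/" + (bits or "32"))

def matches(client, acl):
    """True if the client address matches any entry of a match-clients list."""
    ip = ipaddress.ip_address(client)
    return any(entry == "any" or ip in parse_prefix(entry) for entry in acl)

def select_view(client, views=VIEWS):
    """Return (view name, zone file) of the first view that matches the client."""
    for name, acl, zone_file in views:
        if matches(client, acl):
            return name, zone_file
    return None  # no view matched

def shadowed_views(views=VIEWS):
    """Views that can never be selected because an earlier view matches 'any'."""
    shadowed, catch_all_seen = [], False
    for name, acl, _ in views:
        if catch_all_seen:
            shadowed.append(name)
        if "any" in acl:
            catch_all_seen = True
    return shadowed

if __name__ == "__main__":
    # Constructed sample clients: LAN, DMZ, loopback, an outside address.
    for client in ("192.168.9.25", "192.168.8.7", "127.0.0.1", "203.0.113.10"):
        print(client, "->", select_view(client))
    # Listing "external" first would hide "internal" from every client.
    print("shadowed if reversed:", shadowed_views(list(reversed(VIEWS))))
```

Note that 127.0.0/24 covers only 127.0.0.x, so a query sourced from another loopback address such as 127.0.1.1 would be answered from the external view.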
John,

If you have a spare system lying around I would use Engarde's Secure Linux for a DNS Server. It's real easy to set up and use. You can download it from http://www.linuxiso.org/engarde.html

Mike
Or, if you really want to cheat, use www.zoneedit.com. Their web interface is braindead easy, and the service is free for up to 5 distinct domains. I have been using it for about a year, and their service has always been lightning fast on updates and overall responsiveness of the user interface tools. Getting your primary nameservers moved to zoneedit will take as long as it takes for your former hosting outfit to respond to your request --- the zoneedit system itself is fast and automated.

Two thumbs up!

Dan
On Mon, 2002-03-04 at 17:44, dgilleece wrote:
> Or, if you really want to cheat, use www.zoneedit.com. Their web interface
> is braindead easy, and the service is free for up to 5 distinct domains. I
> have been using it for about a year, and their service has always been
> lightning fast on updates and overall responsiveness of the user interface
> tools. Getting your primary nameservers moved to zoneedit will take as long
> as it takes for your former hosting outfit to respond to your request ---
> the zoneedit system itself is fast and automated.
>
> Two thumbs up!

I concur, ZoneEdit is good. (I'm only using them to secondary my domain.)

I preemptively took control of my domain from my ISP as I was listed in the NSI registry as the administrative contact. The hard part is figuring out NSI's baroque mail-based authorization system. You fill out a web form, the contents are emailed to you, you add your password and mail it back. Once you get the hang of it, you can change your registry records in a couple of hours (the time it takes for their automated system to process the emails).