Hi all and thanks for all the good information that is passed down this list.

My network is as follows:

eth0 DSL modem 66.51.201.165
eth1 local network 192.168.1.254
eth2 DMZ 192.168.2.254

My computer connected within the DMZ has an address of 66.51.201.39. Shorewall performs proxy arp to pass packets to this machine via eth2 (192.168.2.254).

I would like my machine inside the DMZ to be able to use the caching DNS server located on the bering/shorewall firewall, but I'm unsure about how to set up a rule in /etc/shorewall/rules since I'm using the arp proxy.

Something like,

ACCEPT dmz fw udp 53

Is this correct? I tried this but I couldn't connect with the caching DNS server located on the firewall.

-- Joe
On 19 May 2002, Joe Copeland wrote:

> Something like,
>
> ACCEPT dmz fw udp 53
>
> Is this correct? I tried this but I couldn't connect with the caching
> DNS server located on the firewall.

That's the correct rule. How did you try to test?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
My Bad. This rule works fine. I probably didn't restart properly.

Thank you,

-- Joe

On Sun, 2002-05-19 at 14:20, Tom Eastep wrote:
> That's the correct rule. How did you try to test?
>
> -Tom
Hi all,

I had thought the following rule would allow my machine inside my DMZ to use the caching DNS server located on the firewall, but I was wrong:

ACCEPT dmz fw udp 53

With the above rule located in my /etc/shorewall/rules file, the machine located in the DMZ (66.51.201.39) cannot use the caching DNS server on the firewall/router. I think it may have something to do with the fact that I am using proxy arp.

I verified that this rule does not work by simply trying to resolve a domain name from my DMZ'd machine. My firewall log file at /var/log/messages also reports that my machine inside my DMZ has tried to access the caching DNS server on the firewall numerous times but was rejected. The following is a sample of the log:

May 19 22:23:23 bering kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth2 SRC=66.51.201.39 DST=192.168.2.254 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=1036 DPT=53 LEN=39

The dmz2fw chain from my iptables listing shows the following rule is included in the chain:

0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53

For some reason the DNS request originating from my DMZ machine is not being matched by this rule and the DNS request gets sent off to the all2all chain where it is ultimately logged and rejected.

Can you see where my error is? I've reached the limits of my packet filtering knowledge.

-- Joe

On Sun, 2002-05-19 at 14:14, Joe Copeland wrote:
> My computer connected within the DMZ has an address of 66.51.201.39. Shorewall performs proxy arp to pass packets to this machine via eth2 (192.168.2.254).
>
> I would like my machine inside the DMZ to be able to use the caching DNS server located on the bering/shorewall firewall, but I'm unsure about how to set up a rule in /etc/shorewall/rules since I'm using the arp proxy.
Hi Again,

Well I found my problem, but now I have another question. First my problem was that the IP address of eth2 was set to 192.168.2.1 not 192.168.2.254. OK that's solved. I no longer have any errors in my logs. But....

I still do not have any DNS service from inside of my DMZ when trying to utilize the caching DNS server on the firewall. I have a feeling that the DNS server is not listening on eth2, the dmz interface. Is the caching DNS server only listening on eth1, the local interface?

Bering leaf does not have the netstat utility so I don't know what ports and interfaces the DNS server is listening to.

Any ideas?

-- Joe

On Sun, 2002-05-19 at 22:44, Joe Copeland wrote:
> With the above rule located in my /etc/shorewall/rules file, the machine
> located in the DMZ (66.51.201.39) cannot use the caching DNS server on
> the firewall/router. I think it may have something to do with the fact
> that I am using proxy arp.
Wild guess here, but is the DNS process listening on UDP or TCP? And on port 53 or another more modern port (which escapes me at the moment, but should be in the man pages.)

To verify, you might open an all traffic path to the DNS machine to make sure everything else works. If DNS succeeds then, you can probably assume that it is listening on a different port or on TCP rather than UDP.

Again, just a wild guess for something to try while someone with more specific knowledge formulates their response.

JS

On Mon, 2002-05-20 at 00:15, Joe Copeland wrote:
> I still do not have any DNS service from inside of my DMZ when trying to
> utilize the caching DNS server on the firewall. I have a feeling that
> the DNS server is not listening on eth2, the dmz interface. Is the
> caching DNS server only listening on eth1, the local interface?
>
> Bering leaf does not have the netstat utility so I don't know what ports
> and interfaces the DNS server is listening to.
Ignore my response. Lack of sleep is making me see things. Sorry. I had mail sorted wrong, and realize this isn't the issue at all.

JS

On Mon, 2002-05-20 at 00:31, John Stroud wrote:
> Wild guess here, but is the DNS process listening on UDP or TCP? And on
> port 53 or another more modern port (which escapes me at the moment, but
> should be in the man pages.)
No problem, I believe that the DNS server is listening on udp port 53. It is working fine on my machine inside the loc zone. I used nslookup and made sure I was on server 192.168.1.254 and it was responding well. But since I don't have netstat I can't tell. Also, I don't have any docs for this DNS server so I don't know how to configure it.

-- Joe

On Mon, 2002-05-20 at 00:47, John Stroud wrote:
> Ignore my response. Lack of sleep is making me see things. Sorry. I
> had mail sorted wrong, and realize this isn't the issue at all.
On Mon May 05/20/02, 2002 at 12:15:48AM -0700, Joe Copeland wrote:

> Hi Again,
>
> Well I found my problem, but now I have another question. First my
> problem was that the IP address of eth2 was set to 192.168.2.1 not
> 192.168.2.254. OK that's solved. I no longer have any errors in my
> logs. But....
>
> I still do not have any DNS service from inside of my DMZ when trying to
> utilize the caching DNS server on the firewall. I have a feeling that
> the DNS server is not listening on eth2, the dmz interface. Is the
> caching DNS server only listening on eth1, the local interface?

Dnscache (http://cr.yp.to/djbdns/dnscache.html) listens on one address, and one address only. If you need more than one address, you need more than one dnscache, unless you get patches -- see http://www.djbdns.com/ as a start for this route. Alternatively, you could chain a cache in the DMZ from the cache in the LAN, which sounds like it would solve your problem. See the docs for "FORWARDONLY".

> Bering leaf does not have the netstat utility so I don't know what ports
> and interfaces the DNS server is listening to.

Dnscache listens on TCP 53 as well as UDP 53 -- telnet $IP 53 will do the trick. If you get a 'connection refused', there's no dnscache listening there, precluding firewall ruleset errors, of course. ;)

-- Greg White
On 19 May 2002, Joe Copeland wrote:

> I verified that this rule does not work by simply trying to resolve a
> domain name from my DMZ'd machine. My firewall log file at
> /var/log/messages also reports that my machine inside my DMZ has tried
> to access the caching DNS server on the firewall numerous times but was
> rejected. The following is a sample of the log:
>
> May 19 22:23:23 bering kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth2
> SRC=66.51.201.39 DST=192.168.2.254 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=0
> DF PROTO=UDP SPT=1036 DPT=53 LEN=39

Joe -- Look at this message -- the request is coming in on eth2 and going out on eth2. Consequently this is a dmz->dmz message and has NOTHING to do with the rule in question. Something else is going on here.

> Can you see where my error is? I've reached the limits of my packet
> filtering knowledge.

For some reason, the request is being redirected to 192.168.2.254 so there's another rule in play here. Without seeing your ruleset, I've no idea.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
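Tom's reading of the log line (IN=eth2 OUT=eth2 means a forwarded dmz->dmz packet, so no dmz2fw rule can ever match it) can be checked mechanically. The parser below is an added example, not code from this thread or from Shorewall; the interface-to-zone map and the firewall addresses are the ones Joe describes, SAMPLE_LOG is the line he posted, and LOCAL_LOG is a constructed line showing what the same query looks like when it really is delivered to the firewall.

```python
"""Classify Shorewall kernel log lines by the zone pair they really hit.

Added example (not from the thread or from Shorewall itself). The
interface-to-zone map and the firewall's own addresses are the ones Joe
described; SAMPLE_LOG is the line he posted, LOCAL_LOG is constructed.
"""
import re
from dataclasses import dataclass, field

# eth0 is the DSL side, eth1 the local network, eth2 the DMZ (from the thread).
IFACE_ZONES = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# Addresses the firewall is supposed to hold itself. A packet whose DST is
# one of these should be delivered locally, which the kernel logs with an
# empty OUT= field; a non-empty OUT= means the packet was forwarded instead.
FW_ADDRS = {"66.51.201.165", "192.168.1.254", "192.168.2.254"}

# Joe's log line from the thread.
SAMPLE_LOG = (
    "May 19 22:23:23 bering kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth2 "
    "SRC=66.51.201.39 DST=192.168.2.254 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=UDP SPT=1036 DPT=53 LEN=39"
)

# Constructed line: the same query, but delivered to the firewall itself
# (OUT= is empty), which is what a dmz2fw hit would look like.
LOCAL_LOG = (
    "May 20 00:10:01 bering kernel: Shorewall:dmz2fw:ACCEPT:IN=eth2 OUT= "
    "SRC=66.51.201.39 DST=192.168.2.254 LEN=59 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=UDP SPT=1036 DPT=53 LEN=39"
)

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: dict = field(default_factory=dict)

    def __getitem__(self, key):
        return self.fields.get(key, "")


def parse_shorewall_log(line: str) -> LogEntry:
    """Split 'Shorewall:<chain>:<disposition>:KEY=VAL ...' into its parts."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN= appears twice (IP header, then UDP); keep the first one.
            fields.setdefault(key, val)
        else:
            fields[tok] = "1"  # bare flags such as DF
    return LogEntry(m.group("chain"), m.group("disp"), fields)


def zone_pair(entry: LogEntry) -> str:
    """Name the Shorewall zone pair this packet traversed, e.g. 'dmz2fw'."""
    src = IFACE_ZONES.get(entry["IN"], "?")
    # Empty OUT= means the packet was for the firewall itself (INPUT path).
    dst = "fw" if entry["OUT"] == "" else IFACE_ZONES.get(entry["OUT"], "?")
    return "%s2%s" % (src, dst)


def diagnose(line: str) -> dict:
    """Explain why a rejected packet did not hit the rule the admin expected."""
    entry = parse_shorewall_log(line)
    pair = zone_pair(entry)
    notes = []
    if entry["OUT"]:
        notes.append("OUT=%s is set, so this packet was forwarded, not delivered "
                     "to the firewall; rules in dmz2fw cannot match it" % entry["OUT"])
        if entry["DST"] in FW_ADDRS:
            # The interface must be missing the address the admin thinks it has.
            notes.append("DST %s should be a local address; check that %s really "
                         "carries it" % (entry["DST"], entry["OUT"]))
    return {"chain": entry.chain, "disposition": entry.disposition,
            "zone_pair": pair, "notes": notes}


if __name__ == "__main__":
    for line in (SAMPLE_LOG, LOCAL_LOG):
        result = diagnose(line)
        print(result["chain"], result["disposition"], result["zone_pair"])
        for note in result["notes"]:
            print("  -", note)
```

Run against Joe's line it reports dmz2dmz and flags that 192.168.2.254 was forwarded rather than delivered locally, which is the interface-address mistake Joe later found.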
On 20 May 2002, Joe Copeland wrote:

> Hi Again,
>
> Well I found my problem, but now I have another question. First my
> problem was that the IP address of eth2 was set to 192.168.2.1 not
> 192.168.2.254. OK that's solved. I no longer have any errors in my
> logs. But....
>
> I still do not have any DNS service from inside of my DMZ when trying to
> utilize the caching DNS server on the firewall. I have a feeling that
> the DNS server is not listening on eth2, the dmz interface. Is the
> caching DNS server only listening on eth1, the local interface?
>
> Bering leaf does not have the netstat utility so I don't know what ports
> and interfaces the DNS server is listening to.
>
> Any ideas?

Yes -- post on the Leaf mailing list where there may be someone who knows something about the caching DNS server included in Bering.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> Dnscache (http://cr.yp.to/djbdns/dnscache.html) listens on one address,
> and one address only.

Since Dnscache listens only on one address, the loc network, in this case 192.168.1.254, is it possible to write a rule that will allow machines inside the DMZ to utilize the Dnscache?

If a rule were written to somehow redirect requests coming into 192.168.2.254 and send it over to 192.168.1.254 then the DMZ network should have access to the dnscache, right?

66.51.201.39:54 ------> 192.168.2.254:54 ------> 192.168.1.254:54
DMZ'd computer  ------> eth2 on firewall ------> eth1 on firewall
Dns request-----------> redirect request to ---> dnscache on eth1

Or maybe it would just be better for computers inside the DMZ to just use an external DNS server?

Any thoughts?

-- Joe
On 20 May 2002, Joe Copeland wrote:

> > Dnscache (http://cr.yp.to/djbdns/dnscache.html) listens on one address,
> > and one address only.
> >
>
> Since Dnscache listens only on one address, the loc network, in this
> case 192.168.1.254, is it possible to write a rule that will allow
> machines inside the DMZ to utilize the Dnscache.
>
> If a rule were written to somehow redirect requests coming into
> 192.168.2.254 and send it over to 192.168.1.254 then the DMZ network
> should have access to the dnscache, right?
>
> 66.51.201.39:54 ------> 192.168.2.254:54 ------> 192.168.1.254:54
> DMZ'd computer  ------> eth2 on firewall ------> eth1 on firewall
>
> Dns request-----------> redirect request to ---> dnscache on eth1
>

Why don't you simply configure the resolvers in the DMZ to use
192.168.1.254? Or am I missing something?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> Why don't you simply configure the resolvers in the DMZ to use
> 192.168.1.254? Or am I missing something?
>
> -Tom

I'm probably the one missing something. I tried setting /etc/resolv.conf
to 192.168.1.254 on my DMZ'd machine but it doesn't work.

I think it doesn't work because the firewall won't route the request to
that address since it's (1) on another network and (2) a non routable ip
address.

My DMZ is connected to eth2, 192.168.2.254 and my dnscache listens on
eth 1, 192.168.1.254.

A little ASCII art may help explain my network:

Inet--Firewall -- eth1 -- loc 192.168.1.254 -- 192.168.1.1
              \
               \ eth2 -- dmz 192.168.2.254 -- 66.51.201.39

I'm thinking that setting resolv.conf on 66.51.201.39 to

nameserver 192.168.1.254

doesn't do that machine any good since it has no route to 192.168.1.254.

Dnscache works fine from the machine 192.168.1.1 since it has a direct
route to 192.168.1.254.

-- Joe

On Mon, 2002-05-20 at 09:42, Tom Eastep wrote:
> On 20 May 2002, Joe Copeland wrote:
>
> > > Dnscache (http://cr.yp.to/djbdns/dnscache.html) listens on one address,
> > > and one address only.
> > >
> >
> > Since Dnscache listens only on one address, the loc network, in this
> > case 192.168.1.254, is it possible to write a rule that will allow
> > machines inside the DMZ to utilize the Dnscache.
> >
> > If a rule were written to somehow redirect requests coming into
> > 192.168.2.254 and send it over to 192.168.1.254 then the DMZ network
> > should have access to the dnscache, right?
> >
> > 66.51.201.39:54 ------> 192.168.2.254:54 ------> 192.168.1.254:54
> > DMZ'd computer  ------> eth2 on firewall ------> eth1 on firewall
> >
> > Dns request-----------> redirect request to ---> dnscache on eth1
> >
>
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
On 20 May 2002, Joe Copeland wrote:

> > Why don't you simply configure the resolvers in the DMZ to use
> > 192.168.1.254? Or am I missing something?
> >
> > -Tom
>
> I'm probably the one missing something. I tried setting
> /etc/resolv.conf to 192.168.1.254 on my DMZ'd machine but it doesn't
> work.
>
> I think it doesn't work because the firewall won't route the request to
> that address since it's (1) on another network and (2) a non routable ip
> address.

It works fine.

>
> My DMZ is connected to eth2, 192.168.2.254 and my dnscache listens on
> eth 1, 192.168.1.254.
>

It is NOT LISTENING ON eth1 -- it is listening on one of the IP addresses
owned by the system. If 66.51.201.39 would send a who-has 192.168.1.254
ARP request on its LAN segment, your firewall would even answer with the
MAC of eth2!!!

> A little ASCII art may help explain my network:
>
> Inet--Firewall -- eth1 -- loc 192.168.1.254 -- 192.168.1.1
>               \
>                \ eth2 -- dmz 192.168.2.254 -- 66.51.201.39
>
>
> I'm thinking that setting resolv.conf on 66.51.201.39 to
>
> nameserver 192.168.1.254
>
> doesn't do that machine any good since it has no route to 192.168.1.254.
>

It has a default route that goes through the firewall, right? If so, it
has a route to 192.168.1.254.

> Dnscache works fine from the machine 192.168.1.1 since it has a direct
> route to 192.168.1.254.
>

There's something else going on here. Have you looked at this with
tcpdump?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 20 May 2002, Tom Eastep wrote:

>
> It is NOT LISTENING ON eth1 -- it is listening on one of the IP addresses
> owned by the system. If 66.51.201.39 would send a who-has 192.168.1.254
> ARP request on its LAN segment, your firewall would even answer with the
> MAC of eth2!!!
>

Actually, I probably shouldn't be so hasty in proclaiming what the program
is doing since I haven't looked at its source code. My point was simply
that IP addresses in Linux are owned by the system, not by individual
interfaces.

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon May 05/20/02, 2002 at 10:28:38AM -0700, Joe Copeland wrote:

> > Why don't you simply configure the resolvers in the DMZ to use
> > 192.168.1.254? Or am I missing something?
> >
> > -Tom
>
> I'm probably the one missing something. I tried setting
> /etc/resolv.conf to 192.168.1.254 on my DMZ'd machine but it doesn't
> work.

And this would be the part that you need to debug -- perhaps your ruleset
does not permit this traffic? Tcpdumping this configuration is a good bet
if you're not seeing Shorewall logs for this.

> I think it doesn't work because the firewall won't route the request to
> that address since it's (1) on another network and (2) a non routable ip
> address.

I really wish there were a better term to cover the RFC1918 address space
than "non-routable" -- it makes people think like this, that they're
somehow magical, and all hosts that perform routing will automagically
drop them. This is _not_ the case, a host with RFC1918 addresses will
quite happily route between them. Hosts with no interfaces on RFC1918
addresses should be configured to drop them, and hosts with RFC1918
addresses on one side and real IPs on the other should be configured not
to pass packets with RFC1918 addresses to the public internet. See
RFC1918 for details.

> My DMZ is connected to eth2, 192.168.2.254 and my dnscache listens on
> eth 1, 192.168.1.254.
>
> A little ASCII art may help explain my network:
>
> Inet--Firewall -- eth1 -- loc 192.168.1.254 -- 192.168.1.1
>               \
>                \ eth2 -- dmz 192.168.2.254 -- 66.51.201.39
>
>
> I'm thinking that setting resolv.conf on 66.51.201.39 to
>
> nameserver 192.168.1.254
>
> doesn't do that machine any good since it has no route to 192.168.1.254.

If 66.51.201.39's default gateway is 192.168.2.254, it does have a route
to 192.168.1.254, because 192.168.2.254 has this route. Non-problem.

--
Greg White
On Tuesday 21 May 2002 08:53 am, Greg White wrote:

>
> If 66.51.201.39's default gateway is 192.168.2.254, it does have a route
> to 192.168.1.254, because 192.168.2.254 has this route. Non-problem.

Even if 66.61.201.39's default gateway is a router in the 66.61.201.0/x
subnet (at Joe's ISP for example), because the firewall will respond to
ARP "who-has" requests on the DMZ Lan segment for that router's IP
address, it is still a non-problem. My setup is very similar to Joe's and
this from 206.124.146.177 in my DMZ:

[root@mail html]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
206.124.146.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         206.124.146.254 0.0.0.0         UG    0      0        0 eth0
[root@mail html]# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) from 206.124.146.177 : 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.406 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=0.212 ms

--- 192.168.1.254 ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 999ms
rtt min/avg/max/mdev = 0.212/0.309/0.406/0.097 ms
[root@mail html]#

206.124.146.254 is my ISP's router and 192.168.1.254 is the firewall's
local IP. The firewall's DMZ IP is 192.168.2.1.

-Tom
--
Tom Eastep \ Shorewall -- iptables made easy
teastep@shorewall.net \ http://www.shorewall.net
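Greg's point about RFC1918 space being perfectly routable and Tom's routing table above both reduce to a longest-prefix lookup: a DMZ host whose only non-local route is the default route still has a next hop for 192.168.1.254, and the firewall's proxy ARP makes that next hop reachable on the DMZ segment. The following Python is an added example, not code from the thread, that parses the route -n output Tom posted, performs the kernel's longest-prefix match, and separately tests whether an address is in RFC1918 space, which is the property an edge filter should key on rather than any notion of "non-routable". Function names are mine; the route table is the one quoted above.

```python
import ipaddress

# The routing table Tom posted from his DMZ host, used here as sample input.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
206.124.146.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         206.124.146.254 0.0.0.0         UG    0      0        0 eth0
"""

# RFC 1918 private blocks, spelled out: ipaddress's is_private is broader
# (loopback, link-local, documentation ranges) and would misclassify.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_route_table(text):
    """Parse `route -n` output into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue                      # skip the two header lines
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        net = ipaddress.ip_network("%s/%s" % (dest, mask))
        gateway = ipaddress.ip_address(gw) if "G" in flags else None
        routes.append((net, gateway, iface))
    return routes


def lookup_route(routes, dst):
    """Longest-prefix match, as the kernel does.

    Returns (next_hop, iface, via_gateway) or None when nothing matches.
    For a directly connected network the next hop is the destination itself
    (the host ARPs for it); otherwise the host ARPs for the gateway.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        return None
    net, gateway, iface = best
    return (gateway if gateway is not None else dst, iface, gateway is not None)


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918_NETS)


def edge_should_drop(src, dst):
    """The policy Greg describes for the public-facing side: a packet with an
    RFC 1918 source or destination must not cross to or from the Internet."""
    return is_rfc1918(src) or is_rfc1918(dst)


if __name__ == "__main__":
    table = parse_route_table(ROUTE_N_OUTPUT)
    for target in ("192.168.1.254", "206.124.146.1", "127.0.0.1"):
        print(target, "->", lookup_route(table, target), "rfc1918:", is_rfc1918(target))
```

For 192.168.1.254 the lookup lands on the default route and returns 206.124.146.254 on eth0, so the DMZ host does hold a route to the firewall's loc address; whether the reply comes back is then a filtering question for the firewall, which is where Greg and Tom both point Joe.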