Please excuse me if this has been answered before - I have searched the documentation and not found a reply which I can understand. Maybe there is a HOWTO someone could please point me to.

I am unable to obtain a broadband connection and therefore use ISDN via an ISP who allocates a non-static IP address. Currently I use e-smith server which handles dynamic dns updating for my DYNDNS CUSTOM domain name, but I want to move to a three interface firewall.

My problem is in understanding:

which IP updating utility I should use

in which machine should it be

how to configure the whole so that I can get my domain based mail, and host a webserver on the DMZ, and give access on the internal network to the webserver with www.domain.co.uk.

Any help will be gratefully appreciated.

Thank you

Tony
Tony,

If I understand you correct:

> My problem is in understanding:
>
> which IP updating utility I should use

That depends on the service you use for dynamic DNS. I use ddclient for several DynDNS.org domains.

> in which machine should it be

On the machine connected to the Internet to get your public IP address.

> how to configure the whole so that I can get my domain based mail, and
> host a webserver on the DMZ, and give access on the internal network to
> the webserver with www.domain.co.uk.

Again, depends on the service and tool you use.

> Any help will be gratefully appreciated.

HTH

karsten

--
Hi, I'm a signature virus. Copy me into your ~/.signature to help me spread!
Thanks for fast reply. A check at dyndns.org proves that ddclient is compatible with my custom domain. Are you saying that it is as easy as just running ddclient as a daemon on what Shorewall calls the computer running the "net" zone, or is there more to do to given the information about the update client and my proposed network scheme.

Thanks again for your help

Tony

On Thu, 2003-04-24 at 20:37, kb wrote:
> Tony,
>
> If I understand you correct:
>
> > My problem is in understanding:
> >
> > which IP updating utility I should use
>
> That depends on the service you use for dynamic DNS. I use ddclient for
> several DynDNS.org domains.
>
> > in which machine should it be
>
> On the machine connected to the Internet to get your public IP address.
>
> > how to configure the whole so that I can get my domain based mail, and
> > host a webserver on the DMZ, and give access on the internal network to
> > the webserver with www.domain.co.uk.
>
> Again, depends on the service and tool you use.
>
> > Any help will be gratefully appreciated.
>
> HTH karsten
> Thanks for fast reply. A check at dyndns.org proves that ddclient is
> compatible with my custom domain. Are you saying that it is as easy as
> just running ddclient as a daemon on what Shorewall calls the computer
> running the "net" zone, or is there more to do to given the information
> about the update client and my proposed network scheme.

Just run the client on the firewall -- that client will only be responsible to update the dynamic IP that should be assigned to your dynamic DNS name.

As easy, yes.

The firewall has to run the servers itself or need NAT rules, to forward connections to the servers you wanna have available to the public. Therefore you have to configure shorewall, too.

Not as easy, no.

You will find the needed rules in the shorewall documentation. If you don't wanna have something tricky and just some servers (like the web server you mentioned) it isn't difficult to set those rules.

karsten
OK, I thought this was going to be hard, and it's not, you have really helped. Configuring Shorewall is easy - all the files are there - even I can do that!

Thanks again

Tony

On Thu, 2003-04-24 at 21:12, kb wrote:
> > Thanks for fast reply. A check at dyndns.org proves that ddclient is
> > compatible with my custom domain. Are you saying that it is as easy as
> > just running ddclient as a daemon on what Shorewall calls the computer
> > running the "net" zone, or is there more to do to given the information
> > about the update client and my proposed network scheme.
>
> Just run the client on the firewall -- that client will only be
> responsible to update the dynamic IP that should be assigned to your
> dynamic DNS name.
>
> As easy, yes.
>
> The firewall has to run the servers itself or need NAT rules, to forward
> connections to the servers you wanna have available to the public.
> Therefore you have to configure shorewall, too.
>
> Not as easy, no.
>
> You will find the needed rules in the shorewall documentation. If you
> don't wanna have something tricky and just some servers (like the web
> server you mentioned) it isn't difficult to set those rules.
>
> karsten
On 24 Apr 2003 21:19:01 +0100, Tony Bennett <tony.bennett@bcomputing.com> wrote:
> OK, I thought this was going to be hard, and it's not, you have really
> helped. Configuring Shorewall is easy - all the files are there - even I
> can do that!

You will have to add an additional rule to allow ddclient to connect to your dyn dns provider. Check the ddclient docs -- it will probably be port 80.

-Tom

--
Tom Eastep     \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
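The firewall-side configuration the two replies above describe (forwarding web traffic to a DMZ server, and letting ddclient on the firewall reach the update service on port 80), as an added example that is not part of the original messages and not taken from the Shorewall samples. It assumes zones named loc and dmz beside net and fw, a constructed DMZ address of 10.0.2.10, and that the firewall resolves names through an external DNS server.

```conf
# /etc/shorewall/policy  (the first matching line applies)
# SOURCE  DEST  POLICY  LOG-LEVEL
loc       net   ACCEPT
# Broad option: lets the firewall itself open ANY connection to the net zone.
# Left commented out here in favour of the narrow rules below.
#fw       net   ACCEPT
net       all   DROP    info
# Catch-all: traffic not matched above is rejected. A local client such as
# ddclient sees a rejected TCP connection as "Connection refused".
all       all   REJECT  info

# /etc/shorewall/rules
# ACTION  SOURCE  DEST            PROTO  DEST-PORT
# Narrow option: only what the update client on the firewall needs.
# DNS lookups for the update server's name (assumes an external resolver):
ACCEPT    fw      net             udp    53
ACCEPT    fw      net             tcp    53
# The HTTP update request itself:
ACCEPT    fw      net             tcp    80
# Forward inbound web traffic to the DMZ web server
# (10.0.2.10 is an assumed address, replace with the real one):
DNAT      net     dmz:10.0.2.10   tcp    80
# Let the internal network reach the web server by its DMZ address:
ACCEPT    loc     dmz:10.0.2.10   tcp    80
```

Restart Shorewall after editing these files so the new rules are loaded.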
OK, a nice long weekend in England.

I got everything set up, and you were right, I need to allow a connection, as I get this message from ddclient:

"cannot connect to members.orgdns.org: 80 Socket : IO::Socket::INET : connect : Connection refused"

Can you please tell me how to allow this. I did uncomment the line in policy about allowing the fw to connect to the internet, and have tried to open tcp and udp port 80, but I can't get it to work.

Help please

Thx

Tony

On Thu, 2003-04-24 at 21:23, Tom Eastep wrote:
> On 24 Apr 2003 21:19:01 +0100, Tony Bennett <tony.bennett@bcomputing.com>
> wrote:
>
> > OK, I thought this was going to be hard, and it's not, you have really
> > helped. Configuring Shorewall is easy - all the files are there - even I
> > can do that!
>
> You will have to add an additional rule to allow ddclient to connect to
> your dyn dns provider. Check the ddclient docs -- it will probably be port
> 80.
>
> -Tom
On 05 May 2003 00:51:09 +0100, Tony Bennett <tony.bennett@bcomputing.com> wrote:
> OK, a nice long weekend in England.
>
> I got everything set up, and you were right, I need to allow a
> connection, as I get this message from ddclient:
>
> "cannot connect to members.orgdns.org: 80 Socket : IO::Socket::INET :
> connect : Connection refused"
>
> Can you please tell me how to allow this. I did uncomment the line in
> policy about allowing the fw to connect to the internet, and have tried
> to open tcp and udp port 80, but I can't get it to work.

Does "I can't get it to work" mean that you are still getting the above message? If you "shorewall clear", does it work then?

-Tom
I stopped and started Shorewall between changing the files and re-running the ddclient debug script

Tony

On Mon, 2003-05-05 at 00:58, Tom Eastep wrote:
> On 05 May 2003 00:51:09 +0100, Tony Bennett <tony.bennett@bcomputing.com>
> wrote:
>
> > OK, a nice long weekend in England.
> >
> > I got everything set up, and you were right, I need to allow a
> > connection, as I get this message from ddclient:
> >
> > "cannot connect to members.orgdns.org: 80 Socket : IO::Socket::INET :
> > connect : Connection refused"
> >
> > Can you please tell me how to allow this. I did uncomment the line in
> > policy about allowing the fw to connect to the internet, and have tried
> > to open tcp and udp port 80, but I can't get it to work.
>
> Does "I can't get it to work" mean that you are still getting the above
> message? If you "shorewall clear", does it work then?
>
> -Tom
On 5 May 2003, Tony Bennett wrote:
> I stopped and started Shorewall between changing the files and
> re-running the ddclient debug script

But that isn't what I asked you.

-Tom
On Sun, 4 May 2003, Tom Eastep wrote:
> On 5 May 2003, Tony Bennett wrote:
>
> > I stopped and started Shorewall between changing the files and
> > re-running the ddclient debug script
>
> But that isn't what I asked you.

And BTW -- mail to your return address <tony.bennett@bcomputing.com> is bouncing...

-Tom
> I stopped and started Shorewall between changing the files and
> re-running the ddclient debug script

What about posting your rules, policy and zones files?

karsten
On 5 May 2003, kb wrote:
> > I stopped and started Shorewall between changing the files and
> > re-running the ddclient debug script
>
> What about posting your rules, policy and zones files?

At this point, we don't even know if the problem has anything to do with Shorewall. Commenting out the fw->net ACCEPT policy should have eliminated the connection problem; that's why I asked if the dynamic DNS client works after a "shorewall clear".

-Tom
> > > I stopped and started Shorewall between changing the files and
> > > re-running the ddclient debug script
> >
> > What about posting your rules, policy and zones files?
>
> At this point, we don't even know if the problem has anything to do with
> Shorewall. Commenting out the fw->net ACCEPT policy should have eliminated
> the connection problem; that's why I asked if the dynamic DNS client works
> after a "shorewall clear".

Sure Tom, you are right. I just quickly suspected wrong ordered policies.

Tony, please check your ddclient configuration very carefully. Although members.orgdns.org is the same website as www.orgdns.org, that does not necessarily mean the update script responds on that machine, too.

--- snipp --- from your error message
"cannot connect to members.orgdns.org: 80 Socket : IO::Socket::INET : connect : Connection refused"

--- snipp --- from sample-etc_ddclient.conf
# server=www.orgdns.org \
# protocol=dyndns2 \
# login=yourLoginName \
# password=yourPasswort \
# yourSubdomain.orgdns.org

btw: maybe try more than once -- while reading on orgdns.org I got a 'connection refused', retrying got me the page.

karsten