Hi all

Before I started to write this question I was sure that messages "fw2net DROP...." were not showing often, but when I looked closely at the logs there are plenty.

Did someone compromise our DNS (secondary DNS)?

Why would DNS send the packets to ports other than requested (wrong config, connection timeout, web server already has the answer for the query)?

What should I do with this traffic? Is it OK to allow DNS 203.94.161.6 to go to webserver 203.94.161.7 the way it wants to?
PS. We use this box to go out as a GW for a few dialups and internal.

Thanks for the help
Bogdan

rules file
----------------------
REJECT  net     $FW     tcp     ssh,auth
DROP    net     $FW     icmp    8
DROP    net     loc     icmp    8
DROP    net     dial1   icmp    8
DROP    net     dial2   icmp    8
DROP    dial1   $FW     icmp    8

ACCEPT  loc     $FW     tcp     53          # DNS
ACCEPT  loc     $FW     udp     53          # DNS
ACCEPT  loc     net     tcp     53          # DNS
ACCEPT  loc     net     udp     53          # DNS
ACCEPT  net     $FW     tcp     53          # DNS
ACCEPT  net     $FW     udp     53          # DNS
ACCEPT  $FW     net     tcp     53,123      # DNS and TIME
ACCEPT  $FW     net     udp     53,123      # DNS and TIME

# $FW to dns and to net
ACCEPT  $FW     net     icmp    8
ACCEPT  $FW     loc     icmp    8
ACCEPT  $FW     net:203.94.161.5    tcp     53
ACCEPT  $FW     net:203.94.161.5    udp     53
ACCEPT  $FW     net     tcp     20,21,25,80,110,123,443,10987
ACCEPT  $FW     net     udp     123

# local
ACCEPT  loc     $FW     icmp    8
ACCEPT  loc     net     icmp    8
ACCEPT  loc     net:203.94.161.5    tcp     53
ACCEPT  loc     net:203.94.161.5    udp     53
ACCEPT  loc     net:210.8.42.18     tcp     8080    # BBF accounts
ACCEPT  loc     net     tcp     20,21,22,23,25,80,110,443,10987,56789
ACCEPT  loc     $FW     tcp     20,21,22,23,25,80,110,443,10987

ACCEPT  loc:~00-40-f4-42-33-9b   net     all     # wally 5.100

# dialin
ACCEPT  dial1   $FW     icmp    8
ACCEPT  dial1   loc     icmp    8
ACCEPT  dial1   $FW     tcp     53          # fns1
ACCEPT  dial1   $FW     udp     53          # fns1
ACCEPT  dial1   net:203.94.161.5    tcp     53
ACCEPT  dial1   net:203.94.161.5    udp     53
ACCEPT  dial1   net     tcp     20,21,25,80,81,110,443,10987
# these are outgoing, port 81 for mmm

ACCEPT  dial2   $FW     icmp    8
ACCEPT  dial2   loc     icmp    8
ACCEPT  dial2   $FW     tcp     53          # fns1
ACCEPT  dial2   $FW     udp     53          # fns1
ACCEPT  dial2   $FW     tcp     80,443
ACCEPT  dial2   net:203.94.161.5    tcp     53
ACCEPT  dial2   net:203.94.161.5    udp     53
ACCEPT  dial2   net     tcp     20,21,25,80,110,443,10987

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

-----------------
messages:Aug 30 13:20:50 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34225 LEN=34
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34226 LEN=40
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34230 LEN=40
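The three log lines above can be read mechanically. What follows is an added example, not code from the thread or from Shorewall: a small parser for the netfilter key=value format that Shorewall logs, with a classifier that labels a locally generated packet (empty IN=, OUT=eth0) from UDP source port 53 to an unprivileged port as the firewall's own name server answering a query, and an inbound packet to port 53 as a query from someone else. The three sample lines are the ones from the post; the fourth line (source 198.51.100.9) is constructed so the classifier has a non-answer case to distinguish.

```python
"""Classify Shorewall log lines like the ones in the post.

Added example, not part of the original thread.  A locally generated
packet (IN= empty, OUT=eth0) from UDP source port 53 to an unprivileged
port is the firewall's own DNS server answering a query it received
earlier, not an inbound probe.
"""
import re
from collections import Counter

# Log lines copied from the post (fns1 is the firewall, 203.94.161.6).
SAMPLE_LOG = """\
messages:Aug 30 13:20:50 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34225 LEN=34
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34226 LEN=40
messages:Aug 30 13:22:34 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=203.94.161.6 DST=203.94.161.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=34230 LEN=40
"""

# Constructed line (NOT from the post): an inbound UDP query to port 53
# from an outside address, so the classifier has a non-answer case.
EXTRA_LINE = ("Aug 30 13:25:01 fns1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
              "SRC=198.51.100.9 DST=203.94.161.6 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 "
              "PROTO=UDP SPT=1031 DPT=53 LEN=40")

HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the Shorewall/netfilter fields, or None for a non-Shorewall line."""
    m = HEADER.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disp": m.group("disp")}
    # netfilter prints LEN twice (IP length, then UDP length); keep the first.
    for key, val in KV.findall(m.group("rest")):
        fields.setdefault(key, val)
    return fields


def classify(fields):
    """Label a parsed record.

    'dns-answer-out': generated by this host (IN empty), UDP from port 53 to an
                      unprivileged port -> the local name server replying.
    'dns-query-in'  : inbound UDP/TCP to port 53 -> someone asking our server.
    'other'         : anything else.
    """
    proto = fields.get("PROTO")
    spt = int(fields.get("SPT") or 0)
    dpt = int(fields.get("DPT") or 0)
    local_origin = fields.get("IN", "") == "" and fields.get("OUT", "") != ""
    if local_origin and proto == "UDP" and spt == 53 and dpt >= 1024:
        return "dns-answer-out"
    if proto in ("UDP", "TCP") and dpt == 53 and fields.get("IN", "") != "":
        return "dns-query-in"
    return "other"


def summarize(log_text):
    """Count (label, SRC, DST, disposition) so a repeated 'answers to one host' pattern stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        counts[(classify(fields), fields["SRC"], fields["DST"], fields["disp"])] += 1
    return counts


if __name__ == "__main__":
    for (label, src, dst, disp), n in summarize(SAMPLE_LOG + EXTRA_LINE + "\n").items():
        print(f"{n:4d}  {label:15s} {src} -> {dst}  ({disp})")
```

Run against the post's lines it reports three rejected answers from 203.94.161.6 to 203.94.161.7, all to high ports: the pattern of a name server replying to a client, not of the server being attacked. Feeding it `grep Shorewall /var/log/messages` on the firewall gives the same summary over the real log.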
Bogdan,

I am new to Shorewall, but one obvious thing might be that your /etc/shorewall/policy file does not have fw->net not uncommented. Beyond that, I don't have any other knowledge as I am only 5 days old with Shorewall.

mehul

On Sat, Aug 30, 2003 at 02:31:21PM +1000, bogdan wrote:
> Hi all
>
> Before I started to write this Question I was sure that messages "fw2net
> DROP...." was not showing often but when I looked closly at the logs it
> shows to be plenty.
>
> Did some one compromised our DNS (secondary dns)?
>
> Why would DNS send the packets to the ports other than requesed (wrong
> config, connection timeout,web server already has the answer for the query)
>
> What should I do with this trafic? is it ok to allow DNS 203.94.161.6 to go
> to webserver 203.94.161.7 the way it wants to
> PS. we use this box to go out as a GW for a few dialups and internal.
>
> Thanks for the help
> Bogdan
>
> [...]
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

-- 
Mehul N. Sanghvi                     email: mehul@kirsun.com
Superior software is always free!    URL: http://kirsun.com/~mehul
I have policy but with REJECT, the reason being that I would not like my box to cause problems to others, just in case it gets hacked. Plus I thought it was a good idea to limit traffic to necessities. But maybe I am too paranoid.

Bogdan

----- Original Message -----
From: "Mehul N. Sanghvi" <mehul@kirsun.com>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Saturday, August 30, 2003 2:54 PM
Subject: Re: [Shorewall-users] fw2net DROP messages

> Bogdan,
>
> I am new to Shorewall, but one obvious thing might be that your
> /etc/shorewall/policy file does not have fw->net not uncommented.
> Beyond that, I dont have any other knowledge as I am only 5 days
> old with Shorewall.
>
> mehul
>
> On Sat, Aug 30, 2003 at 02:31:21PM +1000, bogdan wrote:
> > [...]
On Fri, 2003-08-29 at 21:31, bogdan wrote:
> Hi all
>
> Before I started to write this Question I was sure that messages "fw2net
> DROP...." was not showing often but when I looked closly at the logs it
> shows to be plenty.
>
> Did some one compromised our DNS (secondary dns)?

This is FAQ #6c (http://shorewall.net/FAQ.htm#faq6c).

> -----------------
> messages:Aug 30 13:20:50 fns1 kernel: Shorewall:fw2net:REJECT:IN= OUT=eth0
> SRC=203.94.161.6 DST=203.94.161.7 LEN=54 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=UDP SPT=53 DPT=34225 LEN=34

What is unusual is to see these in an output chain. Is your DNS server configured to do recursive resolution for external clients? It shouldn't be.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
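Tom's question, whether the server recurses for external clients, can be answered from the outside without reading named.conf. The following is an added example, not code from the thread or from Shorewall or BIND: it sends a single UDP query with the RD (recursion desired) bit set and reads the RA (recursion available) bit of the reply header (RFC 1035, section 4.1.1). BIND clears RA in replies to clients it will not recurse for, so RA=1 in a reply to a query sent from an address outside your own networks, for a name outside the zones you serve, means the server is an open recursive resolver. The header helpers are exercised offline against two constructed replies (not captures from the thread's hosts); only `probe()` touches the network. The server address and query name on the command line are the caller's to choose.

```python
"""Check whether a name server offers recursion to the host you ask from.

Added example, not from the thread.  Builds one DNS query with RD set and
reads the RA bit in the response header.  Run it from OUTSIDE your own
networks against your server's public address, for a name you are not
authoritative for.
"""
import socket
import struct


def build_query(qname, txid=0x1234, want_recursion=True):
    """Minimal DNS query: 12-byte header plus one A/IN question."""
    flags = 0x0100 if want_recursion else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_flags(response, expected_txid):
    """Return (rcode, ra, aa) from a raw DNS response; refuse mismatched ids."""
    if len(response) < 12:
        raise ValueError("response shorter than DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or unrelated reply)")
    if not (flags >> 15) & 1:                       # QR must be set on a response
        raise ValueError("not a response")
    aa = (flags >> 10) & 1                          # authoritative answer
    ra = (flags >> 7) & 1                           # recursion available
    rcode = flags & 0x000F
    return rcode, bool(ra), bool(aa)


def offers_recursion(response, expected_txid):
    """True when the server says it will recurse for whoever sent this query."""
    _rcode, ra, _aa = parse_flags(response, expected_txid)
    return ra


# Constructed replies (no answer section; only the header matters here):
#   0x8180 = QR, RD, RA  -> server will recurse for us
#   0x8100 = QR, RD      -> RA clear, recursion not offered to this client
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
CLOSED_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)


def probe(server, qname="www.example.com", port=53, timeout=3.0):
    """Live check: send the query over UDP and report whether RA is set."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server, port))
        data, _ = s.recvfrom(512)
    return offers_recursion(data, txid)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: dnsra.py <server-ip>   (run from outside your own networks)")
    print("recursion available (RA):", probe(sys.argv[1]))
```

The same check with stock tools is `dig @<server> www.example.com` from an outside host and looking for `ra` in the `flags:` line. Asking for a name inside one of your own zones tells you nothing, because that answer is served authoritatively whether or not recursion is on.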
Hi all,

I am not sure I understand the phrase "recursive resolution for external clients?". We run DNS with the resolution for the domains that we have registered for ourselves and for some clients; I thought this was required by the DNS system to work properly, but now I am not sure. Can I run DNS without giving access to the world? Is the answer in the word "recursive"? Can it be any other type?

Thanks
Bogdan

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Saturday, August 30, 2003 11:45 PM
Subject: Re: [Shorewall-users] fw2net DROP messages

> On Fri, 2003-08-29 at 21:31, bogdan wrote:
> > [...]
> > Did some one compromised our DNS (secondary dns)?
>
> This is FAQ #6c (http://shorewall.net/FAQ.htm#faq6c).
>
> > [...]
>
> What is unusual is to see these in an output chain. Is your DNS server
> configured to do recursive resolution for external clients? It shouldn't
> be.
>
> -Tom
bogdan wrote:
> Hi all,
>
> I am not sure I understant the phrase "recursive resolution for
> external clients?" .
> We run DNS with the resolution for the domains that we have
> registered for ourself and for some clients, I thought this was
> required by the DNS system to work properly? but now I am not sure.
> Can I run DNS without giving the access to the world? Is the answer
> in the word "recursive"? can it be any other type?
>
> Thanks
> Bogdan

I believe what Tom was referring to was the "recursion yes/no" parameter in your named.conf file. From the man pages...

    recursion
        If yes, and a DNS query requests recursion, then the server will
        attempt to do all the work required to answer the query. If recursion
        is not on, the server will return a referral to the client if it
        doesn't know the answer. The default is yes. See also fetch-glue
        above.

In other words; if someone on the internet was to specify your name server's IP address in their resolver lib configuration, do you want your server to return an answer (yes) or return a referral (the root name servers) for queries outside the zones you have loaded.

Steve Cowles
Hi all

I have been away, that's why I did not reply.
I have made recursion = no in DNS, but then none of our "internal" clients could go anywhere on the net, most likely because the DNS did not provide our resolved IP. I have checked that we have
ACCEPT loc net udp 53 and
ACCEPT loc net tcp 53
rules in the rules file.

We need:
1. outside computers to resolve our domains like emis.com.au centre.net.au stainedglassshed.com
2. internal computers to resolve internet addresses
3. dialup customers to use DNS for browsing

Can I, in view of those two points, set recursive lookups to no?
Do I need to do anything else for DNS to go through the fw?

Thanks in advance
Bogdan

----- Original Message -----
From: "Cowles, Steve" <steve@stevecowles.com>
To: "'Shorewall Users Mailing List'" <shorewall-users@lists.shorewall.net>
Sent: Monday, September 01, 2003 12:25 AM
Subject: RE: [Shorewall-users] fw2net DROP messages

> bogdan wrote:
> > [...]
>
> I believe what Tom was referring to was the "recursion yes/no" parameter in
> your named.conf file. From the man pages...
>
> recursion
>     If yes, and a DNS query requests recursion, then the server will
>     attempt to do all the work required to answer the query. If recursion
>     is not on, the server will return a referral to the client if it
>     doesn't know the answer. The default is yes. See also fetch-glue
>     above.
>
> In other words; if someone on the internet was to specify your name servers
> IP address in their resolver lib configuration, do you want your server to
> return an answer (yes) or return a referral (the root name servers) for
> queries outside the zones you have loaded.
>
> Steve Cowles
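Steve's man-page excerpt describes the global `recursion` switch, and Bogdan's three needs show why flipping it to `no` broke the LAN: the same server has to be authoritative for everyone and a resolver for the inside only. BIND has had a separate `allow-recursion` ACL for that since 8.2, so recursion can stay on for your own address ranges while outsiders only get the zones you host. The fragment below is an added example in BIND 9 named.conf syntax, not Bogdan's actual configuration. Its assumptions, to be replaced with real values: named runs on fns1 (the 203.94.161.6 that appears as the log source), the internal LAN is 192.168.0.0/16 (Bogdan later says internal clients use RFC 1918 space, but not which range), the dialup and wireless pool is written as 203.94.161.0/24, 203.94.161.5 is the master for the zones (it is the host the rules file labels as "dns"), and the zone file paths are placeholders.

```conf
// Added example, not the thread's named.conf.  Replace the assumed
// networks and master address with your own.

// --- weak form: what the server effectively runs today ------------------
//
//   options { recursion yes; };   // default: recurses for any client
//
// With this, "ACCEPT net $FW udp 53" in the rules file hands every host on
// the Internet a recursive resolver.  The fw2net log noise is a side
// effect; the exposure is the resolver itself.

// --- corrected form ------------------------------------------------------
acl "ours" {
    127.0.0.1;            // the firewall itself (named runs on fns1)
    192.168.0.0/16;       // internal LAN (assumed RFC 1918 range)
    203.94.161.0/24;      // dialup and wireless customers (assumed pool)
};

options {
    directory "/var/named";          // assumed path
    recursion yes;                   // still recurse ...
    allow-recursion { "ours"; };     // ... but only for our own clients (needs 2 and 3)
    allow-query { any; };            // hosted zones stay answerable from anywhere (need 1)
};

// Authoritative zones.  "slave" because Bogdan calls this host the secondary.
zone "centre.net.au" {
    type slave;
    file "sec/centre.net.au";        // assumed path
    masters { 203.94.161.5; };       // assumed primary
};
zone "emis.com.au" {
    type slave;
    file "sec/emis.com.au";
    masters { 203.94.161.5; };
};
zone "stainedglassshed.com" {
    type slave;
    file "sec/stainedglassshed.com";
    masters { 203.94.161.5; };
};
```

After reloading named, a `dig @203.94.161.6 www.example.com` from an outside host should come back with no `ra` in its flags and no answer, while the same query from the LAN or a dialup address still resolves, and `dig @203.94.161.6 centre.net.au` works from anywhere. No Shorewall change is needed for this: the existing `net $FW udp/tcp 53` rules carry both the legitimate zone queries and the recursion attempts, and the ACL decides which ones are served.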
Bogdan:

You're running named on the firewall? If so then your rules are only allowing connections from the LAN to DNS servers on the internet. You'll need to have rules to allow your LAN to the firewall. For external clients that would use your name server, net to fw needs to be allowed. You still may need rules to allow the firewall to perform lookups, depends what is in your policy file...

Jerry Vonau

----- Original Message -----
From: "bogy" <bogdan@centre.net.au>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, September 12, 2003 12:04 AM
Subject: Re: [Shorewall-users] fw2net DROP messages

> Hi all
> I have been away, that why i did not reply.
> I have made recusion = no in a DNS, but then none of our "internal" clients
> could go anyware on the net, most likly because the dns did not provide our
> resolved-IP. I have checked that we have
> ACCEPT loc net udp 53 and
> ACCEPT loc net tcp 53
> rules in the rules file
>
> We need :
> 1. outside computers to resolve our domains like emis.com.au centre.net.au
> stainedglassshed.com
> 2. internal computers to resolve internet addresses
> 3. dialup customers to use dns for browsing
>
> Can I in the view of those two points set recursive lookups to no?
> Do I need to do anything else for DNS to go through the fw?
>
> Thanks in advance
> Bogdan
>
> [...]
Thanks Jerry

I have udp and tcp 53 open to FW and from, but Tom before his holiday said that I should not run "recursive named"; this is the reason that I am asking now if my domain resolutions (like centre.net.au which we run) will be visible from the outside world if I set recursive = No. I know that this is not the DNS list and I will most likely take the question there, but I would like to know if there is anything with the shorewall that I can change to allow lookups. When I stop recursive our computers could not resolve any names, and I have
ACCEPT loc2fw tcp 53
ACCEPT loc2fw udp 53
ACCEPT fw2net tcp 53
ACCEPT fw2net udp 53
ACCEPT net2fw tcp 53
ACCEPT net2fw udp 53
Are those sufficient to allow all DNS traffic?

Thanks
Bogdan

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, September 12, 2003 3:49 PM
Subject: Re: [Shorewall-users] fw2net DROP messages

> Bogdan:
>
> Your running named on the firewall?
> If so then your rules are only allowing
> connections from the lan to dns servers
> on the internet. You'll need to have rules
> to allow your lan to the firewall. For external
> clients that would use your name server then
> net to fw needs to be allowed. Your still may need
> rules to allow the firewall to preform lookups,
> depends what is in your policy file...
>
> Jerry Vonau
>
> [...]
Bogdan:

You need to remember when your named is looking up some domain that is not under your control, it is acting as a client. You have allowed the outbound request, but you're missing:

ACCEPT net fw tcp - 53
ACCEPT net fw udp - 53
(this is accept all that has a source port of 53)

to allow the returning answers as a client, from any DNS server on the internet, to the firewall/named, for lookups that it can't resolve locally. I noticed from your first post that all the IP addresses are close; are your "internal clients" using public IPs??

Jerry

----- Original Message -----
From: "bogy" <bogdan@centre.net.au>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, September 12, 2003 08:32 AM
Subject: Re: [Shorewall-users] fw2net DROP messages

> Thanks Jerry
> I have udp and tcp 53 open to FW and from, but Tom before his holiday said
> that I should not run "recursive named" this is the reason that I am asking
> now if my domains resolutions (like centre.net.au which we run) will be
> visible from the outside world if I set recursive = No. I know that this is
> not the DNS list and I most likly take the question there but I would like
> to know if there is anything with the shorewall that I can change to allow
> lookups. When I stop recursive our computers could not resolve any names,
> and I have
> ACCEPT loc2fw tcp 53
> ACCEPT loc2fw udp 53
> ACCEPT fw2net tcp 53
> ACCEPT fw2net udp 53
> ACCEPT net2fw tcp 53
> ACCEPT net2fw udp 53
> Are those sufficient to allow all DNS trafic?
>
> Thanks
> Bogdan
>
> [...]
Hi
Internal clients are rfc1918, but we also have a few, about 30, public ones that we assign for dialup (we are only a small fish) and a few that go over wireless which are public as well.
Anyway, if there is no immediate danger in running recursive named I am happy to leave them resolving.
More problems are with spam in the qmail than in the named.

Thanks Jerry once again
Bogdan

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Saturday, September 13, 2003 10:50 AM
Subject: Re: [Shorewall-users] fw2net DROP messages

> Bogdan:
>
> You need to remember when your named is looking up some domain that is not under your control, it is acting as a client. You have allowed the outbound request, but you're missing:
>
> ACCEPT net fw tcp - 53
> ACCEPT net fw udp - 53
> (this is accept all that has a source port of 53)
>
> To allow the returning answers as a client, from any dns server on the internet, to the firewall/named, for lookups that it can't resolve locally.
> I noticed from your first post that all the ip addresses are close; are your "internal clients" using public ips??
>
> Jerry
>
> ----- Original Message -----
> From: "bogy" <bogdan@centre.net.au>
> To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
> Sent: Friday, September 12, 2003 08:32 AM
> Subject: Re: [Shorewall-users] fw2net DROP messages
>
> > Thanks Jerry
> > I have udp and tcp 53 open to FW and from, but Tom before his holiday said that I should not run "recursive named". This is the reason that I am asking now if my domain resolutions (like centre.net.au which we run) will be visible from the outside world if I set recursive = No. I know that this is not the DNS list and I will most likely take the question there, but I would like to know if there is anything with the shorewall that I can change to allow lookups. When I stop recursive our computers could not resolve any names, and I have
> > ACCEPT loc2fw tcp 53
> > ACCEPT loc2fw udp 53
> > ACCEPT fw2net tcp 53
> > ACCEPT fw2net udp 53
> > ACCEPT net2fw tcp 53
> > ACCEPT net2fw udp 53
> > Are those sufficient to allow all DNS traffic?
> >
> > Thanks
> > Bogdan
> >
> > ----- Original Message -----
> > From: "Jerry Vonau" <jvonau@shaw.ca>
> > To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
> > Sent: Friday, September 12, 2003 3:49 PM
> > Subject: Re: [Shorewall-users] fw2net DROP messages
> >
> > > Bogdan:
> > >
> > > You're running named on the firewall? If so then your rules are only allowing connections from the lan to dns servers on the internet. You'll need to have rules to allow your lan to the firewall. For external clients that would use your name server, net to fw needs to be allowed. You still may need rules to allow the firewall to perform lookups; depends what is in your policy file...
> > >
> > > Jerry Vonau
> > >
> > > ----- Original Message -----
> > > From: "bogy" <bogdan@centre.net.au>
> > > To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
> > > Sent: Friday, September 12, 2003 12:04 AM
> > > Subject: Re: [Shorewall-users] fw2net DROP messages
> > >
> > > > Hi all
> > > > I have been away, that is why I did not reply.
> > > > I have made recursion = no in a DNS, but then none of our "internal" clients could go anywhere on the net, most likely because the dns did not provide our resolved-IP. I have checked that we have
> > > > ACCEPT loc net udp 53 and
> > > > ACCEPT loc net tcp 53
> > > > rules in the rules file
> > > >
> > > > We need:
> > > > 1. outside computers to resolve our domains like emis.com.au centre.net.au stainedglassshed.com
> > > > 2. internal computers to resolve internet addresses
> > > > 3. dialup customers to use dns for browsing
> > > >
> > > > Can I in the view of those two points set recursive lookups to no?
> > > > Do I need to do anything else for DNS to go through the fw?
> > > >
> > > > Thanks in advance
> > > > Bogdan
> > > >
> > > > ----- Original Message -----
> > > > From: "Cowles, Steve" <steve@stevecowles.com>
> > > > To: "'Shorewall Users Mailing List'" <shorewall-users@lists.shorewall.net>
> > > > Sent: Monday, September 01, 2003 12:25 AM
> > > > Subject: RE: [Shorewall-users] fw2net DROP messages
> > > >
> > > > > bogdan wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > I am not sure I understand the phrase "recursive resolution for external clients?".
> > > > > > We run DNS with the resolution for the domains that we have registered for ourselves and for some clients; I thought this was required by the DNS system to work properly, but now I am not sure.
> > > > > > Can I run DNS without giving the access to the world? Is the answer in the word "recursive"? Can it be any other type?
> > > > > >
> > > > > > Thanks
> > > > > > Bogdan
> > > > >
> > > > > I believe what Tom was referring to was the "recursion yes/no" parameter in your named.conf file. From the man pages...
> > > > >
> > > > > recursion
> > > > > If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is not on, the server will return a referral to the client if it doesn't know the answer. The default is yes. See also fetch-glue above.
> > > > >
> > > > > In other words: if someone on the internet was to specify your name server's IP address in their resolver lib configuration, do you want your server to return an answer (yes) or return a referral (the root name servers) for queries outside the zones you have loaded?
> > > > >
> > > > > Steve Cowles
bogy wrote:
> Hi
> Internal clients are rfc1918, but we also have a few, about 30, public ones that we assign for dialup (we are only a small fish) and a few that go over wireless which are public as well.
> Anyway, if there is no immediate danger in running recursive named I am happy to leave them resolving.
> More problems are with spam in the qmail than in the named.
>
> Thanks Jerry once again
> Bogdan

Sounds like you need to implement bind views. By doing so, you could set recursion=no for external queries and recursion=yes for your intranet/customer queries.

FWIW: I found the following site quite informative in setting up bind.
http://www.cymru.com/Documents/secure-bind-template.html

Steve Cowles
On Fri, 12 Sep 2003, bogy wrote:
> Hi all
> I have been away, that is why I did not reply.
> I have made recursion = no in a DNS, but then none of our "internal" clients could go anywhere on the net, most likely because the dns did not provide our resolved-IP. I have checked that we have
> ACCEPT loc net udp 53 and
> ACCEPT loc net tcp 53
> rules in the rules file
>
> We need:
> 1. outside computers to resolve our domains like emis.com.au centre.net.au stainedglassshed.com
> 2. internal computers to resolve internet addresses
> 3. dialup customers to use dns for browsing
>
> Can I in the view of those two points set recursive lookups to no?
> Do I need to do anything else for DNS to go through the fw?

I use Bind 9 "Views" to allow recursive resolution for internal clients while preventing it for external clients. The Shorewall Setup Guide gives details.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
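Both Steve's suggestion of bind views and Tom's "Bind 9 Views" reply describe the same arrangement: the server stays authoritative for the listed domains toward everyone, but only answers recursive queries for the LAN, wireless and dialup clients. The named.conf below is an added example, not configuration from the thread, from the Shorewall Setup Guide or from the cymru template; the acl name, the zone file paths and the address ranges (192.168.0.0/16 standing in for the RFC 1918 LAN, 198.51.100.0/27 as a placeholder for the roughly 30 public dialup/wireless addresses) are assumptions, and only the three domain names come from the thread. The weak starting point it replaces is a single `options { recursion yes; }` with the zones at top level, which makes the server an open resolver for anybody who points a resolver at it.

```conf
// Added example: BIND 9 named.conf with two views.
// Address ranges and file names are assumptions; substitute the real ones.

// Clients that may use this server as a recursive resolver.
acl "trusted" {
    127.0.0.1;          // the firewall/named host itself
    192.168.0.0/16;     // assumed RFC 1918 LAN
    198.51.100.0/27;    // placeholder for the public dialup/wireless block
};

options {
    directory "/var/named";
    // Global default is "no": a client matched by no view-specific
    // setting never gets recursion. (The weak setting this replaces
    // was "recursion yes;" here with no views and no allow-recursion.)
    recursion no;
};

// Views are matched top to bottom; the first match wins, so the
// restricted "internal" view must come before the catch-all.
view "internal" {
    match-clients { "trusted"; };
    recursion yes;
    allow-recursion { "trusted"; };

    // Root hints are only needed where recursion actually happens.
    zone "." { type hint; file "named.root"; };

    zone "centre.net.au"        { type master; file "master/centre.net.au"; };
    zone "emis.com.au"          { type master; file "master/emis.com.au"; };
    zone "stainedglassshed.com" { type master; file "master/stainedglassshed.com"; };
};

// Everyone else: authoritative answers for our zones, nothing more.
view "external" {
    match-clients { any; };
    recursion no;

    zone "centre.net.au"        { type master; file "master/centre.net.au"; };
    zone "emis.com.au"          { type master; file "master/emis.com.au"; };
    zone "stainedglassshed.com" { type master; file "master/stainedglassshed.com"; };
};
```

Once views are in use, every zone has to live inside a view (BIND refuses a mix of top-level and per-view zones), which is why the three master zones are listed twice. Run `named-checkconf` before reloading, then confirm the split from both sides: a `dig` for one of your own domains should be answered from anywhere, while a `dig` for a name you are not authoritative for should be answered from the LAN but come back from an outside host without an answer and without the `ra` flag. None of this changes what Shorewall needs; the rules discussed earlier in the thread still have to pass port 53 between loc/dial and the firewall, from the firewall to the net, and from the net to the firewall.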
Thank you very much Tom
We all appreciate your help. I hope you had some rest.
I will look into that DNS 'cos I do get a few requests like that, but that wasn't on my priority list.

Bogdan

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Monday, September 15, 2003 12:37 PM
Subject: Re: [Shorewall-users] fw2net DROP messages

> On Fri, 12 Sep 2003, bogy wrote:
>
> > Hi all
> > I have been away, that is why I did not reply.
> > I have made recursion = no in a DNS, but then none of our "internal" clients could go anywhere on the net, most likely because the dns did not provide our resolved-IP. I have checked that we have
> > ACCEPT loc net udp 53 and
> > ACCEPT loc net tcp 53
> > rules in the rules file
> >
> > We need:
> > 1. outside computers to resolve our domains like emis.com.au centre.net.au stainedglassshed.com
> > 2. internal computers to resolve internet addresses
> > 3. dialup customers to use dns for browsing
> >
> > Can I in the view of those two points set recursive lookups to no?
> > Do I need to do anything else for DNS to go through the fw?
> >
>
> I use Bind 9 "Views" to allow recursive resolution for internal clients while preventing it for external clients. The Shorewall Setup Guide gives details.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
From: "bogy" <bogdan@centre.net.au>
Subject: Re: [Shorewall-users] fw2net DROP messages
Date: Fri, 19 Sep 2003 22:07:12 +1000

> Thank you very much Tom
> We all appreciate your help. I hope you had some rest.
> I will look into that DNS 'cos I do get a few requests like that, but that wasn't on my priority list.
>
> Bogdan
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
> Sent: Monday, September 15, 2003 12:37 PM
> Subject: Re: [Shorewall-users] fw2net DROP messages
>