Good day to all. I am still relatively new with Red Hat and Shorewall (the MS and OpenBSD worlds). I do persevere and had no problems with OpenBSD.

Having said that, I am having a problem with DNS lookups being refused. I'm including my TOS and Rules for your review. Everything else works fine (Mail, Web, FTP etc), which confuses me. If my DNS connections were being refused, then how the heck do I get mail etc?

TOS
    net  loc  tcp  domain  -     16
    net  loc  udp  domain  -     16
    loc  net  tcp  domain  -     16
    loc  net  udp  domain  -     16
    net  loc  tcp  smtp    smtp  8
    net  loc  tcp  pop3    pop3  8

RULES (dnat)
    DNAT  all  loc:inside  tcp  53    -
    DNAT  all  loc:inside  udp  53    -
    DNAT  net  loc:inside  tcp  smtp  -

RULES (accept)
    ACCEPT  all  all  tcp  53  53
    ACCEPT  all  all  udp  53  53
    ACCEPT  loc  fw   tcp  ssh

Keep in mind that I've replaced my local IP schema with INSIDE, and included an example of SMTP DNATting.

Also I have a slight problem with SMB. I can ping the SMB name, can view the share using net view (SMB name or IP), but the server does not show up in my net neighborhood. This is a later problem and is not important at this point (I'll fight through this one, but the DNS lookup is important).

Thanks to all

Richard
Please post in plain text and configure your mailer to fold lines to a reasonable length.

On Thu, 29 Jul 2004, Richard Gutery wrote:

> Good day to all. I am still relatively new with Red Hat and Shorewall
> (the MS and OpenBSD worlds). I do persevere and had no problems with
> OpenBSD.
>
> Having said that, I am having a problem with DNS lookups being refused.
> I'm including my TOS and Rules for your review. Everything else works
> fine (Mail, Web, FTP etc), which confuses me. If my DNS connections were
> being refused, then how the heck do I get mail etc?
>
> TOS

TOS is totally irrelevant to connection problems. The policy and interfaces file would have been more relevant.

> RULES (dnat)
> DNAT  all  loc:inside  tcp  53  -
> DNAT  all  loc:inside  udp  53  -

The above two absurd rules say: "All DNS traffic, no matter where it originated or where it was originally going, should be sent to 'inside'". That can't be what you want; for one thing, 'inside' can't send any DNS requests; they will just be boomeranged back to it. Replace the 'all' in the above with 'net' and fix your other DNS rules below.

> DNAT  net  loc:inside  tcp  smtp  -
>
> RULES (accept)
> ACCEPT  all  all  tcp  53  53
> ACCEPT  all  all  udp  53  53

The above rules all DNS traffic everywhere BUT ONLY IF THE CLIENT BINDS TO LOCAL PORT 53. Ditch the entries in the SOURCE PORT(S) column.

> Also I have a slight problem with SMB. I can ping the SMB name, can
> view the share using net view (SMB name or IP), but the server does not
> show up in my net neighborhood.

The above isn't enough of a problem description for us to help you.

> This is a later problem and is not
> important at this point (I'll fight through this one, but the DNS lookup
> is important).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
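As an added illustration (not code from the thread, from Shorewall, or from Tom), a small Python checker that encodes the two findings above and runs them over the DNS rules Richard posted; the column order it assumes and the Rule, parse_rules and lint names are my own.

```python
# Added example, not from the thread: a checker that reads Shorewall-style rules
# lines and flags the two DNS mistakes discussed above: a DNAT for port 53 whose
# SOURCE is 'all' (the DNS server's own outbound queries get redirected straight
# back to it) and a rule with SOURCE PORT(S) pinned to 53 (it matches only
# clients that bind their local socket to 53, which resolvers do not do).
# Assumed column order: ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S).
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    action: str
    source: str
    dest: str
    proto: Optional[str] = None
    dport: Optional[str] = None
    sport: Optional[str] = None

def parse_rules(text: str) -> List[Rule]:
    """One Rule per non-empty, non-comment line; '-' or a missing column is None."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            cols = (cols + [None] * 6)[:6]
            rules.append(Rule(*[None if c == "-" else c for c in cols]))
    return rules

def lint(rules: List[Rule]) -> List[str]:
    """One finding per rule that matches a known misconfiguration; empty if clean."""
    out = []
    for r in rules:
        if r.action == "DNAT" and r.source == "all" and r.dport in ("53", "domain"):
            out.append(f"DNAT {r.proto} 53 from 'all' boomerangs the server's own queries; use SOURCE 'net'")
        if r.action in ("ACCEPT", "DNAT") and r.sport in ("53", "domain"):
            out.append(f"{r.action} {r.proto} 53 matches only clients bound to source port 53; clear SOURCE PORT(S)")
    return out

# The DNS-related rules as quoted in Richard's post, then the same rules with
# the two corrections applied (constructed here, not taken from the thread).
POSTED_RULES = """
DNAT    all  loc:inside  tcp  53  -
DNAT    all  loc:inside  udp  53  -
ACCEPT  all  all         tcp  53  53
ACCEPT  all  all         udp  53  53
"""
FIXED_RULES = """
DNAT    net  loc:inside  tcp  53
DNAT    net  loc:inside  udp  53
ACCEPT  all  all         tcp  53
ACCEPT  all  all         udp  53
"""
```

Running lint(parse_rules(POSTED_RULES)) yields four findings, one per posted DNS rule, and the corrected set yields none.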
Tom Eastep wrote:

> The above rules all DNS traffic everywhere BUT ONLY IF THE CLIENT BINDS TO
> LOCAL PORT 53. Ditch the entries in the SOURCE PORT(S) column.

The above sentence should begin "The above rules *allow* all DNS traffic..."

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
If you use bind9, should you have port 953 as well?

--- Richard Gutery <rgutery@MentorITS.com> wrote:

> Good day to all. I am still relatively new with Red Hat and Shorewall
> (the MS and OpenBSD worlds). I do persevere and had no problems with
> OpenBSD.
>
> Having said that, I am having a problem with DNS lookups being refused.
> I'm including my TOS and Rules for your review. Everything else works
> fine (Mail, Web, FTP etc), which confuses me. If my DNS connections were
> being refused, then how the heck do I get mail etc?
>
> TOS
>     net  loc  tcp  domain  -     16
>     net  loc  udp  domain  -     16
>     loc  net  tcp  domain  -     16
>     loc  net  udp  domain  -     16
>     net  loc  tcp  smtp    smtp  8
>     net  loc  tcp  pop3    pop3  8
>
> RULES (dnat)
>     DNAT  all  loc:inside  tcp  53    -
>     DNAT  all  loc:inside  udp  53    -
>     DNAT  net  loc:inside  tcp  smtp  -
>
> RULES (accept)
>     ACCEPT  all  all  tcp  53  53
>     ACCEPT  all  all  udp  53  53
>     ACCEPT  loc  fw   tcp  ssh
>
> Keep in mind that I've replaced my local IP schema with INSIDE, and
> included an example of SMTP DNATting.
>
> Also I have a slight problem with SMB. I can ping the SMB name, can
> view the share using net view (SMB name or IP), but the server does not
> show up in my net neighborhood. This is a later problem and is not
> important at this point (I'll fight through this one, but the DNS lookup
> is important).
>
> Thanks to all
>
> Richard