Hi Tom et al,

I have a problem that doesn't seem to fit in the documentation so here goes.

I have two linux boxes: firewall and search. firewall is running shorewall from the debian sarge packages. They both are running dns. firewall is the primary and search is the secondary. They both have internal and external views. So I set up the zone file transfer the way it is suggested by the bind documentation. Each server has two internal IP addresses: firewall has 192.168.50.1 and 192.168.50.100, the search box has 192.168.50.2 and 192.168.50.101. They transfer internal zone files perfectly via the 192.168.50.1/2 pair but I cannot get the 50.100/101 pair to talk to each other. In shorewall's syslog logs I am seeing reject notices between the two so I am assuming there is a rule I need to add. I guess my question is, does shorewall automatically know that all the interfaces on the firewall box are in the firewall zone?

Here is my rule set for port 53:

ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc net tcp 53
ACCEPT loc net udp 53
ACCEPT net fw tcp 53
ACCEPT net fw udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT fw loc tcp 53
ACCEPT fw loc udp 53

What am I missing here?

Thanks,
Sean

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> Hi Tom et al,
>
> I have a problem that doesn't seem to fit in the documentation so here goes.
>
> I have two linux boxes: firewall and search. firewall is running
> shorewall from the debian sarge packages. They both are running dns.
> firewall is the primary and search is the secondary. They both have
> internal and external views. So I set up the zone file transfer the way
> it is suggested by the bind documentation. Each server has two internal
> IP addresses: firewall has 192.168.50.1 and 192.168.50.100, the search
> box has 192.168.50.2 and 192.168.50.101. They transfer internal zone
> files perfectly via the 192.168.50.1/2 pair but I cannot get the
> 50.100/101 pair to talk to each other. In shorewall's syslog logs I am
> seeing reject notices between the two so I am assuming there is a rule I
> need to add. I guess my question is, does shorewall automatically know
> that all the interfaces on the firewall box are in the firewall zone?
> Here is my rule set for port 53:
>
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53
> ACCEPT loc net tcp 53
> ACCEPT loc net udp 53
> ACCEPT net fw tcp 53
> ACCEPT net fw udp 53
> ACCEPT loc fw tcp 53
> ACCEPT loc fw udp 53
> ACCEPT fw loc tcp 53
> ACCEPT fw loc udp 53
>
> What am I missing here?
>
> Thanks,
> Sean

Can you do a "ping -I 192.168.50.100 192.168.50.101" ?
Post the reject, if it gets logged.

Jerry
Jerry Vonau wrote:

> Can you do a "ping -I 192.168.50.100 192.168.50.101" ?
> Post the reject, if it gets logged.
>
> Jerry

firewall:/var/log# ping -I 192.168.50.100 192.168.50.101
PING 192.168.50.101 (192.168.50.101) from 192.168.50.100 : 56(84) bytes of data.
64 bytes from 192.168.50.101: icmp_seq=1 ttl=64 time=0.444 ms
64 bytes from 192.168.50.101: icmp_seq=2 ttl=64 time=0.167 ms
64 bytes from 192.168.50.101: icmp_seq=3 ttl=64 time=0.109 ms

search01:~# ping -I 192.168.50.101 192.168.50.100
PING 192.168.50.100 (192.168.50.100) from 192.168.50.101 : 56(84) bytes of data.
64 bytes from 192.168.50.100: icmp_seq=1 ttl=64 time=0.214 ms
64 bytes from 192.168.50.100: icmp_seq=2 ttl=64 time=0.098 ms
64 bytes from 192.168.50.100: icmp_seq=3 ttl=64 time=0.155 ms

From search:

Aug 11 09:27:22 localhost named[6115]: zone 243.235.66.in-addr.arpa/IN: refresh: retry limit for master 192.168.50.100#53 exceeded
Aug 11 09:27:22 localhost named[6115]: zone families.com/IN: refresh: retry limit for master 192.168.50.100#53 exceeded
Jerry Vonau wrote:

> Can you do a "ping -I 192.168.50.100 192.168.50.101" ?
> Post the reject, if it gets logged.
>
> Jerry

Uhh, never mind..... sometimes it just takes somebody else to ask a question to figure it out. bind wasn't listening on the ip address. My bad. I'll go back to my hole now.

Thanks Anyway,
Sean
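The root cause Sean found (named not bound on the address the secondary polls as master) can be checked mechanically before touching the firewall rules. The following is an added example, not code from the thread or from shorewall/bind: it parses the "retry limit for master" lines named logs on the secondary, then compares each master address:port against a listener table in the address:port form that `ss -lntu` or `netstat -ln` print on the master host. The log lines and listener tables below are constructed to mirror the thread.

```python
import re

# Constructed copies of the named log lines posted from the secondary ("search").
NAMED_LOG = """\
Aug 11 09:27:22 localhost named[6115]: zone 243.235.66.in-addr.arpa/IN: refresh: retry limit for master 192.168.50.100#53 exceeded
Aug 11 09:27:22 localhost named[6115]: zone families.com/IN: refresh: retry limit for master 192.168.50.100#53 exceeded
"""

# Constructed listener tables for the master ("firewall"), address:port per socket.
# LISTENERS_BAD models the thread's situation: named is bound on .1 but not on .100.
LISTENERS_BAD = ["192.168.50.1:53", "127.0.0.1:53", "0.0.0.0:22"]
# LISTENERS_GOOD models named listening on the wildcard, which covers .100 as well.
LISTENERS_GOOD = ["0.0.0.0:53", "0.0.0.0:22"]

MASTER_RE = re.compile(
    r"zone (\S+)/IN: refresh: retry limit for master (\d+\.\d+\.\d+\.\d+)#(\d+) exceeded"
)


def masters_from_log(log):
    """Map each (master_ip, port) named gave up on to the zones it was refreshing."""
    masters = {}
    for line in log.splitlines():
        m = MASTER_RE.search(line)
        if m:
            masters.setdefault((m.group(2), int(m.group(3))), []).append(m.group(1))
    return masters


def is_bound(listeners, ip, port):
    """True if a socket listens on ip:port, or on the IPv4 wildcard for that port."""
    for entry in listeners:
        addr, _, p = entry.rpartition(":")
        if int(p) == port and addr in (ip, "0.0.0.0", "*"):
            return True
    return False


def unbound_masters(log, listeners):
    """Masters the secondary keeps retrying that have no listener on the master host.

    An empty list means the listener side is fine and the firewall is the next suspect."""
    return sorted(
        (ip, port, zones)
        for (ip, port), zones in masters_from_log(log).items()
        if not is_bound(listeners, ip, port)
    )
```

On a live master, `unbound_masters` would be fed the `ss -lntu` / `netstat -ln` address column; a non-empty result points at named's listen-on configuration rather than at a missing shorewall rule.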