Thanks all for the response to my problem. Outside interrupts made me set aside
the project temporarily.
Reading your input (one email of which was rejected by our email engine for
reasons unknown) the thinking seems to be that Apache can't resolve its virtual
hostnames. I had not originally installed the dnsmasq module, so did that.
However, there was no difference in performance. I then modified the hosts and
resolv.conf files for both the webserver and the firewall. I've tried a variety
of setups, none of which seem to make a difference.
Being really a novice at firewalls, I'm not sure just what should appear in the
hosts and resolv.conf files in this setup (I've set up servers before, but this
is the first firewall system). What exactly should each of these refer to? The
IPs I've assigned are:
web server 10.10.11.1
outside firewall 63.206.130.195
inside firewall to dmz 10.10.11.254
inside firewall to local 10.10.10.254
and the local machines are 10.10.10.1,2,3
There are also two nameservers provided by my ISP.
The documentation online is extensive and very good, almost too much of it to
get a quick answer. Do I need to make any changes in the rules to get the
firewall to aim stuff in the right direction? It all works except for the
virtual hosts.
Thanks for any suggestions you can make ...
rc
-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net on behalf of Tom Eastep
Sent: Mon 8/1/2005 8:01 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Apache Virtual Hosts Problem
Jerry Vonau wrote:
> I'll bet that apache can't resolve its own virtual hostnames, with the
> firewall in place, outbound dns request may be blocked, while without the
> firewall, the lookups complete. I'll guess the hosts file may not be set up
> for the virtual hosts, on the webserver. If you want to have apache resolve
> for the connecting ip, then you'll have to allow the traffic from the
> webserver to a dns server anyway.
>
And that server must resolve the ip address of the Apache host to the
correct external DNS name(s).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key