Hello,

I received a report from a user who can't connect to one edu.hk domain name. I checked, and all edu.hk domain names can't connect, but other .com, .org and .net names can connect. So I changed the local DNS to the ISP DNS, but the problem is still here.

Extraordinarily, our servers with NAT can connect to all edu.hk; I also tried not going through Shorewall, connecting a PC directly, and it can connect to edu.hk.

Does Shorewall have a problem with NAT?

Thanks
Tom Eastep
2008-Oct-30 14:49 UTC
Re: Local Lan computer can't connect to edu.hk domain name
Wilson Kwok wrote:
> Hello,
>
> I received a report from a user who can't connect to one edu.hk domain name. I
> checked, and all edu.hk domain names can't connect, but other .com, .org and
> .net names can connect. So I changed the local DNS to the ISP DNS, but the problem
> is still here.
>
> Extraordinarily, our servers with NAT can connect to all edu.hk; I also
> tried not going through Shorewall, connecting a PC directly, and it can connect to
> edu.hk.
>
> Does Shorewall have a problem with NAT?

No.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________
Wilson Kwok
2008-Oct-30 16:54 UTC
Re: Local Lan computer can't connect to edu.hk domain name
Dear Tom,

Could you give me some solution to fix it?

Thanks
Roberto C. Sánchez
2008-Oct-30 17:08 UTC
Re: Local Lan computer can't connect to edu.hk domain name
On Thu, Oct 30, 2008 at 09:54:30AM -0700, Wilson Kwok wrote:
> Dear Tom,
>
> Could you give me some solution to fix it?
>

Wilson,

Your original post does not contain any useful information. Please submit your query as specified here:

http://www.shorewall.net/support.htm

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Chuck Kollars
2008-Oct-30 18:41 UTC
Re: Local Lan computer can't connect to edu.hk domain name
> ...I received a report from a user who can't connect to one edu.hk domain name.
> I checked, and all edu.hk domain names can't connect, but other .com, .org
> and .net names can connect. ...

Just scanning, this sounds real familiar to me; I've had the same symptom several times: probably somewhere some sort of rule assumes (incorrectly) that all top-level domains are three characters. It works for the U.S. domains (.com, .edu, .org, .net, etc.) but chokes on domains in other countries, as usually in those cases the top-level (rightmost segment) domain is the two-letter country code.

Try some domains with names that end in, say, .au and see if they fail too. If so, the problem is somewhere that's still dealing with "domain names", not yet "IP addresses". Also try it from different locations (an end user computer, an administrative computer, the firewall itself), which may help locate the problem.

If the end user computers use Windows, execute `ipconfig -all` on a failing computer and see what the "DNS Servers" are. If the computers get their IP address from DHCP, they probably get their DNS Servers from DHCP too. So the DNS servers might not be what you think they are. (You might need to attend to the configuration of the DHCP server.)

What does a DNS diagnostic like `dig` say? Maybe debug output that describes every DNS server in the chain when there are recursive requests will help.

(I've no idea whether the erroneous rule is in a browser or an end user OS or a web filter or a DNS repeater or a DNS cacher or a firewall or ... In any case, I suspect you're right to look first at DNS and not suspect Shorewall or NAT unless quite a bit more evidence points in that direction:-)

thanks!
-Chuck Kollars
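The following is an added example, not part of the message above and not Shorewall code. It takes pass/fail lookup results gathered from several vantage points and checks whether the failures line up with the length of the top-level label, which is what the three-character-TLD hypothesis predicts. The two regular expressions, the vantage names and the hostnames are hypothetical, and the observations are constructed sample data.

```python
import re
from collections import defaultdict

# Hypothetical faulty rule of the kind suspected in the thread: it accepts a
# name only when the rightmost label is exactly three letters.
BUGGY_RULE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{3}$")
# Corrected form: the rightmost label may be 2 to 63 letters long.
FIXED_RULE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,63}$")

# Constructed observations: (vantage point, hostname, lookup succeeded?)
OBSERVATIONS = [
    ("lan-pc", "www.example.com", True),
    ("lan-pc", "www.example.org", True),
    ("lan-pc", "www.example.edu.hk", False),
    ("lan-pc", "www.example.com.au", False),
    ("dmz-server", "www.example.com", True),
    ("dmz-server", "www.example.edu.hk", True),
    ("dmz-server", "www.example.com.au", True),
]

def tld_length(name):
    """Length of the rightmost label, ignoring a trailing root dot."""
    return len(name.rstrip(".").rsplit(".", 1)[-1])

def failures_by_tld_length(observations):
    """Return {vantage: {tld length: (failed, total)}}."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for vantage, name, ok in observations:
        cell = table[vantage][tld_length(name)]
        cell[0] += 0 if ok else 1
        cell[1] += 1
    return {v: {n: tuple(c) for n, c in row.items()} for v, row in table.items()}

def suspect_vantages(observations):
    """Vantage points whose pass/fail pattern matches BUGGY_RULE exactly."""
    rows = defaultdict(list)
    for vantage, name, ok in observations:
        rows[vantage].append(bool(BUGGY_RULE.match(name.lower())) == ok)
    failed = {v for v, _, ok in observations if not ok}
    return sorted(v for v, hits in rows.items() if all(hits) and v in failed)

if __name__ == "__main__":
    for vantage, row in failures_by_tld_length(OBSERVATIONS).items():
        print(vantage, row)
    print("matches three-letter-TLD rule at:", suspect_vantages(OBSERVATIONS))
    print("fixed rule accepts edu.hk:", bool(FIXED_RULE.match("www.example.edu.hk")))
```

A vantage point reported by `suspect_vantages` is where to look for the name-handling component (resolver, DHCP-supplied DNS server, proxy or filter), since the packet path alone would not distinguish names by their TLD.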
Wilson Kwok
2008-Oct-31 00:44 UTC
Re: Local Lan computer can't connect to edu.hk domain name
Here's the Shorewall information:

Shorewall version: 3.0.7

Our network has three subnets, loc, net and dmz:

loc: 172.16.0.0/23
dmz: 192.168.0.0/24
net: 210.0.214.0/24

For security reasons I don't want to upload the Shorewall dump file. Is there another email address for uploading the dump file?

Thanks
Roberto C. Sánchez
2008-Oct-31 00:53 UTC
Re: Local Lan computer can't connect to edu.hk domain name
On Thu, Oct 30, 2008 at 05:44:21PM -0700, Wilson Kwok wrote:
> Here's the Shorewall information:
>
> Shorewall version: 3.0.7
>

This is ancient. You really need to upgrade.

Regards,

-Roberto
Tom Eastep
2008-Oct-31 02:12 UTC
Re: Local Lan computer can't connect to edu.hk domain name
Wilson Kwok wrote:
>
> For security reasons I don't want to upload the Shorewall dump file.
> Is there another email address for uploading the dump file?
>

Wilson -- must we go through this every time that you have a problem?

At http://www.shorewall.net/support.htm, it clearly states that if you want to submit information that you think is confidential then you send it to support@shorewall.net.

But as Roberto says, Shorewall 3.0.7 is not supported. So we will look at your report but we won't spend any extra time with it. Especially when your problem only involves certain DNS domains and therefore can have nothing to do with Shorewall.

-Tom