Michael D. Schleif wrote:
Matthew Schalit wrote:

<snip />

Please tell me you've added ipchains -l logging to every packet
        1)  inbound on dmz nic
        2)  outbound from dmz nic
        3)  inbound on internal nic
        4)  outbound on internal nic
        5)  forwarded by any forward rule

and repost the trail of a dns request from the dmz, judiciously snipping
and trimming if you please.

NOTE: I haven't yet figured out how to get the forward/MASQ chain to log
properly.

Working on this post some more...

As far as getting ipchains to log a forward rule, you just
add a -l the same way you do to any other ipchains rule.
That's the way I remember doing it, but I'm running iptables
now, and I can't check to be sure I'm remembering correctly.

Here is the log for czar (64.4.197.69) doing this:
	ping cdw.com
As you know, from previous posts, tinydns-public is on 64.4.197.65 . . .
Oct 10 22:59:51 bluetrout kernel: Packet log: input - eth1 PROTO=17 64.4.197.69:32780 64.4.222.157:53 L=53 S=0x00 I=128 F=0x4000 T=64 (#6)
Packet gets in eth1 via input rule 6.

Oct 10 22:59:52 bluetrout kernel: Packet log: output - eth1 PROTO=17 64.4.197.65:53 64.4.197.69:32780 L=85 S=0x00 I=30547 F=0x0000 T=64 (#5)
Packet got logged via output rule 5, but that looks like this:

Chain output (policy DENY: 97 packets, 19677 bytes):
 pkts bytes target     prot opt      ifname   source               destination           ports
   50  3496 ACCEPT     all  ------   eth1     12.248.253.86        64.4.197.69           n/a
    0     0 ACCEPT     all  ------   eth0     64.4.197.69          12.248.253.86         n/a
    0     0 ACCEPT     all  ------   eth0     12.248.253.86        64.4.197.69           n/a
    0     0 ACCEPT     all  ------   eth1     64.4.197.69          12.248.253.86         n/a
    3   292 -          all  ----l-   eth1     0.0.0.0/0            64.4.197.69           n/a
            ^^^^^^^
               |
               |
               |
  Will someone tell me please,
      Where's the ACCEPT?

Oct 10 22:59:52 bluetrout kernel: Packet log: input - eth1 PROTO=1 64.4.197.69:3 64.4.197.65:3 L=113 S=0xC0 I=26128 F=0x0000 T=255 (#6)


And you get a host unreachable or port unreachable like
Brad said, but we still need the forward rules to be logged
to see if there's anything else happening.

Regards,
Matthew
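An added example, not code from the thread: a small parser for the ipchains `Packet log:` records quoted above that pulls out the chain, the rule number and the target, so the "Where's the ACCEPT?" question can be read straight off the log. It assumes the standard ipchains record layout (a `-` target meaning the rule carried only `-l` and the packet continued down the chain, and for PROTO=1 the two port slots holding the ICMP type and code); the three sample lines are the ones from the post, rejoined onto one line each.

```python
import re

# Constructed sample: the three "Packet log:" lines quoted in the post above, one record per line.
SAMPLE_LOG = """\
Oct 10 22:59:51 bluetrout kernel: Packet log: input - eth1 PROTO=17 64.4.197.69:32780 64.4.222.157:53 L=53 S=0x00 I=128 F=0x4000 T=64 (#6)
Oct 10 22:59:52 bluetrout kernel: Packet log: output - eth1 PROTO=17 64.4.197.65:53 64.4.197.69:32780 L=85 S=0x00 I=30547 F=0x0000 T=64 (#5)
Oct 10 22:59:52 bluetrout kernel: Packet log: input - eth1 PROTO=1 64.4.197.69:3 64.4.197.65:3 L=113 S=0xC0 I=26128 F=0x0000 T=255 (#6)
"""

# ipchains -l record: chain, target ("-" when the rule has no -j), interface, protocol,
# src:port, dst:port, length, TOS, IP id, fragment flags, TTL, matching rule number.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<ifname>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) "
    r"\(#(?P<rule>\d+)\)")

ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}

def parse_line(line):
    """Fields of one Packet log line as a dict, or None if the line is not one."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    d = m.groupdict()
    rec = {k: d[k] for k in ("chain", "target", "ifname", "src", "dst")}
    rec.update(proto=int(d["proto"]), length=int(d["len"]), ttl=int(d["ttl"]), rule=int(d["rule"]))
    if rec["proto"] == 1:  # for ICMP the two "port" slots carry type and code
        rec["icmp_type"], rec["icmp_code"] = int(d["sport"]), int(d["dport"])
    else:
        rec["sport"], rec["dport"] = int(d["sport"]), int(d["dport"])
    # "-" target: the rule only logged (-l) and the packet went on to later rules in the chain
    rec["log_only"] = rec["target"] == "-"
    return rec

def describe(rec):
    """Human-readable verdict: which chain/rule matched, what flow, what happened to it."""
    if rec["proto"] == 1:
        flow = "%s -> %s ICMP type %d code %d" % (rec["src"], rec["dst"], rec["icmp_type"], rec["icmp_code"])
        if rec["icmp_type"] == 3:
            flow += " (%s)" % ICMP_UNREACH.get(rec["icmp_code"], "unreachable")
    else:
        flow = "%s:%d -> %s:%d proto %d" % (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])
    verdict = "logged only, continued down chain" if rec["log_only"] else "target " + rec["target"]
    return "%s/%s rule #%d: %s [%s]" % (rec["chain"], rec["ifname"], rec["rule"], flow, verdict)

def trail(log_text):
    """Every Packet log record in a syslog excerpt, in order, so the packet path can be read off."""
    return [parse_line(l) for l in log_text.splitlines() if "Packet log:" in l]
```

Run `for r in trail(SAMPLE_LOG): print(describe(r))` to see the three records decoded; the second one shows the `-` target of output rule 5, which is why no ACCEPT appears in that log line.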

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html