Hi Mikkel
On Sun, 31 Dec 2000, Mikkel L. Ellertson wrote:
> What do your firewall rules for port 53 look like,
OK, this is (effectively) what my firewall does (I cut out the chaff):
$IPCHAINS -I input 1 -i $LOCALIF -y -p TCP --destination-port 53 -j ACCEPT
$IPCHAINS -I input 1 -i $LOCALIF -p UDP --destination-port 53 -j ACCEPT
$IPMASQADM portfw -a -P tcp -L $LOCALIP 53 -R 192.168.2.2 5553
$IPMASQADM portfw -a -P udp -L $LOCALIP 53 -R 192.168.2.2 5553
Here is what it looks like in action:
[root@gw /root]# ipchains -nL | grep 53
ACCEPT udp ------ 0.0.0.0/0 0.0.0.0/0 * -> 53
ACCEPT tcp -y---- 0.0.0.0/0 0.0.0.0/0 * -> 53
[root@gw /root]# ipchains -M -nL | grep 53
UDP 38:03.77 192.168.2.2 a.b.c.d 5553 (53) -> 62504
UDP 110:34.98 192.168.2.2 a.b.c.d 5553 (53) -> 1668
UDP 108:58.98 192.168.2.2 207.226.80.1 1031 (61473) -> 5553
UDP 02:17.67 192.168.2.2 207.226.80.1 1030 (61472) -> 5553
UDP 119:56.01 192.168.2.2 207.226.80.1 53 (61474) -> 5553
[root@gw /root]# ipmasqadm portfw -l | grep 53
UDP fwall-outside 192.168.2.2 domain 5553 9 10
TCP fwall-outside 192.168.2.2 domain 5553 10 10
The internal DNS server is on port 5553 (sorry, should have mentioned that
earlier). 207.226.80.1 is my ISP's DNS server, 192.168.2.2 is the internal
DNS server, and a.b.c.d is the firewall.
> and what does your
> named.conf file look like? Depending on your named.conf file, you are
> probably not using port 53 for outgoing lookups. So your firewall is
> probably not forwarding the response to the machine inside the firewall.
>
> Try changing:
> /* query-source address * port 53; */
> to
> query-source address * port 53;
>
> in /etc/named.conf and see if that fixes the problem. If it does, then
> you can consider if you want to keep this configuration, or fix your
> firewall rules.
I had tried that previously (before trying it on the firewall). It didn't
help then or now. Anyway, here is my named.conf:
options {
    directory "/var/named";
    listen-on port 5553 { 192.168.2/24; };
    pid-file "/var/run/named.external.pid";
    version "you're kidding right?";
    forwarders {
        207.226.80.1;
        4.21.64.1;
    };
    query-source address * port 53;
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "148.219.63.in-addr.arpa" IN {
    type master;
    file "148.219.63.in-addr.arpa";
    allow-update { none; };
};

zone "fauxcalpointe.com" IN {
    type master;
    file "fauxcalpointe.com";
};

zone "galpin.net" IN {
    type master;
    file "galpin.net";
};
yada yada yada
thanks
charles
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
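As an added example (not part of the thread, and not code from either poster), the following Python script parses the `ipchains -M -nL` masquerade-table lines quoted in the post and checks each DNS flow against the design the post describes: the internal server on 192.168.2.2:5553 answers clients through the portfw rule, and forwards queries to the forwarders listed in named.conf, which should be reached on port 53. It reads the columns as ipchains prints them (protocol, expiry, source, destination, source port, masquerade port in parentheses, destination port). The site constants, the labels `answer`/`forward`/`suspect`, and the decision to flag a forwarder contacted on any port other than 53 are my assumptions for illustration, not a diagnosis stated by the thread.

```python
"""Audit `ipchains -M -nL` masquerade entries for DNS flows.

Added example for illustration; the sample lines are copied from the
mailing-list post above, the expectations below are assumptions.
"""
import re
from dataclasses import dataclass

# Output of `ipchains -M -nL | grep 53` as quoted in the post (a.b.c.d is
# the poster's placeholder for the firewall's external address).
MASQ_OUTPUT = """\
UDP 38:03.77 192.168.2.2 a.b.c.d 5553 (53) -> 62504
UDP 110:34.98 192.168.2.2 a.b.c.d 5553 (53) -> 1668
UDP 108:58.98 192.168.2.2 207.226.80.1 1031 (61473) -> 5553
UDP 02:17.67 192.168.2.2 207.226.80.1 1030 (61472) -> 5553
UDP 119:56.01 192.168.2.2 207.226.80.1 53 (61474) -> 5553
"""

# Assumed site parameters, taken from the post and its named.conf.
INTERNAL_DNS = "192.168.2.2"        # internal BIND server
INTERNAL_DNS_PORT = 5553            # its non-standard listen-on port
FORWARDERS = {"207.226.80.1", "4.21.64.1"}
UPSTREAM_DNS_PORT = 53              # port a forwarder is expected to be reached on

# prot  expire  source  destination  sport (masqport) -> dport
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<expire>[\d:.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+\((?P<masq>\d+)\)\s+->\s+(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class MasqEntry:
    proto: str
    src: str
    dst: str
    sport: int
    masq_port: int
    dport: int


def parse_masq_table(text):
    """Parse masquerade-table lines; headers and unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(MasqEntry(m["proto"], m["src"], m["dst"],
                                 int(m["sport"]), int(m["masq"]), int(m["dport"])))
    return entries


def classify(entry):
    """Label an entry relative to the intended DNS design (assumed labels).

    answer  : internal server replying from its listen port to a client
    forward : internal server querying a forwarder on port 53 (expected)
    suspect : internal server reaching a forwarder on some other port
    other   : not a flow involving the internal DNS server
    """
    if entry.src != INTERNAL_DNS:
        return "other"
    if entry.dst in FORWARDERS:
        return "forward" if entry.dport == UPSTREAM_DNS_PORT else "suspect"
    if entry.sport == INTERNAL_DNS_PORT:
        return "answer"
    return "other"


def audit(text):
    """Return (label counts, list of suspect entries) for a masq-table dump."""
    counts = {"answer": 0, "forward": 0, "suspect": 0, "other": 0}
    suspects = []
    for entry in parse_masq_table(text):
        label = classify(entry)
        counts[label] += 1
        if label == "suspect":
            suspects.append(entry)
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = audit(MASQ_OUTPUT)
    print(counts)
    for e in suspects:
        print(f"{e.proto} {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              f"(masqueraded as port {e.masq_port})")
```

Run against the quoted lines, the two entries towards a.b.c.d are classified as answers flowing back to clients, while the three entries towards the ISP forwarder are flagged because their destination port is 5553 rather than 53; whether that is the cause of the poster's problem is for the thread to decide, the script only makes the mismatch between the configured forwarder port and the observed flows visible.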