Re: [Cooker-firewall] Bind behind MDK SNF - eventually ntp

2001-12-11 Thread Florin

Joseph Watson [EMAIL PROTECTED] writes:

 Hello,
 
   I am using Mandrake's SNF, and am trying to get bind working
 behind this firewall using port forwarding and forwarding port 53, both
 udp and tcp, through to my bind server.  In testing, outgoing connections
 through this firewall by both the server and clients worked great.  But
 any server or client on the internet trying to access my DNS server got no
 response???  I noticed packets being denied on the firewall that were up in
 the 65000 range, but dismissed this as something else.  But I just came
 across something that made me think this may be linked.  I found the
 following snip in the default /etc/named.conf file that came with a
 Mandrake 8.1 install:
 
  /*
   * If there is a firewall between you and nameservers you want
   * to talk to, you might need to uncomment the query-source
   * directive below.  Previous versions of BIND always asked
   * questions using port 53, but BIND 8.1 uses an unprivileged
   * port by default.
   */
  // query-source address * port 53;
 
 This seems to be self-explanatory, but how do I open up the unprivileged
 ports to make this work, or am I seeing this thing wrong??

Hello, 

You have found an interesting subject about the old SNF firewall. :o)

First, let me laugh while reading that some people have switched right
away to RedHat. This sounds like blackmail. :o)

Please have in mind that the SNF was designed for small offices and
therefore a public DNS was not considered to be a priority.

It appears that one cannot do UDP port forwarding with SNF using the web
interface.  Unless you want me to do a patch and update the packages :o)

Why doesn't it work?

For the port forwarding we're using ipvsadm and a nice program called
iptoip which uses an xml configuration file called /etc/iptoip.xml.

The problem is that iptoip was using only the TCP protocol. This was
hard-coded in the /usr/sbin/iptoip perl script: 

Check this out:

sub update_ipvs {   ## update the ipvsadm table with the
                    ## specified $ip, $DEST_IP and $PORT
    # "-A -t" adds a TCP virtual service; "-a -t ... -m" adds the
    # masqueraded (NAT) real server behind it.  Note the -t: only TCP.
    system "/sbin/ipvsadm -A -t $ip:$PORT -s wlc";
    system "/sbin/ipvsadm -a -t $ip:$PORT -r $DEST_IP:$PORT -m";
}

How can this be done then, you may ask?

Answer? For the moment this can be done by hand. :)

You can simply edit the /etc/sysconfig/lvs file on an old SNF.

Here is an example:

10.1.1.1 is the external address of the firewall and 
192.168.10.2 is the address of the DNS, somewhere inside the local LAN. 

# forward the ssh connections
-A -t 10.1.1.1:22 -s rr
-a -t 10.1.1.1:22 -r 192.168.10.2:22 -m -w 1

#forward the domain, DNS, used in the case of a DNS client
-A -u 10.1.1.1:53 -s rr
-a -u 10.1.1.1:53 -r 192.168.10.2:53 -m -w 1

(you might not need the last section)
#forward the domain, DNS, used in the case of a DNS server for zone transfers
-A -t 10.1.1.1:53 -s rr
-a -t 10.1.1.1:53 -r 192.168.10.2:53 -m -w 1
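As an added illustration (not from Florin's post or the SNF packages), this small POSIX shell script generates the /etc/sysconfig/lvs lines above for any forwarded service with both protocols, instead of hard-coding TCP the way the iptoip script did, and includes a check that a rule set really carries the UDP entry DNS clients need. The IPs and ports are the ones used in the example above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Emit /etc/sysconfig/lvs lines (i.e. ipvsadm argument lists) for one
# forwarded service.  Flags as in the hand-written example above:
#   -A/-a  add virtual service / add real server behind it
#   -t/-u  TCP / UDP    -s rr  round-robin scheduler
#   -r     real (internal) server   -m  masquerade (NAT)   -w  weight
#
# usage: lvs_rules EXTERNAL_IP INTERNAL_IP PORT PROTO [PROTO...]
lvs_rules() {
    ext="$1"; int="$2"; port="$3"; shift 3
    for proto in "$@"; do
        case "$proto" in
            tcp) flag=-t ;;
            udp) flag=-u ;;
            *) echo "lvs_rules: unsupported protocol '$proto'" >&2; return 1 ;;
        esac
        echo "-A $flag $ext:$port -s rr"
        echo "-a $flag $ext:$port -r $int:$port -m -w 1"
    done
}

# Turn rule lines (stdin) into the commands the iptoip script should have
# run: one /sbin/ipvsadm invocation per line, protocol taken from the line.
lvs_commands() {
    while IFS= read -r line; do
        echo "/sbin/ipvsadm $line"
    done
}

# Check (stdin = rule lines) that PORT has a UDP real-server entry; this is
# exactly what was missing for DNS when only TCP was forwarded.
has_udp_forward() {
    grep -q -- "^-a -u [^ ]*:$1 -r "
}

# Constructed sample run: DNS needs both, ssh needs TCP only.
lvs_rules 10.1.1.1 192.168.10.2 53 tcp udp
lvs_rules 10.1.1.1 192.168.10.2 22 tcp
```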


OK, how do I check what I forward?

[root@oldSNF /root]# ipvsadm -L
IP Virtual Server version 1.0.6 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  sunlight.mandrakesoft.com:domain rr
  -> 192.168.10.2:domain          Masq    1      0          0
UDP  sunlight.mandrakesoft.com:domain rr
  -> 192.168.10.2:domain          Masq    1      0          0
TCP  sunlight.mandrakesoft.com:ssh wlc
  -> 192.168.10.2:ssh             Masq    1      0          0

You may now check this from the external LAN using dig or the obsolete
nslookup, etc.

This method may apply to NTP as well (UDP and TCP port 123).

All comments are welcome,
-- 
Florin  http://www.mandrakesoft.com




[Cooker-firewall] Bind behind MDK SNF

2001-12-08 Thread Joseph Watson

Hello,

I am using Mandrake's SNF, and am trying to get bind working behind this
firewall using port forwarding and forwarding port 53, both udp and tcp,
through to my bind server.  In testing, outgoing connections through this
firewall by both the server and clients worked great.  But any server or
client on the internet trying to access my DNS server got no response???  I
noticed packets being denied on the firewall that were up in the 65000 range,
but dismissed this as something else.  But I just came across something
that made me think this may be linked.  I found the following snip in
the default /etc/named.conf file that came with a Mandrake 8.1 install:

  /*
   * If there is a firewall between you and nameservers you want
   * to talk to, you might need to uncomment the query-source
   * directive below.  Previous versions of BIND always asked
   * questions using port 53, but BIND 8.1 uses an unprivileged
   * port by default.
   */
  // query-source address * port 53;


This seems to be self-explanatory, but how do I open up the unprivileged
ports to make this work, or am I seeing this thing wrong??

If someone could give me some ideas it would be great!!

Thanks,

Joseph






RE: [Cooker-firewall] Bind behind MDK SNF

2001-12-08 Thread Michael Segulja

I am having the same exact problem as you.  I have installed Mandrake
SNF at work where I am basically rebuilding the entire network, and I
cannot get DNS to work from the outside AT ALL.  I have actually
disabled the bastille-firewall script in startup, and execute my own
ipchains rules after the firewall boots.  I still cannot get DNS to work
from the outside to get to our company website on the internal LAN.  I
am using tcpdump to sniff the external interface on the firewall, and I
can see a DNS request coming from the Netzero account I am dialing in
with to test.  I then see a message that says the UDP port 53 is
unreachable, even though I have completely opened everything on the
firewall.  I have also tried uncommenting the line below in the other
poster's quote from the /etc/named.conf file, but still get the same
results.

Since time is an issue here, I have solved my problem by formatting
the hard drive and installing Redhat to set up my own chains manually.
I would like to go back to SNF because I like the web interface, but I
can't get anywhere with it if I cannot get past this problem.

Anybody have any ideas?  I have seen a lot of postings in the last
couple weeks from people that have had problems with DNS type services
on SNF.  It makes me wonder if something is broken within it somewhere?


Thanks,

Michael

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Joseph
Watson
Sent: Saturday, December 08, 2001 8:48 AM
To: Cooker Firewall
Subject: [Cooker-firewall] Bind behind MDK SNF

Hello,

I am using Mandrake's SNF, and am trying to get bind working behind this
firewall using port forwarding and forwarding port 53, both udp and tcp,
through to my bind server.  In testing, outgoing connections through this
firewall by both the server and clients worked great.  But any server or
client on the internet trying to access my DNS server got no response???  I
noticed packets being denied on the firewall that were up in the 65000 range,
but dismissed this as something else.  But I just came across something
that made me think this may be linked.  I found the following snip in
the default /etc/named.conf file that came with a Mandrake 8.1 install:

  /*
   * If there is a firewall between you and nameservers you want
   * to talk to, you might need to uncomment the query-source
   * directive below.  Previous versions of BIND always asked
   * questions using port 53, but BIND 8.1 uses an unprivileged
   * port by default.
   */
  // query-source address * port 53;


This seems to be self-explanatory, but how do I open up the unprivileged
ports to make this work, or am I seeing this thing wrong??

If someone could give me some ideas it would be great!!

Thanks,

Joseph