Re: BIND and iptables config

2018-02-22 Thread David Wright
On Fri 16 Feb 2018 at 08:53:27 (-0500), Henning Follmann wrote:
> On Fri, Feb 16, 2018 at 04:26:14AM +0100, Rodary Jacques wrote:
> > On Thursday 15 February 2018, 11:44:36 CET, Henning Follmann wrote:
> > > On Thu, Feb 15, 2018 at 05:01:52PM +0100, Rodary Jacques wrote:
> > > > With NetworkManager, /etc/network/interfaces has only the loopback
> > > > interface, and I can't use wicd which can't deal with two wired
> > > > interfaces. And, Henning Follmann, my English is too poor to explain
> > > > clearly my setup which is the standard one when your ISP gives you one
> > > > routable address and you want your home LAN to have access to internet.
> > > > Thanks for your interest anyway.
> > > > Jacques
> > > > 
> > > 
> > > Hello,
> > > no, your English was good enough to describe your setup. And I would say
> > > that 90% of "us" have a form of "dialup" with one routable IP address and a
> > > NAT setup.
> > > First, bind is not "standard" in this kind of situation and makes things
> > > overly complicated. I would recommend dnsmasq instead. It is much more
> > > straightforward for a NAT box to set up. It will also provide you with a
> > > DHCP server.
> > > And in your situation you also want to disable/avoid the NetworkManager.
> > I told you before that wicd can't deal with two wired interfaces.
> 
> That is not true, but let's ignore this for now.

I would be interested to know how you do this. I can't even see a way
to make wicd make connections on two interfaces at the same time where
one is wired and the other wireless. As soon as you select one
interface, the other gets disconnected. Do you have some CLI magic
that makes it keep the first connection going?

Cheers,
David.



Re: Re: BIND and iptables config

2018-02-19 Thread Rodary Jacques
Because when I did, when I had just installed Jessie in April 2016, my
mailbox which is dedicated to debian-user was flooded with useless or even
stupid posts. Sorry for my fellow countrymen.
Salut. Jacques
 



Re: BIND and iptables config

2018-02-16 Thread Henning Follmann
On Fri, Feb 16, 2018 at 04:26:14AM +0100, Rodary Jacques wrote:
> On Thursday 15 February 2018, 11:44:36 CET, Henning Follmann wrote:
> > On Thu, Feb 15, 2018 at 05:01:52PM +0100, Rodary Jacques wrote:
> > > With NetworkManager, /etc/network/interfaces has only the loopback
> > > interface, and I can't use wicd which can't deal with two wired
> > > interfaces. And, Henning Follmann, my English is too poor to explain
> > > clearly my setup which is the standard one when your ISP gives you one
> > > routable address and you want your home LAN to have access to internet.
> > >   Thanks for your interest anyway.
> > >   Jacques
> > > 
> > 
> > Hello,
> > no, your English was good enough to describe your setup. And I would say
> > that 90% of "us" have a form of "dialup" with one routable IP address and a
> > NAT setup.
> > First, bind is not "standard" in this kind of situation and makes things
> > overly complicated. I would recommend dnsmasq instead. It is much more
> > straightforward for a NAT box to set up. It will also provide you with a
> > DHCP server.
> > And in your situation you also want to disable/avoid the NetworkManager.
> I told you before that wicd can't deal with two wired interfaces.

That is not true, but let's ignore this for now.

> > It is quite easy because every device you list in /e/n/i
> I don't know (with my poor English :-)) what is /e/n/i

Again your English is fine it's me being lazy.
/e/n/i is short for /etc/network/interfaces
This is the "old" way to configure your network interfaces.
 
> > will be
> > automatically ignored by the NetworkManager.
> > And clearly, just because you have difficulties in setting this up doesn't
> > make all of this a bug.
> I don't find it normal to try to use interfaces before they are up! It's
> obviously not a bug, but it's just telling users they shouldn't try to
> understand. When I first tried Debian in April 2016, with Jessie, I read in
> the bind9 doc something like "there are some issues about changing bind9
> configuration, as future upgrades will lose your changes", without any more
> details.

Again, everything is behaving as expected. It is how you do things. And to
repeat myself, bind is not best in this situation. But if you insist on
using bind, make sure it listens on your inside network interface, which
should be up without delay. You do not want (and most likely neither does
your ISP) a full recursive resolver on your public interface.

You insisting on sticking to this setup because you already invested too much
time in it is kind of stubborn (and I thought that was a German trait). You
either have to invest a lot more time to understand this or you could
switch to something more suited like dnsmasq.

> > Also I want to mention that to set up a router with Red Hat or with Debian is
> > possible, but there are distributions which are much more suited for this
> > purpose.
> I switched to Debian not to find it easier (Redhat wasn't) but because of
> safety and coherence.
> But NetworkManager, which was on Fedora long before it was on Debian, did not
> do the stupid things it does with resolv.conf and interfaces.

You most likely have resolvconf installed which updates /etc/resolv.conf.
Anything you change in there will be overwritten whenever something happens
on any network device.

> > I personally like pfsense and opnsense. Both are based on BSD but
> > they are excellent for SOHO routing.
> Thanks to Wikipedia, I understood SOHO :-D

And have you looked up OPNSense or pfsense?


-H



-- 
Henning Follmann   | hfollm...@itcfollmann.com
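
Henning's point above, that a recursive named on a NAT box should listen on
the inside interface only and never recurse for the public side, as an added
worked example. This is not his configuration, nor the one Debian's bind9
package ships: the two named.conf.options fragments and the check over them
are written here for illustration, and 192.168.1.1 / 192.168.1.0/24 are
assumed LAN addresses.

```shell
#!/bin/sh
# Added example (not from the thread): a weak and a hardened
# named.conf.options for a NAT box, plus a check for the settings that
# expose named as a recursive resolver on the ISP-facing side.
# 192.168.1.1 and 192.168.1.0/24 are assumed LAN addresses for the demo.

weak=$(mktemp); hardened=$(mktemp)

# Weak: binds every address the box has (WAN included) and recurses for anyone.
cat > "$weak" <<'EOF'
options {
    directory "/var/cache/bind";
    listen-on { any; };
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
EOF

# Hardened: bind to loopback and the LAN address only; recurse only for LAN clients.
cat > "$hardened" <<'EOF'
acl lan { 127.0.0.1; 192.168.1.0/24; };
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { none; };   // set explicitly; the default depends on the BIND version
    allow-query { lan; };
    allow-recursion { lan; };
    recursion yes;
};
EOF

# Usage: acl_value FILE OPTION -> address list inside "OPTION { ... };", spaces removed.
# Only single-line option statements are handled, which is enough for these fragments.
acl_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*{\(.*\)};.*/\1/p" "$1" | tr -d ' '
}

# Usage: open_resolver_findings FILE -> one finding per line; prints nothing if clean.
# BIND defaults: listen-on and allow-query are "any", allow-recursion is localnets/localhost,
# so a missing listen-on or allow-query is as bad as an explicit "any".
open_resolver_findings() {
    lo=$(acl_value "$1" listen-on)
    rec=$(acl_value "$1" allow-recursion)
    q=$(acl_value "$1" allow-query)
    [ -z "$lo" ] || [ "$lo" = "any;" ] && echo "listen-on unrestricted: named also binds the WAN address"
    [ "$rec" = "any;" ]               && echo "allow-recursion any: open recursive resolver"
    [ -z "$q" ] || [ "$q" = "any;" ]   && echo "allow-query unrestricted: cache and zones answerable from anywhere"
    return 0
}

for f in "$weak" "$hardened"; do
    echo "== $f"
    open_resolver_findings "$f"   # three findings for the weak file, none for the hardened one
done
```

The check is deliberately narrow: it flags only the knobs that decide whether
the WAN side can reach the resolver at all (listen-on) and whether it will
recurse for strangers (allow-recursion, allow-query). named-checkconf is still
the tool for syntax. Note that binding to 192.168.1.1 only works if the LAN
interface already has that address when named starts, which is exactly why
the inside interface has to be up before bind9.service; and since the box
already runs netfilter for SNAT, dropping inbound 53/udp and 53/tcp on the WAN
interface is a second, independent layer in case the listen-on list is ever
loosened.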



Re: BIND and iptables config

2018-02-16 Thread rhkramer
On Thursday, February 15, 2018 10:26:14 PM Rodary Jacques wrote:
> On Thursday 15 February 2018, 11:44:36 CET, Henning Follmann wrote:
> > On Thu, Feb 15, 2018 at 05:01:52PM +0100, Rodary Jacques wrote:
> > > With NetworkManager, /etc/network/interfaces has only the loopback
> > > interface, and I can't use wicd which can't deal with two wired
> > > interfaces. And, Henning Follmann, my English is too poor to explain
> > > clearly my setup which is the standard one when your ISP gives you one
> > > routable address and you want your home LAN to have access to
> > > internet.

I don't understand--what are the two wired interfaces that you have connected 
to your computer?

> > Hello,
> > no, your English was good enough to describe your setup. And I would say
> > that 90% of "us" have a form of "dialup" with one routable IP address and
> > a NAT setup.
> > First, bind is not "standard" in this kind of situation and makes things
> > overly complicated. I would recommend dnsmasq instead. It is much more
> > straightforward for a NAT box to set up. It will also provide you with a
> > DHCP server.
> > And in your situation you also want to disable/avoid the NetworkManager.
> 
> I told you before that wicd can't deal with two wired interfaces.
> 
> > It is quite easy because every device you list in /e/n/i

Based on context, I would say that is a difficult to understand attempt at 
abbreviating /etc/network/interfaces, especially to offer for someone with 
limited English skills.

I hope you are not giving up (I got the idea you might based on your previous 
post)--I'm not sure I can help you, but I think someone will be able to.



Re: BIND and iptables config

2018-02-15 Thread Rodary Jacques
On Thursday 15 February 2018, 11:44:36 CET, Henning Follmann wrote:
> On Thu, Feb 15, 2018 at 05:01:52PM +0100, Rodary Jacques wrote:
> > With NetworkManager, /etc/network/interfaces has only the loopback
> > interface, and I can't use wicd which can't deal with two wired interfaces.
> > And, Henning Follmann, my English is too poor to explain clearly my setup
> > which is the standard one when your ISP gives you one routable address and
> > you want your home LAN to have access to internet.
> > Thanks for your interest anyway.
> > Jacques
> > 
> 
> Hello,
> no, your English was good enough to describe your setup. And I would say
> that 90% of "us" have a form of "dialup" with one routable IP address and a
> NAT setup.
> First, bind is not "standard" in this kind of situation and makes things
> overly complicated. I would recommend dnsmasq instead. It is much more
> straightforward for a NAT box to set up. It will also provide you with a
> DHCP server.
> And in your situation you also want to disable/avoid the NetworkManager.
I told you before that wicd can't deal with two wired interfaces.
> It is quite easy because every device you list in /e/n/i
I don't know (with my poor English :-)) what is /e/n/i
> will be
> automatically ignored by the NetworkManager.
> And clearly, just because you have difficulties in setting this up doesn't
> make all of this a bug.
I don't find it normal to try to use interfaces before they are up! It's
obviously not a bug, but it's just telling users they shouldn't try to
understand. When I first tried Debian in April 2016, with Jessie, I read in the
bind9 doc something like "there are some issues about changing bind9
configuration, as future upgrades will lose your changes", without any more
details.
> Also I want to mention that to set up a router with Red Hat or with Debian is
> possible, but there are distributions which are much more suited for this
> purpose.
I switched to Debian not to find it easier (Redhat wasn't) but because of
safety and coherence.
But NetworkManager, which was on Fedora long before it was on Debian, did not
do the stupid things it does with resolv.conf and interfaces.
> I personally like pfsense and opnsense. Both are based on BSD but
> they are excellent for SOHO routing. 
Thanks to Wikipedia, I understood SOHO :-D
> 
> -H
Have a good day (or night).
JR



Re: BIND and iptables config

2018-02-15 Thread Rodary Jacques
On Thursday 15 February 2018, 11:44:36 CET, Henning Follmann wrote:
> On Thu, Feb 15, 2018 at 05:01:52PM +0100, Rodary Jacques wrote:
> > With NetworkManager, /etc/network/interfaces has only the loopback
> > interface, and I can't use wicd which can't deal with two wired interfaces.
> > And, Henning Follmann, my English is too poor to explain clearly my setup
> > which is the standard one when your ISP gives you one routable address and
> > you want your home LAN to have access to internet.
> > Thanks for your interest anyway.
> > Jacques
> > 
> 
> Hello,
> no, your English was good enough to describe your setup. And I would say
> that 90% of "us" have a form of "dialup" with one routable IP address and a
> NAT setup.
> First, bind is not "standard" in this kind of situation and makes things
> overly complicated. I would recommend dnsmasq instead. It is much more
> straightforward for a NAT box to set up. It will also provide you with a
> DHCP server.
> And in your situation you also want to disable/avoid the NetworkManager.
> It is quite easy because every device you list in /e/n/i will be
> automatically ignored by the NetworkManager.
> And clearly, just because you have difficulties in setting this up doesn't
> make all of this a bug.
> 
> Also I want to mention that to set up a router with Red Hat or with Debian is
> possible, but there are distributions which are much more suited for this
> purpose. I personally like pfsense and opnsense. Both are based on BSD but
> they are excellent for SOHO routing. 
> 

I had quite enough  problems setting this config to try something else. Thank 
you again.
JR




Re: BIND and iptables config

2018-02-15 Thread Pascal Hambourg

On 15/02/2018 at 17:01, Rodary Jacques wrote:

> my English is too poor to explain clearly my setup

Why don't you post in French in the debian-user-french mailing list ?



Re: BIND and iptables config

2018-02-15 Thread Joe
On Thu, 15 Feb 2018 08:08:59 -0500
Greg Wooledge  wrote:


> 
> > But  NetworkManager  
> 
> *shudder*  You're on your own with that one.
> 

Datum: I remember Notwork Manager, but I've used it for at least five
years on a netbook, with wi-fi, openvpn and a number of pre-set fixed
IP wired schemes, and until recently with a 3G dongle, and it has
behaved well.

-- 
Joe



Re: BIND and iptables config

2018-02-15 Thread Henning Follmann
On Thu, Feb 15, 2018 at 05:01:52PM +0100, Rodary Jacques wrote:
> With NetworkManager, /etc/network/interfaces has only the loopback interface,
> and I can't use wicd which can't deal with two wired interfaces. And, Henning
> Follmann, my English is too poor to explain clearly my setup which is the
> standard one when your ISP gives you one routable address and you want your
> home LAN to have access to internet.
>   Thanks for your interest anyway.
>   Jacques
> 

Hello,
no, your English was good enough to describe your setup. And I would say
that 90% of "us" have a form of "dialup" with one routable IP address and a
NAT setup.
First, bind is not "standard" in this kind of situation and makes things
overly complicated. I would recommend dnsmasq instead. It is much more
straightforward for a NAT box to set up. It will also provide you with a
DHCP server.
And in your situation you also want to disable/avoid the NetworkManager.
It is quite easy because every device you list in /e/n/i will be
automatically ignored by the NetworkManager.
And clearly, just because you have difficulties in setting this up doesn't
make all of this a bug.

Also I want to mention that to set up a router with Red Hat or with Debian is
possible, but there are distributions which are much more suited for this
purpose. I personally like pfsense and opnsense. Both are based on BSD but
they are excellent for SOHO routing. 

-H




-- 
Henning Follmann   | hfollm...@itcfollmann.com



Re: BIND and iptables config

2018-02-15 Thread Rodary Jacques
With NetworkManager, /etc/network/interfaces has only the loopback interface, 
and I can't use wicd which can't deal with two wired interfaces. And, Henning 
Follmann, my English is too poor to explain clearly my setup which is the 
standard one when your ISP gives you one routable address and you want your 
home LAN to have access to internet.
Thanks for your interest anyway.
Jacques



Re: BIND and iptables config

2018-02-15 Thread Greg Wooledge
On Wed, Feb 14, 2018 at 11:51:50PM +0100, Rodary Jacques wrote:
> I have my own DNS config so that my home LAN can access internet (with 
> SNAT) to "the" internet which I created under Redhat 7.2!  It did work on a 
> Redhat  box with Systemd, NetworkManager , and the bind9 RPM. On Debian the 
> bind9.service tries to start when the net interfaces are not ready.

First thing you want to check is that your /etc/network/interfaces
file uses "auto" rather than "allow-hotplug" for the interfaces that
*must* be brought up before starting network-y services.

> But  NetworkManager

*shudder*  You're on your own with that one.
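
Greg's "auto" versus "allow-hotplug" check, as an added worked example that is
not part of his post or of Debian's ifupdown tooling. The distinction it relies
on is the documented one: "auto" interfaces are brought up by `ifup -a` during
boot, "allow-hotplug" interfaces only when udev reports the device, so a daemon
that must bind a LAN address at start-up can lose the race against a hotplug
interface. The sample interfaces file, the names eth0/eth1 and the address
192.168.1.1 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): list the interfaces in an
# /etc/network/interfaces-style file that are declared only with
# "allow-hotplug" (brought up when udev sees the device, so a service
# started at boot may not find its address yet) and rewrite the one that
# must exist before network services start to "auto".
# The sample file, eth0/eth1 and 192.168.1.1 are constructed for the demo.

# Usage: ifaces_by_method FILE METHOD -> interface names, one per line
ifaces_by_method() {
    awk -v m="$2" '$1 == m { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Usage: hotplug_only FILE -> interfaces that are allow-hotplug but never auto
hotplug_only() {
    for ifc in $(ifaces_by_method "$1" allow-hotplug); do
        ifaces_by_method "$1" auto | grep -qx "$ifc" || echo "$ifc"
    done
}

# Usage: promote_to_auto FILE IFACE
# Rewrite "allow-hotplug IFACE" to "auto IFACE" (one interface per line only).
promote_to_auto() {
    sed "s/^allow-hotplug[[:space:]][[:space:]]*$2\$/auto $2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed sample: a NAT box with the ISP side on eth0 and the LAN on eth1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auto lo
iface lo inet loopback

# WAN: address comes from the ISP; bringing it up on hotplug is fine
allow-hotplug eth0
iface eth0 inet dhcp

# LAN: named is meant to listen here, so it must be up before bind9.service
allow-hotplug eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
EOF

# Work on a copy so the original sample keeps the "before" state.
work=$(mktemp)
cp "$sample" "$work"

echo "hotplug-only before:"; hotplug_only "$sample"   # eth0 and eth1
promote_to_auto "$work" eth1
echo "hotplug-only after:";  hotplug_only "$work"     # eth0 only
```

Only the LAN interface is promoted: the WAN side gets its address from the ISP
and nothing local needs to bind to it, so leaving it hotplug costs nothing,
while the interface named is supposed to listen on must carry its address
before the bind9 unit starts.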



Re: BIND and iptables config

2018-02-15 Thread Henning Follmann
On Wed, Feb 14, 2018 at 11:51:50PM +0100, Rodary Jacques wrote:
> I have my own DNS config so that my home LAN can access internet (with
> SNAT) to "the" internet which I created under Redhat 7.2!  It did work on a
> Redhat box with Systemd, NetworkManager, and the bind9 RPM. On Debian the
> bind9.service tries to start when the net interfaces are not ready. But
> NetworkManager also tries to resolve DNS servers still when the net
> interfaces are not ready; so the external servers can't be reached and
> /etc/resolv.conf ( a soft link to  /var/run/NetworkManager/resolv.conf) has 
> no reference to wlan (man resolvconf, indicated in 
> /lib/systemd/system/bind9-resolvconf.service as Docu never was on my system). 
> So  I had to cheat with NetworkManager: I removed the link 
> /etc/resolv.conf, and edited the original one (created during installation) 
> with all my DNS servers ( the master server is on my box and can't be reached 
> before BIND (4, 8 or 9) is activated) . I also had to create a new profile on 
> my external interface with all the DNS servers.
> All this done (two or three weeks), I can launch named with my own 
> (chroot'ed) config, and then start netfilter and SNAT  
> with my config.
> I don't mind all this as long as I don't have to reboot, and cheat again.
>   Wouldn't it be a bug?

No.
It's not debian's, bind's or the iptables fault that your setup is
unnecessary complicated and cumbersome.
The issue is your setup.

-H



-- 
Henning Follmann   | hfollm...@itcfollmann.com



BIND and iptables config

2018-02-14 Thread Rodary Jacques
I have my own DNS config so that my home LAN can access internet (with SNAT)
to "the" internet which I created under Redhat 7.2!  It did work on a Redhat
box with Systemd, NetworkManager, and the bind9 RPM. On Debian the
bind9.service tries to start when the net interfaces are not ready. But
NetworkManager also tries to resolve DNS servers still when the net interfaces
are not ready; so the external servers can't be reached and /etc/resolv.conf (a
soft link to  /var/run/NetworkManager/resolv.conf) has no reference to wlan 
(man resolvconf, indicated in /lib/systemd/system/bind9-resolvconf.service as 
Docu never was on my system). So  I had to cheat with NetworkManager: I removed 
the link 
/etc/resolv.conf, and edited the original one (created during installation) 
with all my DNS servers ( the master server is on my box and can't be reached 
before BIND (4, 8 or 9) is activated) . I also had to create a new profile on 
my external interface with all the DNS servers.
All this done (two or three weeks), I can launch named with my own (chroot'ed) 
config, and then start netfilter and SNAT  
with my config.
I don't mind all this as long as I don't have to reboot, and cheat again.
Wouldn't it be a bug?
Cheers. Jacques