Building bind with gssapi

2013-08-12 Thread Jeff Powell
I've been tearing my hair out trying to get this to work.  I'm running OpenBSD 
5.3 x64 and I'm trying to build isc-bind from ports using the --with-gssapi in 
the Makefile (I want to have the -g option in nsupdate so I can use isc-dhcp 
to register dynamic DNS updates against a secure Windows nameserver).
I've specified --with-gssapi=/usr in the Makefile.  Now, OpenBSD seems to put 
the gssapi.h in /usr/include/kerberosV, and krb5.h is there too.  Yet, when I 
make the port it gives the following errors:

checking for GSSAPI library... looking in /usr/lib
checking gssapi.h usability... no
checking gssapi.h presence... no
checking for gssapi.h... no
checking gssapi/gssapi.h usability... no
checking gssapi/gssapi.h presence... no
checking for gssapi/gssapi.h... no
configure: error: gssapi.h not found

I've tried adding symlinks here and there, but nothing works.  I also see that 
the configure script wants to tack /lib onto the end of whatever path I enter 
for --with-gssapi=, even though the .h files aren't located in any such folder.

Am I doing something wrong?  I'd appreciate any insights.

Thanks,

Jeff

Jeff Powell
Systems Administrator
Valley Services Electronics
(408) 284-7751



Semi-newbie NAT question

2010-05-06 Thread Jeff Powell
Hi,
I'm hoping someone can help me with this.  I'm just not totally up to speed on
the finer details of NAT.

I have built a firewall router using a Soekris Net5501.  It has 4 NICs, one
not used.  They are as follows:

vr0 = Connected to DSL modem.  No IP address.  Given as $ExtIF in pf.conf.
vr1 = Connected to Gb switch.  Public IP.  Given as $IntIF in pf.conf.
vr2 = Connected to same Gb switch.  Private IP.  $LocalIF in pf.conf.

My public net is referred to as $DMZnet and the local net is $IntNet.

vr0 and vr1 are bridged together as bridge0.

I am giving the local clients Internet access via NAT:

nat log on $IntIF from ! $IntIF to any -> $IntIF

The clients use the local IP of the firewall, 192.168.1.254, as their default
gateway.
All this works just fine until I try to put another server on the public net.
When I point that server's gateway at the public IP of the router ($IntIF),
it's blocked by the NAT.  I understand that this is NAT doing its job by
blocking packets it doesn't know about, but what do I do about a gateway for
the DMZ net hosts?  I don't want to use the ISP's gateway, I'd rather use the
router.  How can I make the router accept traffic from DMZ net hosts as a
gateway?  I've thought of using the currently-unused fourth NIC to give it a
second public IP, but that's wasteful.  I'm hoping this can be done purely in
pf.

thanks,
Jeff



Re: Semi-newbie NAT question

2010-05-06 Thread Jeff Powell
Thanks, that's something I'll look into.  There's another wrinkle I forgot to
mention-- There is a Windows domain controller on the private net along with
several Windows clients, and one Windows server on the DMZ net, a member of
the domain.  The router is running BIND, with its zones as slaves to the
Windows DNS server on the domain controller (this is my public nameserver--
the Windows primary is on the private net).  For this reason, the Windows
server on the DMZ net must use the domain controller's private address as its
DNS and not the router's BIND nameserver on the DMZ net, because BIND refuses
to handle the special records that a Windows client needs to locate Active
Directory.  I'm not totally against creating another subnet, I just want to
keep it as simple as possible and I hate messing with static routes and that
sort of thing.

Thanks,

Jeff



From: Adam M. Dutko [mailto:dutko.a...@gmail.com]
Sent: Thu 5/6/2010 12:12 PM
To: Jeff Powell
Cc: misc@openbsd.org
Subject: Re: Semi-newbie NAT question

vr0 and vr1 are bridged together as bridge0.

I was puzzled as to how it was working until you said this...

I have a similar setup as you.  I have a public interface with my public IP
attached to the cable modem, then I have two other interfaces, one for
internal hosts and another for DMZ hosts.  In order to give a good amount of
separation, logical and physical, I've setup two unique subnets, one for
private side and the other for the DMZ.  I simply point the DMZ hosts to the
DMZ gateway address and then handle it through pf and do the same with
internal/private hosts.  I understand you don't want to use the fourth port,
but it would make for clean separation and wouldn't require another public IP
if you used a private subnet.  An added benefit of such a setup is port
redirects from the public IP to the other hosts, or using some sort of proxy
to proxy connections to the DMZ hosts.
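The layout Adam describes above, written out as a pf.conf in the pre-4.7 nat/rdr syntax that Jeff's own rule uses. This is an added example, not a configuration from either poster: the interface names follow the original post, but the subnets, the DMZ server address and the domain controller address are constructed placeholders, and the assumption is that the public IP sits on vr0 while vr1 and vr2 each carry their own private subnet. It also carries the constraint from Jeff's follow-up that the Windows member server in the DMZ must reach the domain controller's private address for DNS, while keeping the DMZ from starting any other conversation with the internal net.

```pf
# Added example (not from the thread). Pre-OpenBSD-4.7 pf syntax, to match
# the "nat ... -> $IntIF" rule in the original post.
ExtIF  = "vr0"                 # public IP lives here; DSL modem side
IntIF  = "vr1"                 # internal/private hosts
DmzIF  = "vr2"                 # DMZ hosts on their own private subnet
IntNet = "192.168.1.0/24"      # constructed placeholder
DmzNet = "192.168.2.0/24"      # constructed placeholder
DC     = "192.168.1.10"        # hypothetical domain controller (internal net)
DmzWeb = "192.168.2.10"        # hypothetical published DMZ server

set skip on lo

# Both private subnets leave through the single public address. The
# parentheses make pf re-read the address if the ISP hands out a new one.
nat on $ExtIF from { $IntNet, $DmzNet } to any -> ($ExtIF)

# Publish exactly one service from the DMZ; nothing else on the public
# IP is forwarded inward.
rdr on $ExtIF proto tcp from any to ($ExtIF) port 80 -> $DmzWeb port 80

# Default deny, logged, so anything not listed below shows up in pflog.
block log all

# Internal hosts may initiate anywhere, including into the DMZ.
pass in quick on $IntIF from $IntNet to any keep state

# DMZ -> internal: only the member server's DNS lookups to the domain
# controller. A domain member also needs Kerberos and LDAP to the DC;
# those ports are deliberately not opened here, add them explicitly if
# the server must remain a domain member.
pass in quick on $DmzIF proto { tcp, udp } from $DmzWeb to $DC port 53 keep state
block in quick log on $DmzIF from $DmzNet to $IntNet

# DMZ hosts may otherwise reach the Internet, with the router as gateway.
pass in quick on $DmzIF from $DmzNet to any keep state

# From the Internet: only the redirected service. rdr runs before the
# filter, so the rule matches the translated (DMZ) destination.
pass in quick on $ExtIF proto tcp from any to $DmzWeb port 80 flags S/SA keep state

pass out quick all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first, which parses without applying, and watch `tcpdump -n -e -ttt -i pflog0` while the DMZ server joins or authenticates; the logged blocks show which additional DC ports the member server actually needs, which is the point of denying DMZ-to-internal by default rather than passing it and hoping.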