Re: [pfSense Support] Bogons file overwritten w/ bad data

2009-11-27 Thread Keenan Tims
The redmine is extremely slow right now and I don't think I have an
account, so I've given up waiting for it. Here's a patch created against
1.2.3-RC2, but it applies cleanly to my 2.0-ALPHA box as well. Works on
both. Simple enough.

Keenan

Chris Buechler wrote:

 Yeah it assumes if the file is downloaded successfully that it's legit
 data. First I've heard of anyone running into something like this, we
 should have more verification on that file though.
 http://redmine.pfsense.org/issues/show/183
*** rc.update_bogons.sh.old Fri Nov 27 00:43:59 2009
--- rc.update_bogons.sh Fri Nov 27 01:00:44 2009
***
*** 4,9 
--- 4,11 
  # Part of the pfSense project
  # www.pfsense.com
  
+ BOGONS_URL=http://files.pfsense.org/bogon-bn-nonagg.txt;
+ 
  echo rc.update_bogons.sh is starting up. | logger
  
  # Grab a random value 
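Review bot: the only thing that changes here is that the plain-http URL moves into a variable, so the script still accepts whatever an on-path party serves as long as it looks like a list of prefixes; since this is the one place the source is defined, it is also the place to switch to https (if files.pfsense.org offers it) or to add a companion checksum/signature URL that the update cycle below verifies before loading. Also, as the hunk stands the value ends in a stray `;` after `.txt`; quote the assignment (BOGONS_URL="http://files.pfsense.org/bogon-bn-nonagg.txt") so nothing like that can ride into the fetch.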
***
*** 17,31 
  echo rc.update_bogons.sh is beginning the update cycle. | logger
  
  /etc/rc.conf_mount_rw
! /usr/bin/fetch -q -o /tmp/bogons 
http://files.pfsense.org/bogon-bn-nonagg.txt;
  if [ ! -f /tmp/bogons ]; then
!   echo Could not download http://files.pfsense.org/bogon-bn-nonagg.txt; 
| logger
# Relaunch and sleep
sh /etc/rc.update_bogons.sh  
exit
  fi
  egrep -v ^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8 /tmp/bogons  
/etc/bogons
  /etc/rc.conf_mount_ro
  RESULT=`/sbin/pfctl -t bogons -T replace -f /etc/bogons 21`
  rm /tmp/bogons
! echo Bogons file downloaded:  $RESULT | logger
--- 19,46 
  echo rc.update_bogons.sh is beginning the update cycle. | logger
  
  /etc/rc.conf_mount_rw
! /usr/bin/fetch -q -o /tmp/bogons $BOGONS_URL
  if [ ! -f /tmp/bogons ]; then
!   echo Could not download $BOGONS_URL | logger
# Relaunch and sleep
sh /etc/rc.update_bogons.sh  
exit
  fi
+ 
+ # Find any lines that aren't a valid CIDR
+ egrep -v 
'^[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]/[0-9][0-9]?$'
 /tmp/bogons  /dev/null 21
+ 
+ if [ $? -eq 0 ]; then
+   echo Retrieved invalid bogons file from ${BOGONS_URL}. | logger
+   # Relaunch and sleep
+   sh /etc/rc.update_bogons.sh 
+   exit
+ fi 
+ 
+ # Count lines that are a valid CIDR
  egrep -v ^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8 /tmp/bogons  
/etc/bogons
  /etc/rc.conf_mount_ro
  RESULT=`/sbin/pfctl -t bogons -T replace -f /etc/bogons 21`
  rm /tmp/bogons
! valid_lines=`egrep 
'^[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]\.[1-2]?[0-9]?[0-9]/[0-9][0-9]?$'
 /etc/bogons | wc -l`
! echo Bogons file downloaded containing $valid_lines prefixes:  $RESULT | 
logger
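Review bot: an empty file passes the new check and is loaded anyway: `egrep -v` finds no non-matching lines in an empty /tmp/bogons, `$?` is 1, the relaunch is skipped, and `pfctl -t bogons -T replace` then replaces the table with nothing. `valid_lines` is computed after the replace and after `rm /tmp/bogons`, so it only feeds the log line; move the count before the pfctl call and take the relaunch path when it is zero (or below a floor well under the size of a real list). Three smaller points: the pattern accepts octets up to 299 and prefix lengths up to 99 (`[1-2]?[0-9]?[0-9]` and `/[0-9][0-9]?`), so 299.1.1.1/99 is "valid" here and only fails inside pfctl, whose exit status is never examined; the new relaunch path exits with the filesystem still read-write and /tmp/bogons still present, so add `rm /tmp/bogons` and `/etc/rc.conf_mount_ro` before it (the existing download-failure branch has the same mount problem); and the `# Count lines that are a valid CIDR` comment sits above the RFC1918 filter, not above the count.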



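Chris's point above is that the script trusts any file that downloads. As an added example, not pfSense's rc.update_bogons.sh and not Keenan's patch, here is a stricter acceptance check in the same POSIX sh the script is written in: octets and prefix lengths are range-checked, an empty or short list is refused instead of being loaded into pf, RFC1918 entries are stripped the way the pfSense script does, and the sample files (an error page, an empty file, a three-line file, a list with a 299.1.1.1/99 entry) are constructed here, not real downloads. The default floor of 500 prefixes is an assumption; a real list is much longer.

```shell
#!/bin/sh
# Added example, not pfSense's rc.update_bogons.sh or Keenan's patch: an
# acceptance check for a downloaded bogon list, along the lines of the
# "more verification on that file" asked for above. Assumes POSIX sh with
# grep -E, wc and mktemp, which a pfSense (FreeBSD) box has.

# One IPv4 octet, 0-255, no leading zeros.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])'
# A full prefix and nothing else on the line (so a CRLF line ending or a
# trailing comment also fails; strip \r first if you want to tolerate it).
CIDR_RE="^${OCTET}\\.${OCTET}\\.${OCTET}\\.${OCTET}/(3[0-2]|[12][0-9]|[0-9])\$"
# RFC1918 space is listed as bogon upstream but is in use on the LAN, so the
# pfSense script strips it before loading; we do the same.
PRIVATE_RE='^(10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16)$'

# validate_bogons FILE [MIN_PREFIXES]
# Prints the number of prefixes and returns 0 when FILE is acceptable;
# otherwise prints the reason on stderr and returns 1-4.
validate_bogons() {
    file=$1
    min=${2:-500}   # assumed floor; a real list has thousands of entries
    # An empty file written out after an HTTP error, a truncated transfer
    # or a missing file all stop here.
    if [ ! -s "$file" ]; then
        echo "validate_bogons: $file is empty or missing" >&2
        return 1
    fi
    # Every line must be a bare CIDR: HTML, comments and blank lines all fail.
    if grep -E -v -q "$CIDR_RE" "$file"; then
        echo "validate_bogons: non-CIDR line: $(grep -E -v "$CIDR_RE" "$file" | head -n 1)" >&2
        return 2
    fi
    # A default route in the table would block all traffic.
    if grep -E -q '^0\.0\.0\.0/0$' "$file"; then
        echo "validate_bogons: list contains 0.0.0.0/0" >&2
        return 3
    fi
    count=$(grep -E -c "$CIDR_RE" "$file")
    # A short list is a truncated or substituted file; loading it would
    # quietly drop most of the filtering that was in place.
    if [ "$count" -lt "$min" ]; then
        echo "validate_bogons: only $count prefixes, expected at least $min" >&2
        return 4
    fi
    echo "$count"
}

# filter_bogons SRC DST
# Writes SRC minus the RFC1918 prefixes to DST and prints how many remain.
# Call only after validate_bogons has accepted SRC.
filter_bogons() {
    grep -E -v "$PRIVATE_RE" "$1" > "$2"
    grep -E -c "$CIDR_RE" "$2"
}

# Constructed sample input (not real Team Cymru data): 600 plausible /16s.
gen_prefixes() {
    a=1
    while [ "$a" -le 3 ]; do
        b=0
        while [ "$b" -lt 200 ]; do
            echo "$a.$b.0.0/16"
            b=$((b + 1))
        done
        a=$((a + 1))
    done
}

# make_samples: writes the sample files into a temp dir and prints its path.
make_samples() {
    dir=$(mktemp -d)
    # The RFC1918 and 0.0.0.0/8 entries a real list carries.
    { gen_prefixes; printf '10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\n0.0.0.0/8\n'; } > "$dir/good.txt"
    # The kind of error page that overwrote the list in this thread.
    printf '<html><head><title>404 Not Found</title></head>\n<body>Not Found</body></html>\n' > "$dir/html.txt"
    : > "$dir/empty.txt"
    printf '1.2.0.0/16\n1.3.0.0/16\n1.4.0.0/16\n' > "$dir/short.txt"
    # Passes the [1-2]?[0-9]?[0-9] and /[0-9][0-9]? pattern of the patch, not this one.
    { gen_prefixes; echo '299.1.1.1/99'; } > "$dir/badcidr.txt"
    echo "$dir"
}

# Stand-alone demo over the samples.
SAMPLES=$(make_samples)
for name in good.txt html.txt empty.txt short.txt badcidr.txt; do
    if n=$(validate_bogons "$SAMPLES/$name"); then
        echo "$name: accepted, $n prefixes"
    else
        echo "$name: rejected"
    fi
done
# With a real download the load step would then be:
#   validate_bogons /tmp/bogons && filter_bogons /tmp/bogons /etc/bogons \
#     && pfctl -t bogons -T replace -f /etc/bogons
```

The order matters: the count floor and the syntax check run before anything touches pf, so a bad file leaves the existing table in place, which is the failure mode the thread is about.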

[pfSense Support] Multiple Domain names on the same IP

2009-11-27 Thread Gabriel - IP Guys
Dear All,

If I have multiple domain names mapped to my external IPs, how can I
forward requests to system1.domain.com:80 to a different system than
requests to system2.domain.com:80 using pfSense? Both have the same
external IP, but need to be forwarded to different machines.

---

Kind Regards,

Mr Gabriel


Re: [pfSense Support] Multiple Domain names on the same IP

2009-11-27 Thread Duncan Hall

Gabriel - IP Guys wrote:

 Dear All,

 If I have multiple domain names mapped to my external IPs, how can I 
 forward requests to system1.domain.com:80 to a different system than 
 requests to system2.domain.com:80 using pfSense? Both have the same 
 external IP, but need to be forwarded to different machines.

 ---

 Kind Regards,

 Mr Gabriel

I use HAProxy to do this, though admittedly I have not had a chance to 
use the pfSense packaged version. A basic layer 7 ACL rule on the 
domain name sends requests to different servers (backends).


Regards,

Duncan

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
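The host-based routing Duncan describes, written out as an added example; this is not his configuration and not the pfSense package's generated one. The two hostnames are the ones from the question; the backend addresses 192.0.2.11 and 192.0.2.12 and the listener on port 80 are assumed. On pfSense the WAN:80 port forward points at whichever host runs this.

```haproxy
# Added example: HAProxy frontend that picks a backend from the Host header.
global
    log 127.0.0.1 local0
    maxconn 2048

defaults
    mode http
    log global
    option httplog
    # Backends otherwise see the proxy as the client; this adds X-Forwarded-For.
    option forwardfor
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend http_in
    bind *:80
    # Exact, case-insensitive match on the Host header. The ":80" forms are
    # listed too because a client may send the default port explicitly.
    acl host_sys1 hdr(host) -i system1.domain.com system1.domain.com:80
    acl host_sys2 hdr(host) -i system2.domain.com system2.domain.com:80
    use_backend sys1 if host_sys1
    use_backend sys2 if host_sys2
    # No default_backend on purpose: a request for a bare IP or an unknown
    # name gets a 503 from HAProxy instead of reaching an internal server.

backend sys1
    server web1 192.0.2.11:80 check   # assumed internal address

backend sys2
    server web2 192.0.2.12:80 check   # assumed internal address
```

Leaving out default_backend is the deliberate choice here: scanners hitting the external IP by address, rather than by name, never get routed anywhere.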



[pfSense Support] Split DNS Setup

2009-11-27 Thread Ron Lemon
Good Morning,

I have a pfSense box that needs to resolve real world IP addresses 
(www.google.ca) and also internal office IPs for real world IPs 
(www.mydomain.com as 192.168.1.1).  This way people in the building can use 
things just as they would outside but never leave our network.

I have installed TinyDNS and it was working for www.mydomain.com with 
internal addresses, but I then lost the ability to find google.com, etc.

Any suggestions?

I defined an SOA for mydomain.com and created an A record for it.  I had it 
listening on my LAN IP.  Restarted TinyDNS and all was well, till I tried 
google.  It would not resolve that.

Thanks,

Ron



RE: [pfSense Support] Split DNS Setup

2009-11-27 Thread Gabriel - IP Guys
If you're only working with a few servers, < 5, then I would consider
just adding those IPs to the hosts file on pfSense. No need for a shotgun
to kill a fly!

From: Ron Lemon [mailto:r...@maplewood.com] 
Sent: 27 November 2009 15:10
To: support@pfsense.com
Subject: [pfSense Support] Split DNS Setup

Good Morning,

I have a pfSense box that needs to resolve real world IP addresses
(www.google.ca) and also internal office IPs for real world IPs
(www.mydomain.com as 192.168.1.1).  This way people in the building can
use things just as they would outside but never leave our network.

I have installed TinyDNS and it was working for www.mydomain.com
with internal addresses, but I then lost the ability to find google.com,
etc.

Any suggestions?

I defined an SOA for mydomain.com and created an A record for it.  I
had it listening on my LAN IP.  Restarted TinyDNS and all was well, till
I tried google.  It would not resolve that.

Thanks,

Ron



RE: [pfSense Support] Split DNS Setup

2009-11-27 Thread Ron Lemon
Sounds good to me.  Where do I find the hosts file?  I am used to 
C:\Windows\System32\Drivers\ETC; I doubt that will work in this case.

_
Ron Lemon
Information Technology Manager, Maplewood Computing Ltd. | 800.265.3482 | 
www.maplewood.com

This email message, and any files transmitted with it, are confidential and 
intended solely for the use of the intended recipient(s). Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender by reply email and destroy all 
copies of the original message and attachments.


From: Gabriel - IP Guys [mailto:gabr...@impactteachers.com]
Sent: Friday, November 27, 2009 10:35 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Split DNS Setup

If you're only working with a few servers, < 5, then I would consider just 
adding those IPs to the hosts file on pfSense. No need for a shotgun to kill a 
fly!

From: Ron Lemon [mailto:r...@maplewood.com]
Sent: 27 November 2009 15:10
To: support@pfsense.com
Subject: [pfSense Support] Split DNS Setup

Good Morning,

I have a pfSense box that needs to resolve real world IP addresses 
(www.google.ca) and also internal office IPs for real world IPs 
(www.mydomain.com as 192.168.1.1).  This way people in the building can use 
things just as they would outside but never leave our network.

I have installed TinyDNS and it was working for www.mydomain.com with 
internal addresses, but I then lost the ability to find google.com, etc.

Any suggestions?

I defined an SOA for mydomain.com and created an A record for it.  I had it 
listening on my LAN IP.  Restarted TinyDNS and all was well, till I tried 
google.  It would not resolve that.

Thanks,

Ron


Re: [pfSense Support] Split DNS Setup

2009-11-27 Thread David Burgess
On Fri, Nov 27, 2009 at 9:11 AM, Ron Lemon r...@maplewood.com wrote:

  Sounds good to me.  Where do I find the host file?


/etc/hosts


Re: [pfSense Support] Split DNS Setup

2009-11-27 Thread Chris Buechler
On Fri, Nov 27, 2009 at 10:10 AM, Ron Lemon r...@maplewood.com wrote:
 Good Morning,



 I have a pfSense box that needs to resolve real world IP addresses
 (www.google.ca) and also internal office IPs for real world IPs
 (www.mydomain.com as 192.168.1.1).  This way people in the building can use
 things just as they would outside but never leave our network.



 I have installed TinyDNS and it was working for the www.mydomain.com with
 internal addresses but I then lost the ability to find google.com, etc.


Don't, uninstall that, and use the DNS forwarder with overrides.



RE: [pfSense Support] Split DNS Setup

2009-11-27 Thread Ron Lemon
I have removed TinyDNS and added my overrides to DNS forwarder (which show in 
the hosts file).

I have cleared my dns cache on my workstation and then tried to ping my host 
and I still get the public ip not my private one.

I tried restarting the DNS Forwarder then clearing my cache again and I get the 
same results.

_
Ron Lemon
Information Technology Manager, Maplewood Computing Ltd. | 800.265.3482 | 
www.maplewood.com





-Original Message-
From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On Behalf Of Chris 
Buechler
Sent: Friday, November 27, 2009 1:17 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Split DNS Setup

On Fri, Nov 27, 2009 at 10:10 AM, Ron Lemon r...@maplewood.com wrote:
 Good Morning,



 I have a pfSense box that needs to resolve real world IP addresses
 (www.google.ca) and also internal office IPs for real world IPs
 (www.mydomain.com as 192.168.1.1).  This way people in the building can use
 things just as they would outside but never leave our network.



 I have installed TinyDNS and it was working for the www.mydomain.com with
 internal addresses but I then lost the ability to find google.com, etc.


Don't, uninstall that, and use the DNS forwarder with overrides.




Re: [pfSense Support] Split DNS Setup

2009-11-27 Thread Bruce Walker

Ron Lemon wrote:

I have removed TinyDNS and added my overrides to DNS forwarder (which show in 
the hosts file).

I have cleared my dns cache on my workstation and then tried to ping my host 
and I still get the public ip not my private one.

I tried restarting the DNS Forwarder then clearing my cache again and I get the 
same results.


Are you pinging from within your firewall?  Try pinging from one of your 
internal clients; you should see your private name/host entries from there.


The firewall *itself* will report upstream names because by default 
/etc/resolv.conf doesn't get modified to use dnsmasq's lookups. So 
within the firewall itself is a special case, but that likely isn't 
important (it's not an issue in two setups I run that sound much like 
yours).


If you really need to make the firewall see your private names, you 
should read up on dnsmasq's FAQs for the suggested config.  You can 
create /usr/local/etc/dnsmasq.conf and put custom configs in there. They 
won't get clobbered by firmware upgrades, at least not in 1.2.3, and so 
far in 2.0.


-bmw




RE: [pfSense Support] Split DNS Setup

2009-11-27 Thread Ron Lemon
I am pinging from a client machine.  Just to be sure I cleared the DNS cache on 
another computer and then tried it.  Still the live IP.

I have also verified the IP of the DNS server and it is pointed to my pfSense 
box.

_
Ron Lemon
Information Technology Manager, Maplewood Computing Ltd. | 800.265.3482 | 
www.maplewood.com





-Original Message-
From: Bruce Walker [mailto:bruce.wal...@gmail.com] 
Sent: Friday, November 27, 2009 2:08 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Split DNS Setup

Ron Lemon wrote:
 I have removed TinyDNS and added my overrides to DNS forwarder (which show in 
 the hosts file).
 
 I have cleared my dns cache on my workstation and then tried to ping my host 
 and I still get the public ip not my private one.
 
 I tried restarting the DNS Forwarder then clearing my cache again and I get 
 the same results.

Are you pinging from within your firewall?  Try pinging from one of your 
internal clients; you should see your private name/host entries from there.

The firewall *itself* will report upstream names because by default 
/etc/resolv.conf doesn't get modified to use dnsmasq's lookups. So 
within the firewall itself is a special case, but that likely isn't 
important (it's not an issue in two setups I run that sound much like 
yours).

If you really need to make the firewall see your private names, you 
should read up on dnsmasq's FAQs for the suggested config.  You can 
create /usr/local/etc/dnsmasq.conf and put custom configs in there. They 
won't get clobbered by firmware upgrades, at least not in 1.2.3, and so 
far in 2.0.

-bmw




Re: [pfSense Support] Split DNS Setup

2009-11-27 Thread Bruce Walker

Ron Lemon wrote:

I am pinging from a client machine.  Just to be sure I cleared the DNS cache on 
another computer and then tried it.  Still the live IP.

I have also verified the IP of the DNS server and it is pointed to my pfSense 
box.



Oh! Here's a thought: I noticed that adding dns-forwarder overrides 
doesn't restart dnsmasq, so it doesn't necessarily see them.  Either 
restart the service (from Status > Services) or just click the Save 
button on the DNS Forwarder menu page.


-bmw




Re: [pfSense Support] Split DNS Setup

2009-11-27 Thread Jim Pingle
Bruce Walker wrote:
 Oh! Here's a thought: I noticed that adding dns-forwarder overrides
 doesn't restart dnsmasq, so it doesn't necessarily see them.  Either
 restart the service (from Status > Services) or just click the Save
 button on the DNS Forwarder menu page.

This should not be necessary.

When you add an override, you click save on that screen, then apply
changes on the main DNS forwarder screen.

At that point, the overrides are already working (Confirmed again by a
test I just did on my home router)

Jim




Re: [pfSense Support] Split DNS Setup

2009-11-27 Thread Bruce Walker

Jim Pingle wrote:

Bruce Walker wrote:

Oh! Here's a thought: I noticed that adding dns-forwarder overrides
doesn't restart dnsmasq, so it doesn't necessarily see them.  Either
restart the service (from Status > Services) or just click the Save
button on the DNS Forwarder menu page.


This should not be necessary.

When you add an override, you click save on that screen, then apply
changes on the main DNS forwarder screen.

At that point, the overrides are already working (Confirmed again by a
test I just did on my home router)

Jim


Yeah, I take that back. :-)  I rechecked my notes, and what I really 
found is that when you add an override *domain*, dnsmasq isn't restarted 
by that action. You need to either Save on the DNS forwarder page or 
restart the service.


dnsmasq needs to be restarted because the domain overrides are 
implemented by adding additional command line args (--server=/dom/ip) to 
dnsmasq.


-bmw

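The two kinds of override discussed in this thread (Chris's "DNS forwarder with overrides", Gabriel's hosts-file shortcut, and the `--server=/dom/ip` argument Bruce says the domain overrides turn into), written out as the dnsmasq directives they correspond to. This is an added example, not the configuration pfSense generates; it is in the form Bruce suggests for /usr/local/etc/dnsmasq.conf. www.mydomain.com and 192.168.1.1 are Ron's; corp.example, 192.168.1.53 and the interface name em1 are assumed.

```conf
# Added example: split-DNS overrides for dnsmasq, as in /usr/local/etc/dnsmasq.conf.

# Host override: answer this name (and anything under it) with the internal
# address and never send the query upstream. A line in /etc/hosts does the
# same for a single name, which is why the GUI host overrides "show in the
# hosts file"; dnsmasq reads /etc/hosts unless no-hosts is set.
address=/www.mydomain.com/192.168.1.1

# Domain override: forward everything under this domain to an internal
# server. This is the --server=/dom/ip form Bruce mentions. dnsmasq re-reads
# /etc/hosts on SIGHUP but not this file, so either directive here needs a
# service restart to take effect.
server=/corp.example/192.168.1.53

# Everything else goes to the upstream servers in /etc/resolv.conf. Do not
# forward dotless names or reverse lookups for private ranges to them.
domain-needed
bogus-priv

# Drop upstream answers that point at private addresses (DNS rebinding),
# but allow them from the internal server we deliberately forward to.
stop-dns-rebind
rebind-domain-ok=/corp.example/

# Listen on the LAN only; the firewall must not be an open resolver on WAN.
interface=em1
bind-interfaces
```

Note Bruce's caveat still applies: the firewall's own lookups follow /etc/resolv.conf and bypass these overrides unless resolv.conf is pointed at dnsmasq, so test from a LAN client, not from the pfSense shell.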