On 10/27/2017 05:44 PM, Rommel Rodriguez Toirac wrote:
> Hello all;
> here I send some configs and traces of my shorewall firewall.
> I have made some workarounds, so maybe this is a little different to
> the one that I sent in the shorewall-dump.tar.gz; but still the problem
> is present.
> This is the situation.
> Our networks are private.
> (municipal networks use provincial network services)
> Some networks that are outside of my office network use some services in
> it; for example, my smtp service is used as a gateway for the email
> service in these offices, they use mailboxes accessed with the pop3 service,
> they use the FTP server and use the jabber service that we serve.
> (municipal offices have their own DNS and Domain)
> Our municipal offices have their own DNS services and their Domain,
> managed with Windows 2008 Active Directory, so the resolution of
> their PC names and IP numbers is local for them.
> (IP addresses and PC names unknown)
> In the municipal offices, the DNS service has a Forwarder configured,
> so that all PC names or IP numbers unknown to them are sent to my bind
> server. The Forwarder IP number is the IP of the net (or internet)
> interface in my shorewall config [172.16.120.1]. This is with the
> intention of configuring all services in the municipal networks using DNS
> names and not IP numbers. For example, to access my FTP server, use
> ftp.gtm.onat.gob.cu and not a number.
> (bind with views in my DMZ)
> In the DMZ (provincial network) I have configured a DNS service with
> bind using views listening to the requests of the municipal networks.
>
> When I point to ftp.gtm.onat.gob.cu from some PC in a municipal network,
> nothing happens, nor does shorewall log the event. When I point to
> 172.16.120.1 the connection is established with no problems. Nothing that
> I try to access with PC or alias names of my network succeeds;
> everything must be done with IP addresses.
> Nevertheless, I made a test with nslookup from a PC in a municipal
> network and this is the answer:
>
> ###nslookup from gtm08
> C:\Users\Administrador>nslookup
> Servidor predeterminado: gtm08.cai.gtm.onat.gob.cu
> Address: 172.16.123.11
>
> > gtmem
> Servidor: gtm08.cai.gtm.onat.gob.cu
> Address: 172.16.123.11
>
> Respuesta no autoritativa:
> Nombre: gtmem.gtm.onat.gob.cu
> Address: 192.168.14.4
>
> > mail.gtm.onat.gob.cu
> Servidor: gtm08.cai.gtm.onat.gob.cu
> Address: 172.16.123.11
>
> Respuesta no autoritativa:
> Nombre: gtmem.gtm.onat.gob.cu
> Address: 192.168.14.4
> Aliases: mail.gtm.onat.gob.cu
>
>
> What did I do wrong? Where is my mistake? Shorewall or bind or Windows
> 2008 DNS config? Why is it impossible to use PC names or aliases in services
> accessed from outside my network?
Your DNS server is returning *private* (RFC1918) addresses to systems in the Municipal Network. To those systems, it must return the public IP address of your firewall.

This is addressed by using split DNS -- let your DMZ server handle local clients and let your DMZ server handle external clients.

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
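The split-DNS setup Tom describes, written out as a BIND views configuration; this is an added example, not the poster's config and not part of Shorewall. The DMZ range 192.168.14.0/24, the zone file paths, the ns1 and ftp host addresses and the SOA/NS records are assumptions; 192.168.14.4 (gtmem) and 172.16.120.1 (the shorewall net interface) are the values from the messages above.

```conf
// /etc/bind/named.conf.local (added example, not the poster's config).
// Assumed: the DMZ range 192.168.14.0/24, the zone file paths, the ns1/ftp
// addresses and the SOA/NS records. 192.168.14.4 (gtmem) and 172.16.120.1
// (the shorewall "net" interface) are the values from the thread.
// With views, every zone must live inside a view; a zone defined in one
// view is invisible to the other, so each view carries its own copy.
acl "dmz" { 192.168.14.0/24; };

// Hosts inside the DMZ keep getting the real DMZ addresses.
view "internal" {
    match-clients { "dmz"; localhost; };
    zone "gtm.onat.gob.cu" {
        type master;
        file "/etc/bind/zones/db.gtm.onat.gob.cu.internal";
    };
};

// Everyone else, including the municipal Windows DNS forwarders, gets the
// firewall address they can actually reach; shorewall DNAT does the rest.
view "external" {
    match-clients { any; };
    zone "gtm.onat.gob.cu" {
        type master;
        file "/etc/bind/zones/db.gtm.onat.gob.cu.external";
    };
};

; ---- /etc/bind/zones/db.gtm.onat.gob.cu.internal (internal view) ----
$TTL 3600
@      IN SOA   ns1.gtm.onat.gob.cu. hostmaster.gtm.onat.gob.cu. (
                2017102701 3600 900 604800 300 )
@      IN NS    ns1.gtm.onat.gob.cu.
ns1    IN A     192.168.14.2
gtmem  IN A     192.168.14.4
mail   IN CNAME gtmem
ftp    IN A     192.168.14.5

; ---- /etc/bind/zones/db.gtm.onat.gob.cu.external (external view) ----
; Same SOA/NS; every published service name resolves to the firewall.
$TTL 3600
@      IN SOA   ns1.gtm.onat.gob.cu. hostmaster.gtm.onat.gob.cu. (
                2017102701 3600 900 604800 300 )
@      IN NS    ns1.gtm.onat.gob.cu.
ns1    IN A     172.16.120.1
gtmem  IN A     172.16.120.1
mail   IN CNAME gtmem
ftp    IN A     172.16.120.1
```

Check the files with `named-checkconf` and `named-checkzone gtm.onat.gob.cu /etc/bind/zones/db.gtm.onat.gob.cu.external` before reloading. A query for ftp.gtm.onat.gob.cu from a municipal PC should then answer 172.16.120.1, while the same query from inside the DMZ answers 192.168.14.5.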
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
