
Re: OpenBSD 3.2 & DNS.



DNS in one rule...
	pass out on ne3 inet proto udp from any to any port = 53 keep state
Currently you are passing the domain info in, but not out. The redirect
rule must be getting blocked when the filter rules are
applied. Check your tcpdump for that,
but just use the above pass rule and you should be set.
I would also suggest not allowing inbound port 53 to be open, because if
you don't set up your DNS properly, you may allow domain transfers, which
means someone can grab your internal network setup... (but I digress)
Scott
On Sun, 6 Apr 2003, Richard Gutery wrote:
> I hope someone can help me out with MS DNS behind BSD32. Although still
> somewhat a newbie, I've used OpenBSD as a firewall since 2.7 with great
> success.
>
> Synopsis (I've indented the relevant parts and left a brief description in
> the left column):
>
> 	OpenBSD 3.2 dual NICs,
> 	Outside is xxx.xxx.xxx.xxx (NIC = ne3)
> 	Inside is  yyy.yyy.yyy.yyy   (NIC = vr0)
>
> Partial pf.conf entries follow.
>
> First, NAT:
> 	nat on ne3 inet from yyy.yyy.yyy.0/24 to any -> ne3
>
> Redirections:
> 	rdr on ne3 proto { tcp, udp } from any to xxx.xxx.xxx.0/24 port 53 -> \
> 	        yyy.yyy.yyy.250 port 53
>
> Blocked addresses are located here:
> 	All the bad addresses are here,
>
> Services allowed are located here:
> 	# DNS ???
> 	pass in quick on ne3 proto udp from any to any port 53 keep state
> 		# next line probably not needed, but stuck it in for testing...
> 	pass in quick on ne3 proto tcp from any to any port 53 flags S/SA keep state
>
> I then do an nslookup like so:
>
> 	FW1# nslookup 2knettrain.com
> 	*** Can't find server name for address 68.144.16.250: Non-existent host/domain
> 	Server:  ns3so.cg.shawcable.net
> 	Address:  24.71.223.144
>
> 	Name:    2knettrain.com
> 	Address:  68.144.16.250
>
> The first line is a mystery because it is a valid domain, with a valid host.
> I can perform nslookups inside but not from the outside. I know I'm missing
> something, but cannot seem to get my head around it. This all worked fine
> under BSD2.9, but I don't want to go back to an unsupported version.
>
> I have read every mailer and hint I can find and everything seems to be
> configured correctly. I have MS DNS configured on the inside, but cannot
> seem to resolve anything to it from the outside.
>
> What am I missing?
>
> Any help would be HUGELY appreciated.
>
> Thanks.
>
> Richard Gutery
>
>
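The ruleset below is an added example (not from Scott's or Richard's mail) that puts the thread's pieces together: the rdr to the inside server, the missing pass rules, and Scott's point about not opening TCP 53 to the world. It assumes OpenBSD 3.2 pf.conf syntax, the thread's interfaces (ne3 outside, vr0 inside), a "block all" default policy, and a placeholder ZONE_SECONDARY for the only host that should be allowed to pull the zone.

```pf
# Added example, not the poster's ruleset. Assumes OpenBSD 3.2 pf.conf syntax,
# ne3 outside, vr0 inside, and a block-all default; ZONE_SECONDARY is a placeholder.
ext_if = "ne3"
int_if = "vr0"
dns_srv = "yyy.yyy.yyy.250"          # internal MS DNS server from the thread
zone_secondary = "ZONE_SECONDARY"    # placeholder: the secondary allowed to do AXFR

# Translation: inside hosts are NATed out; public DNS hits go to the inside server.
nat on $ext_if inet from yyy.yyy.yyy.0/24 to any -> $ext_if
rdr on $ext_if inet proto { tcp, udp } from any to xxx.xxx.xxx.0/24 port 53 \
    -> $dns_srv port 53

block in log all
block out log all

# pf filters after translation, so pass rules match the translated (inside) address.
# Inbound queries over UDP; keep state handles the reply.
pass in quick on $ext_if inet proto udp from any to $dns_srv port 53 keep state
# The redirected packet still has to leave through the inside interface.
pass out quick on $int_if inet proto udp from any to $dns_srv port 53 keep state

# Weak form from the thread: TCP 53 from anywhere lets any host attempt a zone
# transfer (AXFR runs over TCP).
#   pass in quick on ne3 proto tcp from any to any port 53 flags S/SA keep state
# Hardened form: TCP 53 only from the secondary that is supposed to transfer the zone.
pass in quick on $ext_if inet proto tcp from $zone_secondary to $dns_srv port 53 \
    flags S/SA keep state
pass out quick on $int_if inet proto tcp from $zone_secondary to $dns_srv port 53 \
    flags S/SA keep state

# Scott's rule: lookups the firewall itself (and NATed inside hosts) send out.
pass out on $ext_if inet proto udp from any to any port = 53 keep state
```

Responses larger than 512 bytes also fall back to TCP, so check with tcpdump that nothing legitimate needs TCP 53 from other sources before closing it this tightly.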