
Re: OpenBSD 3.2 & DNS.

You may also want to add:
pass out on ne3 inet proto tcp from any to any port = 53 modulate state
It is rare that named will require TCP to transfer data from large domains, but it does happen and without this rule you will get strange fails in an otherwise perfectly working DNS from time to time.

siivv wrote:
dns in one rule...
pass out on ne3 inet proto udp from any to any port = 53 keep state
currently you are passing the domain info in, but not out.. the redirect
rule must be getting blocked when the filter rules are
applied.. check your tcpdump for that...
but just use the above pass rule and you should be set
i would also suggest not allowing inbound port 53 to be open, because if
you don't set up your dns properly, you may allow domain transfers, which
means someone can grab your internal network setup... (but i digress)
On Sun, 6 Apr 2003, Richard Gutery wrote:
I hope someone can help me out with MS DNS behind BSD32. Although still
somewhat a newbie, I've used OpenBSD as a firewall since 2.7 with great
Synopsis (I've indented the relevant parts and left a brief description in
the left column):
	OpenBSD 3.2 dual NICs,
	Outside is xxx.xxx.xxx.xxx (NIC = ne3)
	Inside is  yyy.yyy.yyy.yyy   (NIC = vr0)
Partial pf.conf entries follow.
First NAT:
	nat on ne3 inet from yyy.yyy.yyy.0/24 to any -> ne3
	rdr on ne3 proto { tcp, udp } from any to xxx.xxx.xxx.0/24 port 53 -> yyy.yyy.yyy.250 port 53
Blocked addresses are located here:
	All the bad addresses are here,
Services allowed are located here:
	# DNS ???
	pass in quick on ne3 proto udp from any to any port 53 keep state
		# next line probably not needed, but stuck it in for
	pass in quick on ne3 proto tcp from any to any port 53 flags S/SA keep state
I then do an nslookup like so:
	FW1# nslookup 2knettrain.com
	*** Can't find server name for address Non-existent
	Server:  ns3so.cg.shawcable.net
	Name:    2knettrain.com
The first line is a mystery because it is a valid domain, with a valid host.
I can perform nslookups inside but not from the outside. I know I'm missing
something, but cannot seem to get my head around it. This all worked fine
under BSD2.9, but I don't want to go back to an unsupported version.
I have read every mailer and hint I can find and everything seems to be
configured correctly. I have MS DNS configured on the inside, but cannot
seem to resolve anything to it from the outside.
What am I missing?
Any help would be HUGELY appreciated.
Richard Gutery
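Pulling the thread's advice together, here is a consolidated pf.conf fragment for the setup Richard describes. It is an added example, not a ruleset posted by anyone in the thread: the macro names, the RFC 5737/1918 placeholder networks (192.0.2.0/24 outside, 192.168.1.0/24 inside) and the server address 192.168.1.250 are assumptions standing in for the xxx/yyy values above. It uses OpenBSD 3.2-era syntax, where rdr translation happens before filtering, so the inbound pass rules can match the internal server rather than `any`.

```pf
# Added example (not from the thread). Assumed placeholders: ne3 = external
# NIC, vr0 = internal NIC, 192.0.2.0/24 = public block, 192.168.1.0/24 =
# inside block, 192.168.1.250 = the MS DNS server behind the firewall.
ext_if  = "ne3"
int_if  = "vr0"
ext_net = "192.0.2.0/24"
int_net = "192.168.1.0/24"
dns_srv = "192.168.1.250"

# NAT for the inside network, as in the original post.
nat on $ext_if inet from $int_net to any -> $ext_if

# Redirect inbound DNS for the public block to the internal server.
rdr on $ext_if inet proto { tcp, udp } from any to $ext_net port 53 -> $dns_srv port 53

# Default-deny on the outside interface; the per-address block list from the
# original post would sit here.
block in on $ext_if all

# Inbound DNS. Because rdr has already rewritten the destination, the filter
# sees $dns_srv and the rule can be narrower than "from any to any". Keep
# these two lines only if the server is configured to refuse zone transfers
# to untrusted hosts, per siivv's caution about exposing port 53.
pass in quick on $ext_if inet proto udp from any to $dns_srv port 53 keep state
pass in quick on $ext_if inet proto tcp from any to $dns_srv port 53 flags S/SA keep state

# Outbound DNS, which the original ruleset lacked: UDP for ordinary lookups
# and TCP for the occasional large response, so lookups do not fail
# intermittently as the reply above warns.
pass out on $ext_if inet proto udp from any to any port 53 keep state
pass out on $ext_if inet proto tcp from any to any port 53 flags S/SA modulate state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the loaded rules with `pfctl -sr`; if an inbound query still fails, `tcpdump -n -e -ttt -i pflog0` shows which rule dropped it, which is the check siivv suggests above.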