rndc across stateful firewall

Scott Taylor staylor at coloradomusic.com
Wed Apr 4 21:22:08 UTC 2001


I am trying to use rndc on a machine in our internal network to reload a
machine in our DMZ segment across a Cisco PIX firewall. It looks at
first glance like the very first reply packet from the rndc server sets
the reset flag, at which point the firewall closes the connection.

%PIX-6-302001: Built outbound TCP connection 7872462 for faddr
10.0.141.4/953 gaddr 10.0.240.83/32951 laddr 10.0.240.83/32951
%PIX-6-302002: Teardown TCP connection 7872462 faddr 10.0.141.4/953
gaddr 10.0.240.83/32951 laddr 10.0.240.83/32951 duration 0:00:01 bytes 8
(TCP Reset-O)
%PIX-6-106015: Deny TCP (no connection) from 10.0.141.4/953 to
10.0.240.83/32951 flags RST ACK  on interface inside

Here is an example of another service that connects between these
machines just fine.

%PIX-6-302001: Built outbound TCP connection 7880170 for faddr
10.0.141.4/22 gaddr 10.0.240.83/32952 laddr 10.0.240.83/32952
%PIX-6-302002: Teardown TCP connection 7880170 faddr 10.0.141.4/22 gaddr
10.0.240.83/32952 laddr 10.0.240.83/32952 duration 0:00:01 bytes 18387
(TCP FINs)

All machines here are using bind 9.1.1.

Has anyone else seen this problem? Is the ndc listener just not
performing TCP handshaking by the book?
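As an added example (not part of the original post), a small Python parser for the PIX 302001/302002/106015 records quoted above: it pairs each "Built" line with its "Teardown" line by connection id, separates sessions torn down by a reset after only a few bytes (the rndc symptom) from clean FIN closes (the SSH session), and lists the stray RST/ACK denials that follow. The sample lines are constructed from the ones in the post, joined onto single lines.

```python
import re

# Constructed sample: the PIX syslog lines from the post, one record per line.
SAMPLE_LOG = """\
%PIX-6-302001: Built outbound TCP connection 7872462 for faddr 10.0.141.4/953 gaddr 10.0.240.83/32951 laddr 10.0.240.83/32951
%PIX-6-302002: Teardown TCP connection 7872462 faddr 10.0.141.4/953 gaddr 10.0.240.83/32951 laddr 10.0.240.83/32951 duration 0:00:01 bytes 8 (TCP Reset-O)
%PIX-6-106015: Deny TCP (no connection) from 10.0.141.4/953 to 10.0.240.83/32951 flags RST ACK  on interface inside
%PIX-6-302001: Built outbound TCP connection 7880170 for faddr 10.0.141.4/22 gaddr 10.0.240.83/32952 laddr 10.0.240.83/32952
%PIX-6-302002: Teardown TCP connection 7880170 faddr 10.0.141.4/22 gaddr 10.0.240.83/32952 laddr 10.0.240.83/32952 duration 0:00:01 bytes 18387 (TCP FINs)
"""

BUILT = re.compile(r"%PIX-6-302001: Built (?P<dir>\w+) TCP connection (?P<id>\d+) "
                   r"for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+)")
TEARDOWN = re.compile(r"%PIX-6-302002: Teardown TCP connection (?P<id>\d+) "
                      r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) .*duration (?P<dur>[\d:]+) "
                      r"bytes (?P<bytes>\d+) \((?P<reason>[^)]+)\)")
DENY = re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from (?P<faddr>[\d.]+)/(?P<fport>\d+) "
                  r"to (?P<laddr>[\d.]+)/(?P<lport>\d+) flags (?P<flags>.+?) +on interface")


def correlate(log_text):
    """Pair 302001 build and 302002 teardown records by PIX connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            conns[m["id"]] = {"faddr": m["faddr"], "fport": int(m["fport"]),
                              "reason": None, "bytes": None}
            continue
        m = TEARDOWN.search(line)
        if m and m["id"] in conns:
            conns[m["id"]].update(reason=m["reason"], bytes=int(m["bytes"]))
    return conns


def reset_on_connect(conns, max_bytes=64):
    """Connection ids torn down by a reset after almost no payload: the symptom
    in the post, as opposed to the SSH session that ends with TCP FINs."""
    return sorted(cid for cid, c in conns.items()
                  if c["reason"] and "Reset" in c["reason"]
                  and c["bytes"] is not None and c["bytes"] <= max_bytes)


def stray_resets(log_text):
    """(faddr, fport) of 106015 'no connection' denials carrying RST, i.e. packets
    the server kept sending after the firewall had already dropped its state."""
    return [(m["faddr"], int(m["fport"]))
            for m in (DENY.search(l) for l in log_text.splitlines())
            if m and "RST" in m["flags"]]
```

Run over a real PIX syslog feed, a service whose port shows up repeatedly in `reset_on_connect` with single-digit byte counts is being reset by the server immediately after the handshake rather than being blocked by the firewall policy.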
