bind - firewalling

Chad M. Stewart Chad at Amotken.com
Tue Jul 24 16:02:04 UTC 2001


At 09:20 AM 07/24/2001, Wilhelm Grundner wrote:


>hello,
>
>this might not be a bind-problem, but i'll
>try my luck anyway since it's affecting my dns.
>
>here's my config:
>
>nameserver:
>
>         linux redhat 6.2
>         kernel-2.2.16-3
>         bind-8.2.3-0.6.x
>
>firewall:
>
>         linux redhat 6.2
>         kernel-2.2.16-5
>         ipchains-1.3.9-5
>
>here's my problem - which does not occur
>regularly - only sometimes:
>
>dns with the locally managed zones works fine.
>
>but as soon as i query another nameserver outside
>our company - 'course i have to go thru a firewall
>for this - the ip-address of my nameserver gets
>translated to the inside-interface of the firewall
>instead of the outside-interface of the firewall

I've got nearly the same setup and things work just fine for me.

Firewall - RHL-Sparc 6.2 using ipchains
Nameserver - RHL-x86 6.2

Based on your comments above about the lack of MASQ happening on your 
firewall, it sounds like your ipchains settings are not right for your 
environment.  Maybe MASQ is not supposed to happen; that depends on your IP network.

Suggestions: you might find either http://packetfilter.amotken.com/ or 
http://fwup.org/ helpful to configure IPChains correctly.  You could also 
try the IPChains mailing list for help.  I host the list right now and a 
while ago there were some very good technical people 
contributing.  Directions for the mailing list can be found from the first 
link above.


Regards,
Chad



>and so there's no way back for the ip-packet (the
>firewall-config has been checked and can be considered ok).
>
>the reason why i suspect that the bind-sw could
>have something to do with it is, that the firewall-sw
>'ipchains' did have troubles with the sender-port 53.
>
>when we changed the source-port >1023 it worked out fine
>but only until yesterday. and since then we have a major
>problem - as you can imagine.
>
>i'm fully aware that it's most likely the firewall-sw's
>problem, but i thought that other folks might have
>stumbled over the same problem.
>
>any help would be greatly appreciated
>
>
>Best regards
>Wilhelm Grundner
>
>T-Systems
>debis Systemhaus Oesterreich GmbH
>Communication Platforms
>Hofmuehlgasse 3-5, A-1060 Wien
>Phone: +43 1 59903 4390
>Fax:   +43 1 59903 4399
>E-Mail: wilhelm.grundner at t-systems.at
>Internet: http://www.t-systems.at
>_____________________________________________________________________
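The source-port change Wilhelm mentions (moving the query source port from 53 to >1023) corresponds to BIND 8's `query-source` option in named.conf. The fragment below is an added illustration, not configuration from either poster; the directory path is a placeholder.

```conf
// named.conf fragment, BIND 8 syntax.  Added illustration only; the
// directory path is a placeholder, not a value from the thread.
options {
    directory "/var/named";

    // BIND 8 default: outbound queries to other nameservers leave from
    // source port 53.  This is the setting in effect when the firewall
    // (ipchains, per the report above) failed to masquerade the query,
    // leaving the reply with no path back to the nameserver.
    // query-source address * port 53;

    // Change the poster applied: let named pick an unprivileged (>1023)
    // source port instead of a fixed one.  Besides getting along with the
    // firewall, a non-fixed query source port is the safer choice, since
    // a predictable source port makes forged replies easier to match to
    // outstanding queries.
    query-source address * port *;
};
```

After changing the option, confirm on the firewall's outside interface that outgoing queries now carry a high source port and that the masqueraded replies are accepted back.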