[Shorewall-users] DNS Errors. Yes I know, not another DNS question...
teastep at shorewall.net
Tue, 24 Sep 2002 06:52:57 -0700
Karen Barnes wrote:
> 1st I will mention that I have created my own common file using your
> common.def. I simply added this line as instructed in other posts I have
> found in this list:
> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
This rule is for DNS replies -- your problem is DNS requests.
> I am currently using two ethernet cards and a total of 3 IPs. With that
> said here is my interfaces:
> net eth1 22.214.171.124,192.168.0.255
> loc eth2 126.96.36.199,192.168.0.255
> Now before you go crazy let me explain why things are configured like
> they are above. My nic cards are configured for failover. If one fails
> the other takes over. So basically eth1 and eth2 are the same.
So both eth1 and eth2 are connected to the same switch/hub? If so, then
they should be in the same zone since 'net' and 'loc' make no sense in
> one IP will respond on eth1 and sometimes on eth2. So why is there a
> "192.168.0.255"? The ONLY reason is that we have a managed switch and we
> don't want the switch sitting out on the public network for anyone to
> just try and hack. So the switch is configured with the "192.168.0.2"
> for example. This allows us to keep the switch off the net and at the
> same time allow us to manage it internally. Yes it is password
> protected, but we're hoping this extra step will make it more secure.
> fw all ACCEPT
> loc net ACCEPT
> net all DROP info
> all all REJECT info
> ACCEPT net:188.8.131.52/29 fw all
> ACCEPT net:184.108.40.206/28 fw all
> ACCEPT loc:220.127.116.11/29 fw all
> ACCEPT loc:18.104.22.168/28 fw all
> ### I added all the following after reading posts - didn't help
> ACCEPT fw net udp 53
> ACCEPT fw net tcp 53
> ACCEPT fw loc udp 53
> ACCEPT fw loc tcp 53
> ACCEPT net fw udp 53
> ACCEPT loc fw udp 53
> These are other machines in our network. I added all those "udp" and
> port 53 lines based on messages I have read from the mailing list.
> Believe me I've tried everything except the "right" thing obviously.
Well, the last rule SHOULD have prevented the messages you are seeing.
> I don't know why this has to be so difficult. If you're going to use DNS
> I don't see why there can't be some simple rule for DNS like (accept dns
> myip) or (accept dns isp's-ip) and then all the necessary udp, tcp and
> xyz's will be handled. I'm completely lost with all these terms,
> forward, udp, route from the fw to the loc back out to the net and so on...
Possibly you should look at the other firewall scripts available. Some of
them undoubtedly take that approach since it's more intuitive (but not
> At this moment this machine is not to be accessible by the public except
> where needed like this DNS stuff that seems to log millions of lines a
> day. We are currently testing software for clients (yes we write
> software). At times we will make the server accessible to our clients so
> we will add those rules when needed.
> This machine is NOT a masquerading server. It is a standalone.
a) "shorewall restart"
b) Try to access the DNS server on the system and generate some of the log
messages as you originally posted.
c) "shorewall status > /tmp/status"
d) Send me the /tmp/status file.
In the long run, if you stay with Shorewall you will want to eliminate one
of your zones as I mentioned above.
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
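The point Tom is making about the last rule can be checked mechanically. What follows is an added example, not code from this thread or from Shorewall: a small first-match evaluator over constructed copies of the policy and rules fragments quoted above (the obfuscated addresses from the archive are used as-is). It assumes the classic column layout (rules: ACTION SOURCE DEST PROTO DPORT; policy: SOURCE DEST POLICY LOGLEVEL), scans the rules file before the policy file as Shorewall does, and ignores the ESTABLISHED/RELATED acceptance and the `common` chain, so it only says what happens to a NEW connection such as a DNS query.

```python
import ipaddress

# Constructed copy of the quoted /etc/shorewall/policy.  Columns: SOURCE DEST POLICY [LOGLEVEL]
POLICY_FILE = """\
fw all ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info
"""

# Constructed copy of the quoted /etc/shorewall/rules.  Columns: ACTION SOURCE DEST [PROTO] [DPORT]
RULES_FILE = """\
ACCEPT net:188.8.131.52/29 fw all
ACCEPT net:184.108.40.206/28 fw all
ACCEPT loc:220.127.116.11/29 fw all
ACCEPT loc:18.104.22.168/28 fw all
ACCEPT fw net udp 53
ACCEPT fw net tcp 53
ACCEPT fw loc udp 53
ACCEPT fw loc tcp 53
ACCEPT net fw udp 53
ACCEPT loc fw udp 53
"""


def parse_endpoint(field):
    """Split 'zone' or 'zone:subnet' into (zone, ip_network or None)."""
    zone, _, net = field.partition(":")
    return zone, (ipaddress.ip_network(net, strict=False) if net else None)


def parse_rules(text):
    """Parse rules lines; missing PROTO/DPORT columns mean 'all'."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        action, src, dst = parts[0], parse_endpoint(parts[1]), parse_endpoint(parts[2])
        proto = parts[3].lower() if len(parts) > 3 else "all"
        dport = parts[4] if len(parts) > 4 else "all"
        rules.append((action, src, dst, proto, dport, line))
    return rules


def parse_policy(text):
    """Parse policy lines into (src_zone, dst_zone, policy, loglevel, line)."""
    policy = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        log = parts[3] if len(parts) > 3 else None
        policy.append((parts[0], parts[1], parts[2], log, line))
    return policy


def _matches(endpoint, zone, ip):
    """True if the rule endpoint (zone, optional subnet) covers this zone/address."""
    ezone, enet = endpoint
    if ezone not in ("all", zone):
        return False
    return enet is None or ipaddress.ip_address(ip) in enet


def decide(src_zone, src_ip, dst_zone, dst_ip, proto, dport, rules=None, policy=None):
    """Return (verdict, loglevel, deciding_line) for a NEW connection.

    Rules are tried first, top to bottom, first match wins.  Only when no
    rule matches does the policy file apply, again first match wins.
    """
    rules = parse_rules(RULES_FILE) if rules is None else rules
    policy = parse_policy(POLICY_FILE) if policy is None else policy
    for action, src, dst, rproto, rdport, line in rules:
        if (_matches(src, src_zone, src_ip) and _matches(dst, dst_zone, dst_ip)
                and rproto in ("all", proto) and rdport in ("all", str(dport))):
            return action, None, line
    for psrc, pdst, action, log, line in policy:
        if psrc in ("all", src_zone) and pdst in ("all", dst_zone):
            return action, log, line
    raise ValueError("no policy line matched; Shorewall needs an 'all all' policy")


if __name__ == "__main__":
    # Constructed sample packets; 192.168.0.2 is the switch address from the post.
    samples = [
        ("loc", "192.168.0.2", "fw", "192.168.0.1", "udp", 53),   # DNS query from loc
        ("net", "203.0.113.9", "fw", "192.168.0.1", "tcp", 53),   # TCP DNS from a stranger
        ("net", "188.8.131.52", "fw", "192.168.0.1", "tcp", 53),  # TCP DNS from a listed /29
    ]
    for pkt in samples:
        verdict, log, line = decide(*pkt)
        print(f"{pkt[0]}:{pkt[1]} -> {pkt[2]} {pkt[4]}/{pkt[5]}: {verdict}"
              f"{' (logged ' + log + ')' if log else ''}  <- {line}")
```

The first sample confirms the reply in the thread: a UDP DNS query from the local zone is accepted by the final rule, so logged drops of such queries point at something outside these two files (zone assignment of the interface the query arrived on, for instance). The second sample shows what the quoted configuration does log: TCP port 53 from a net host outside the whitelisted subnets falls through to the `net all DROP info` policy.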