[Shorewall-users] DNS Errors. Yes I know, not another DNS question...

Tom Eastep teastep at shorewall.net
Tue, 24 Sep 2002 06:52:57 -0700


Karen Barnes wrote:
> 1st I will mention that I have created my own common file using your 
> common.def. I simply added this line as instructed in other posts I have 
> found in this list:
> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP

This rule is for DNS replies -- your problem is DNS requests.

> I am currently using two ethernet cards and a total of 3 IPs. With that 
> said here is my interfaces:
> <--snip-->
> /etc/shorewall/interfaces
> net eth1, 
> routefilter,noping,blacklist,routestopped
> loc eth2, 
> routefilter,noping,blacklist,routestopped
> <--snip-->
> Now before you go crazy let me explain why things are configured like 
> they are above. My nic cards are configured for failover. If one fails 
> the other takes over. So basically eth1 and eth2 are the same.

So both eth1 and eth2 are connected to the same switch/hub? If so, then 
they should be in the same zone since 'net' and 'loc' make no sense in 
that case.

> Sometimes 
> one IP will respond on eth1 and sometimes on eth2. So why is there a 
> ""? The ONLY reason is that we have a managed switch and we 
> don't want the switch sitting out on the public network for anyone to 
> just try and hack. So the switch is configured with the "" 
> for example. This allows us to keep the switch off the net and at the 
> same time allow us to manage it internally. Yes it is password 
> protected, but we're hoping this extra step will make it more secure.


> <--snip-->
> /etc/shorewall/policy
> fw  all ACCEPT
> loc net ACCEPT
> net all DROP info
> all all REJECT info
> <--snip-->
> <--snip-->
> /etc/shorewall/rules
> ACCEPT   net:  fw    all
> ACCEPT   net:   fw    all
> ACCEPT   loc:  fw    all
> ACCEPT   loc:   fw    all
> ### I added all the following after reading posts - didn't help
> ACCEPT   fw                     net   udp  53
> ACCEPT   fw                     net   tcp  53
> ACCEPT   fw                     loc   udp  53
> ACCEPT   fw                     loc   tcp  53
> ACCEPT   net                    fw    udp  53
> ACCEPT   loc                    fw    udp  53
> <--snip-->
> These are other machines in our network. I added all those "udp" and 
> port 53 lines based on messages I have read from the mailing list. 
> Believe me I've tried everything except the "right" thing obviously.

Well, the last rule SHOULD have prevented the messages you are seeing.

> I don't know why this has to be so difficult. If you're going to use DNS 
> I don't see why there can't be some simple rule for DNS like (accept dns 
> myip) or (accept dns isp's-ip) and then all the necessary udp, tcp and 
> xyz's will be handled. I'm completely lost with all these terms, 
> forward, udp, route from the fw to the loc back out to the net and so on...

Possibly you should look at the other firewall scripts available. Some of 
them undoubtedly take that approach since it's more intuitive (but not 
particularly flexible).

> At this moment this machine is not to be accessible by the public except 
> were needed like this DNS stuff that seems to log millions of lines a 
> day. We are currently testing software for clients (yes we write 
> software). At times we will make the server accessible to our clients so 
> we will add those rules when needed.
> This machine is NOT a masqurading server. It is a standalone.


a) "shorewall restart"
b) Try to access the DNS server on the system and generate some of the log 
messages as you originally posted.
c) "shorewall status > /tmp/status"
d) Send me the /tmp/status file.

In the long run, if you stay with Shorewall you will want to eliminate one 
of your zones as I mentioned above.

Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net