[prev in list] [next in list] [prev in thread] [next in thread]
List: ipfilter
Subject: Re: DNS & ipnat confusion
From: "James Moore" <jim () bokler ! com>
Date: 2000-04-27 1:08:38
[Download RAW message or body]
On 26 Apr 00,, Jefferson Ogata wrote:
> James Moore wrote:
> > There's one mystery I can't solve so far: hosts on the private LAN don't
get
> > DNS when the following rule is included (based on "ipfstat -hi"):
> >
> > "block in log quick on xl1 from any to 192.168.0.0/16"
> >
> > What I see at the console of the BSD box while DNS is being choked off is
> > something like the following:
> >
> > "ipmon[2612] (blah, blah) xl1@0:13 b 209.119.96.3 -> 192.168.1.5, 1207 PR
udp
> > len 20"
> >
> > I'm interpreting ipmon's message as follows: "ipfilter is dropping this UDP
> > packet from your ISP's DNS 'cause I've got a rule that says inbound packets
> > addressed to 192.168.0.0/16 don't get through."
> >
> > I agree! According to the rule it should be dropped. Where I'm confused is
why
> > it's addressed to 192.168.1.5 on port 1207. My ipnat rule is as follows:
> >
> > "map xl1 192.168.1.0/24 -> 208.xxx.xxx.x/32 portmap tcp/udp 10000:65000"
> >
> > Why isn't ipnat translating my dns request from 192.168.1.5 to my public
> > address with the DNS port number?, and why is the port number 1207 used
when
> > the prescribed range is 10,000 - 65,000?
> >
>
> You're seeing the traffic after it's been translated back to your private
> addresses.
OK - that being the case, I'm further confused on two points:
1) why is the port number 1207 rather than one in the range set by my
ipnat.rules (10,000 - 65,000)?
2) Since it's being blocked on the inbound side of the external (xl1)
interface, I don't understand why is it's being dropped... doesn't it come into
xl1 with the destination address of the external nic?
I'm sure I'm overlooking something fundamental. I thought the DNS response
would have come back into xl1 with a destination address of the external nic,
not the internal nic... where have I missed the boat?
> Are you using keep state on your DNS rule? If not, try something
> like the following:
>
> pass in on xl0 proto udp from 192.168.1.0/24 to any port = domain keep state
>
> For TCP queries (these happen too), you might also want:
>
> pass in on xl0 proto tcp from 192.168.1.0/24 to any port = domain flags S
keep
> state
>
> These should create reverse rules to allow return traffic any time one of
your
> machines sends outbound DNS queries. My guess is that currently you're just
> allowing the queries out without keeping state.
>
> Some people like to write these rules as "pass out on xl1 ..." YMMV.
>
Yep - this will work, I just want to clear up my flawed thinking and understand
why the other approach doesn't work.
Thanks,
James Moore
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic