[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: DNS & ipnat confusion
From:       "James Moore" <jim () bokler ! com>
Date:       2000-04-27 1:08:38
[Download RAW message or body]

On 26 Apr 00,, Jefferson Ogata wrote: 
> James Moore wrote: 
> > There's one mystery I can't solve so far: hosts on the private LAN don't 
get 
> > DNS when the following rule is included (based on "ipfstat -hi"): 
> >  
> > "block in log quick on xl1 from any to 192.168.0.0/16" 
> >  
> > What I see at the console of the BSD box while DNS is being choked off is 
> > something like the following: 
> >  
> > "ipmon[2612] (blah, blah) xl1@0:13 b 209.119.96.3 -> 192.168.1.5, 1207 PR 
udp 
> > len 20" 
> >  
> > I'm interpreting ipmon's message as follows: "ipfilter is dropping this UDP 
> > packet from your ISP's DNS 'cause I've got a rule that says inbound packets 
> > addressed to 192.168.0.0/16 don't get through." 
> >  
> > I agree! According to the rule it should be dropped. Where I'm confused is 
why 
> > it's addressed to 192.168.1.5 on port 1207. My ipnat rule is as follows: 
> >  
> > "map xl1 192.168.1.0/24 -> 208.xxx.xxx.x/32 portmap tcp/udp 10000:65000" 
> >  
> > Why isn't ipnat translating my dns request from 192.168.1.5 to my public 
> > address with the DNS port number?, and why is the port number 1207 used 
when 
> > the prescribed range is 10,000 - 65,000? 
> >  
>  
> You're seeing the traffic after it's been translated back to your private 
> addresses.  

OK - that being the case, I'm further confused on two points: 

1) why is the port number 1207 rather than one in the range set by my  
ipnat.rules (10,000 - 65,000)? 

2) Since it's being blocked on the inbound side of the external (xl1)  
interface, I don't understand why is it's being dropped... doesn't it come into 
 xl1 with the destination address of the external nic?  

I'm sure I'm overlooking something fundamental. I thought the DNS response  
would have come back into xl1 with a destination address of the external nic,  
not the internal nic... where have I missed the boat?  

> Are you using keep state on your DNS rule? If not, try something 
> like the following: 
>  
> pass in on xl0 proto udp from 192.168.1.0/24 to any port = domain keep state 
>  
> For TCP queries (these happen too), you might also want: 
>  
> pass in on xl0 proto tcp from 192.168.1.0/24 to any port = domain flags S 
keep 
> state 
>  
> These should create reverse rules to allow return traffic any time one of 
your 
> machines sends outbound DNS queries. My guess is that currently you're just 
> allowing the queries out without keeping state. 
>  
> Some people like to write these rules as "pass out on xl1 ..." YMMV. 
>  

Yep - this will work, I just want to clear up my flawed thinking and understand 
 why the other approach doesn't work. 

Thanks, 
James Moore 

[prev in list] [next in list] [prev in thread] [next in thread]