On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote:
Adriaan wrote:
> On 7/15/07, Braden Mailloux <[EMAIL PROTECTED]> wrote:
>
>> Dear Readers;
>>
>> I've been using the log feature of pf and have found that, when
>> attempting to access my webserver via dns, that pf does not block any
>> traffic. I also added a log to my "block in quick from urpf-failed" and
>> that has returned no hits in the log.
>
> The time that I had a similar issue, where tcpdump on pflog0 didn't
> show anything, turned out to be a routing issue.
> I had an authoritative-only nameserver in a DMZ and forgot to set its
> default route to the IP address of the DMZ NIC of the OBSD firewall.
> It didn't know how to route the replies to the outside and hence
> nothing showed up on pflog0.
>
> tcpdump is not limited to pflog0, you also can run it on a normal
> interface. ;)
>
> SSH in on the nameserver and run tcpdump on its NIC
>   tcpdump -ni fxp0 port domain
>
> Check if you see a DNS request coming in
>
> =Adriaan=
>
>
>
Dear Readers;

My nameserver's default route is set to the IP address of the DMZ NIC.
Also, when attempting to access my webserver via DNS from another site,
no DNS queries came through to my server while monitoring the dump
information on rl0 (my nameserver's nic).

Does tcpdump on the external NIC of your OpenBSD firewall show any DNS
requests coming in?

Doing an A record search for www.theamericanbray.com at
http://www.squish.net/dnscheck/
gives the following result:

50.0% of queries will end in failure at 64.142.102.9
(a.ns.theamericanbray.com) - query timed out
50.0% of queries will end in failure at 64.142.102.10
(b.ns.theamericanbray.com) - query timed out

Keep in mind that you have to perform the test from the outside as
described in http://openbsd.unixtech.be/faq/pf/rdr.html#reflect

Did you do the tests suggested in the section "Checking addresses of
your computers" of
http://cr.yp.to/djbdns/run-server.html ?

=Adriaan=
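A pf.conf fragment, added here as an illustration and not taken from either poster, showing the logging setup that Adriaan's diagnosis depends on: with both the block and the pass rules logged, an empty pflog0 means the query never reached the firewall at all. The interface names and the 192.0.2.10 nameserver address are constructed placeholders.

```pf
ext_if = "fxp0"          # assumed: outside interface of the OpenBSD firewall
dmz_if = "fxp1"          # assumed: interface facing the DMZ
ns_ip  = "192.0.2.10"    # constructed placeholder for the DMZ nameserver

set skip on lo

# Spoofed sources are dropped and logged; a hit shows up on pflog0
block in log quick from urpf-failed

# Default deny, logged: a packet that reaches pf and matches nothing
# still leaves a trace on pflog0
block log all

# Log accepted DNS as well, so legitimate queries also appear on pflog0
pass in  log on $ext_if inet proto { tcp, udp } to $ns_ip port domain keep state
pass out     on $dmz_if inet proto { tcp, udp } to $ns_ip port domain keep state

# Replies from the nameserver (its default route must point at $dmz_if,
# otherwise the answers never come back through here)
pass in  on $dmz_if inet from $ns_ip keep state
pass out on $ext_if inet from $ns_ip keep state

# Where to look, in order, when a query "vanishes":
#   tcpdump -n -e -ttt -i pflog0            what pf logged (pass or block)
#   tcpdump -ni $ext_if port domain         what arrived on the outside NIC
#   tcpdump -ni $dmz_if port domain         what was forwarded to the DMZ
# Run the test from an outside host: queries from the LAN to the public
# address never cross $ext_if (see the rdr reflection FAQ cited above).
```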
