Topic: named running on Server behind M0n0wall  (Read 2343 times)
« on: May 24, 2008, 17:44:38 »
Snyke *
Posts: 3

Hi all, I have a running server that provides all the services I'm hosting and I'm right now putting a m0n0wall box in front of it.
I thought that I'd just take the m0n0wall and make a simple NAT rule mapping all ports from 1-1024 to the existing server, and it seems to be working nicely, with most of the services working just fine (httpd, email, ...), but the name server that takes care of some domains just doesn't seem to work at all. Also I can't ping any of the public IP addresses.
Any idea?
« Reply #1 on: May 24, 2008, 19:45:55 »
knightmb ****
Posts: 341

Need more details about your setup?

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: May 24, 2008, 20:03:06 »
Fred Grayson *****
Posts: 994

Maybe I'm missing something here, but opening a range of ports like that really isn't a good idea. Why place a firewall in front of something and then open all the privileged ports?

Anyway, are you forwarding TCP/UDP or just TCP? Most DNS queries are UDP.
« Last Edit: May 24, 2008, 21:20:11 by fredg »

--
Google is your friend and Bob's your uncle.
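The point in the reply above (a forward that passes only TCP silently breaks DNS, because ordinary queries travel over UDP) is easy to check from outside the firewall. The following probe is an added example, not code from the thread or from m0n0wall: it builds one DNS question by hand so the wire format is visible, sends it once as a bare UDP datagram and once over TCP with the two-byte length prefix that RFC 1035 requires, and reports which transport gets an answer. The server address and query name are whatever you pass on the command line; the transaction id and timeout are assumptions.

```python
"""Added example (not from the forum post): probe a name server over UDP and
over TCP with the same hand-built DNS question.

A port forward that only carries TCP will answer the TCP probe and time out
on the UDP probe; that pattern is the symptom to look for.
"""
import socket
import struct
import sys
from typing import Optional

TXID = 0x1234          # assumption: fixed id so replies are easy to match
TIMEOUT = 3.0          # assumption: seconds to wait for each transport


def build_query(name: str, txid: int = TXID, qtype: int = 1) -> bytes:
    """Return a wire-format DNS query for `name` (qtype 1 = A, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, txid: int = TXID) -> dict:
    """Pull the header fields a probe cares about out of a DNS response."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    return {
        "is_response": bool(flags & 0x8000),
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),   # TC set: client must retry over TCP
        "rcode": flags & 0x000F,
        "answers": an,
    }


def probe(server: str, name: str, proto: str) -> Optional[dict]:
    """Send one query over 'udp' or 'tcp'; None means the transport timed out."""
    q = build_query(name)
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, kind)
    s.settimeout(TIMEOUT)
    try:
        if proto == "udp":
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
        else:
            s.connect((server, 53))
            s.sendall(struct.pack("!H", len(q)) + q)   # TCP: 2-byte length prefix
            length = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
        return parse_response(data)
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    # usage: python dnsprobe.py <public-ip-of-nameserver> <name-it-is-authoritative-for>
    server, name = sys.argv[1], sys.argv[2]
    for transport in ("udp", "tcp"):
        print(f"{transport}: {probe(server, name, transport)}")
```

Run it from a host outside the firewall against the public address the NS record points to. Both transports should answer with `is_response` and `authoritative` set; UDP timing out while TCP answers means the forward is TCP-only, and both timing out means the query never reaches named at all (rule or NAT problem, not a named problem).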
« Reply #3 on: May 24, 2008, 21:19:49 »
Snyke *
Posts: 3

Well it was mainly a test setup to see if I can get things working, later I'd restrict the port ranges to match my services. So here goes my setup:
Code:
<?xml version="1.0"?>
<m0n0wall>
    <version>1.8</version>
    <lastchange>1211645438</lastchange>
    <system>
        <hostname>miller</hostname>
        <domain>xxx.ch</domain>
        <username>admin</username>
        <password>xxxxx</password>
        <timezone>Etc/UTC</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>swisstime.ethz.ch</timeservers>
        <webgui>
            <protocol>https</protocol>
            <port>8888</port>
            <certificate/>
            <private-key/>
            <expanddiags/>
        </webgui>
        <dnsserver>x.x.x.x</dnsserver>
        <dnsserver>x.x.x.x</dnsserver>
    </system>
    <interfaces>
        <lan>
            <if>vr0</if>
            <ipaddr>192.168.2.1</ipaddr>
            <subnet>24</subnet>
            <media/>
            <mediaopt/>
        </lan>
        <wan>
            <if>vr1</if>
            <media/>
            <mediaopt/>
            <spoofmac/>
            <ipaddr>x.x.x.x</ipaddr>
            <subnet>29</subnet>
            <gateway>x.x.x.x</gateway>
        </wan>
        <opt1>
            <descr>OPT1</descr>
            <if>vr2</if>
            <ipaddr>192.168.3.1</ipaddr>
            <subnet>24</subnet>
            <bridge/>
            <enable/>
        </opt1>
    </interfaces>
    <staticroutes/>
    <pppoe/>
    <pptp/>
    <bigpond/>
    <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
        <host/>
        <mx/>
        <server/>
        <port/>
    </dyndns>
    <dnsupdate/>
    <dhcpd>
        <lan>
            <range>
                <from>192.168.1.100</from>
                <to>192.168.1.199</to>
            </range>
            <defaultleasetime/>
            <maxleasetime/>
            <next-server/>
            <filename/>
        </lan>
    </dhcpd>
    <pptpd>
        <mode/>
        <nunits>16</nunits>
        <redir/>
        <localip/>
        <remoteip/>
    </pptpd>
    <dnsmasq/>
    <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
    </snmpd>
    <diag>
        <ipv6nat>
            <ipaddr/>
        </ipv6nat>
    </diag>
    <bridge/>
    <syslog>
        <reverse/>
        <nentries>50</nentries>
        <remoteserver/>
    </syslog>
    <nat>
        <rule>
            <external-address>x.x.x.x</external-address>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <rule>
            <external-address>x.x.x.x</external-address>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <rule>
            <external-address>x.x.x.x</external-address>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <rule>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <servernat>
            <ipaddr>x.x.x.x</ipaddr>
            <descr/>
        </servernat>
        <servernat>
            <ipaddr>x.x.x.x</ipaddr>
            <descr/>
        </servernat>
        <servernat>
            <ipaddr>x.x.x.x</ipaddr>
            <descr/>
        </servernat>
    </nat>
    <filter>
        <rule>
            <type>pass</type>
            <interface>wan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <descr>NAT </descr>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default LAN -&gt; any</descr>
            <interface>lan</interface>
            <source>
                <network>lan</network>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
        <rule>
            <type>pass</type>
            <descr>Default IPsec VPN</descr>
            <interface>ipsec</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
        </rule>
        <tcpidletimeout/>
    </filter>
    <shaper>
        <enable/>
        <pipe>
            <bandwidth>4096</bandwidth>
            <descr>Full</descr>
        </pipe>
        <pipe>
            <bandwidth>2048</bandwidth>
            <descr>Half</descr>
        </pipe>
        <queue>
            <targetpipe>0</targetpipe>
            <weight>1</weight>
            <descr>Full speed</descr>
        </queue>
        <rule>
            <interface>wan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
                <port>1-1024</port>
            </destination>
            <direction>out</direction>
            <iplen/>
            <iptos/>
            <tcpflags/>
            <descr>Full Linux Services (outgoing)</descr>
            <targetqueue>0</targetqueue>
        </rule>
        <rule>
            <interface>wan</interface>
            <source>
                <any/>
                <port>1-1024</port>
            </source>
            <destination>
                <any/>
            </destination>
            <direction>in</direction>
            <iplen/>
            <iptos/>
            <tcpflags/>
            <descr>Full Linux Services (incoming)</descr>
            <targetpipe>0</targetpipe>
        </rule>
        <rule>
            <interface>wan</interface>
            <source>
                <any/>
            </source>
            <destination>
                <any/>
            </destination>
            <direction/>
            <iplen/>
            <iptos/>
            <tcpflags/>
            <descr>Squash everything</descr>
            <targetpipe>1</targetpipe>
        </rule>
    </shaper>
    <ipsec>
        <dns-interval/>
    </ipsec>
    <aliases/>
    <proxyarp>
        <proxyarpnet>
            <interface>wan</interface>
            <network>x.x.x.x/32</network>
            <descr>NAT </descr>
        </proxyarpnet>
        <proxyarpnet>
            <interface>wan</interface>
            <network>x.x.x.x/32</network>
            <descr/>
        </proxyarpnet>
        <proxyarpnet>
            <interface>wan</interface>
            <network>x.x.x.x/32</network>
            <descr/>
        </proxyarpnet>
    </proxyarp>
    <wol/>
</m0n0wall>
Hoping that I removed all sensitive data.
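The config above is the kind of thing worth checking mechanically rather than by eye: the same 1-1024 forward appears several times, a single inbound NAT rule exposes every privileged port, and the WAN filter rule passes any source to any destination. The script below is an added example, not part of the thread or of m0n0wall itself. It parses a config.xml of the shape posted (a constructed copy with placeholder addresses is embedded so it runs offline) and reports wide port forwards, exact-duplicate NAT rules, pass any-to-any rules on the WAN interface, and whether any forward actually covers UDP/53 so that queries can reach the name server. The width threshold is an assumption.

```python
"""Added example (not from the forum post): static audit of a m0n0wall
config.xml.  SAMPLE_CONFIG is constructed to mirror the posted structure
with documentation-range addresses; it is not the poster's real config."""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <nat>
    <rule><external-address>198.51.100.178</external-address><protocol>tcp/udp</protocol>
      <external-port>1-1024</external-port><target>192.168.2.2</target>
      <local-port>1</local-port><interface>wan</interface><descr/></rule>
    <rule><external-address>198.51.100.178</external-address><protocol>tcp/udp</protocol>
      <external-port>1-1024</external-port><target>192.168.2.2</target>
      <local-port>1</local-port><interface>wan</interface><descr/></rule>
    <rule><external-address>198.51.100.181</external-address><protocol>tcp</protocol>
      <external-port>80</external-port><target>192.168.2.2</target>
      <local-port>80</local-port><interface>wan</interface><descr>web</descr></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface>
      <source><any/></source><destination><any/></destination><descr>NAT </descr></rule>
    <rule><type>pass</type><descr>Default LAN -&gt; any</descr><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination></rule>
  </filter>
</m0n0wall>
"""

MAX_PORTS_PER_FORWARD = 16   # assumption: wider than this deserves a second look


def port_range(text):
    """'1-1024' -> (1, 1024); '80' -> (80, 80)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi) if hi else int(lo)


def _text(el, tag):
    child = el.find(tag)
    return (child.text or "").strip() if child is not None else ""


def audit_config(xml_text):
    """Return a list of human-readable findings for the given config.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    seen = Counter()
    dns_udp_forwarded = False
    for i, r in enumerate(root.findall("./nat/rule")):
        proto = _text(r, "protocol")
        lo, hi = port_range(_text(r, "external-port"))
        target = _text(r, "target")
        key = (_text(r, "external-address"), proto, lo, hi, target, _text(r, "interface"))
        seen[key] += 1
        if hi - lo + 1 > MAX_PORTS_PER_FORWARD:
            findings.append(f"nat rule {i}: forwards {hi - lo + 1} ports ({lo}-{hi}) to {target}")
        if "udp" in proto and lo <= 53 <= hi:
            dns_udp_forwarded = True
    for key, n in seen.items():
        if n > 1:
            findings.append(f"duplicate nat rule x{n}: {key[0]} {key[1]} {key[2]}-{key[3]} -> {key[4]}")
    if not dns_udp_forwarded:
        findings.append("no inbound forward covers UDP/53; DNS queries cannot reach the name server")
    for i, r in enumerate(root.findall("./filter/rule")):
        if (_text(r, "interface") == "wan" and _text(r, "type") == "pass"
                and r.find("source/any") is not None
                and r.find("destination/any") is not None):
            findings.append(f"filter rule {i}: pass any->any on wan (descr={_text(r, 'descr')!r})")
    return findings


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG):
        print(line)
```

Point it at a real file with `audit_config(open("config.xml").read())`. The UDP/53 check is the one that matters for this thread: change the sample's protocol from `tcp/udp` to `tcp` and the script reports that no forward carries DNS queries, which is exactly Fred's question about TCP-only forwarding.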
« Reply #4 on: May 24, 2008, 22:57:19 »
knightmb ****
Posts: 341

Ok, cool.

So how is the name server set up in relation to the rest of the network (a diagram would be helpful)?

So far I see:

Internet -> m0n0wall -> Server

So how does the DNS server fit into all of that? Does your m0n0wall handle multiple WAN addresses and point them all to the server?

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #5 on: May 25, 2008, 01:49:39 »
Fred Grayson *****
Posts: 994

In this section you have the same rule more than once. Why?

<nat>
        <rule>
            <external-address>x.x.x.x</external-address>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <rule>
            <external-address>x.x.x.x</external-address>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <rule>
            <external-address>x.x.x.x</external-address>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>
        <rule>
            <protocol>tcp/udp</protocol>
            <external-port>1-1024</external-port>
            <target>192.168.2.2</target>
            <local-port>1</local-port>
            <interface>wan</interface>
            <descr/>
        </rule>

--
Google is your friend and Bob's your uncle.
« Reply #6 on: May 25, 2008, 10:57:18 »
Snyke *
Posts: 3

Ok, I'm starting to wonder whether my named configuration is all right. I fixed some minor things with the m0n0wall configuration, which now reads as follows:

NAT:
Forward all ports 1-1024 on the main WAN interface to 192.168.2.2 (my old server)
The above rule repeated for the 3 server nat IPs

Rules:
Pass all UDP traffic with destination port 53
Pass all UDP traffic with source port 53
Drop everything else

I have the first IP in the range as my main IP (x.x.x.178) and the others (x.x.x.179, x.x.x.181 and x.x.x.182) as server NATs. The DNS record points to x.x.x.181
The really ugly thing is that I can't even ping the server from itself...

Checking /var/log/messages on the server however I see some incoming emails, strange...
 
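The three-line WAN ruleset in the last post (pass UDP to port 53, pass UDP from port 53, drop everything else) is short enough to evaluate by hand, but doing it in code makes the consequences explicit. The block below is an added example, not from the thread: a first-match rule evaluator run over constructed traffic for the services the poster mentions, plus one packet an attacker would craft. It shows that the ruleset admits DNS over UDP only (DNS over TCP, SMTP, HTTP and ICMP all fall through to the drop rule, which matches "can't ping"), and that the "source port 53" rule lets any UDP packet in as long as the sender sets its source port to 53. A tighter ruleset with explicit destination ports and no source-port rule is included for comparison; the service ports in it are assumptions.

```python
"""Added example (not from the forum post): first-match evaluation of the
posted WAN ruleset against constructed traffic."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # 'tcp', 'udp' or 'icmp'
    sport: int        # 0 when the protocol has no ports
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # 'pass' or 'drop'
    proto: str = "any"
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    descr: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


# The ruleset as described in the post, in order.
POSTED_WAN_RULES = [
    Rule("pass", "udp", dport=53, descr="Pass all UDP traffic with destination port 53"),
    Rule("pass", "udp", sport=53, descr="Pass all UDP traffic with source port 53"),
    Rule("drop", descr="Drop everything else"),
]

# Assumed alternative: only destination ports, TCP/53 included, no source-port rule.
TIGHTER_WAN_RULES = [
    Rule("pass", "udp", dport=53, descr="DNS queries"),
    Rule("pass", "tcp", dport=53, descr="DNS over TCP (truncated answers, zone transfers)"),
    Rule("pass", "tcp", dport=25, descr="SMTP"),
    Rule("pass", "tcp", dport=80, descr="HTTP"),
    Rule("drop", descr="Drop everything else"),
]

# Constructed traffic samples (not captured data).
TRAFFIC = {
    "dns query (udp/53)":            Packet("udp", 51000, 53),
    "dns over tcp (zone xfer / TC)": Packet("tcp", 51000, 53),
    "smtp delivery (tcp/25)":        Packet("tcp", 51000, 25),
    "http (tcp/80)":                 Packet("tcp", 51000, 80),
    "icmp echo":                     Packet("icmp", 0, 0),
    "attacker udp src 53 -> snmp":   Packet("udp", 53, 161),
}


def evaluate(rules, p: Packet):
    """First matching rule wins; an empty or non-matching list is a drop."""
    for r in rules:
        if r.matches(p):
            return r.action, r.descr
    return "drop", "implicit default deny"


def report(rules=POSTED_WAN_RULES, traffic=TRAFFIC) -> dict:
    """Map each sample packet name to the action the ruleset takes on it."""
    return {name: evaluate(rules, p)[0] for name, p in traffic.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_WAN_RULES), ("tighter", TIGHTER_WAN_RULES)):
        print(f"--- {label} ruleset")
        for name, action in report(rules).items():
            print(f"{action:5} {name}")
```

Two things to take from the output: the posted rules drop TCP/53, so any answer larger than 512 bytes (truncated, retried over TCP) and any zone transfer fails even though plain UDP lookups work; and matching on a source port of 53 is not a DNS rule at all, since the source port is chosen by the remote side. Stateful filtering already lets replies to outbound queries back in, so the source-port rule buys nothing and costs a lot.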
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines