Hi Rodney,

The dnsinfo.C file is *VERY* particular about the formatting etc.
1) DO NOT USE NOTEPAD TO EDIT THIS FILE. Use DOS edit or vi or something
else!
2) Ensure that the file is called "dnsinfo.C", i.e. it is case-sensitive.
3) It's best to fwstop the firewall management before making changes and
fwstart once the changes are complete. You could pre-author the file and
fwstop;copy;fwstart. If this is the same machine as your firewall module
then this will stop your firewall. You only need to make this change at the
machine that is your firewall management server as it is compiled and then
deployed to your firewall module, i.e. you will need to reload your fwgui and
redeploy the rulebase.
4) The formatting of your dnsinfo.C file should be:
(
:dns_servers (
        : (kramer.firewall
                :obj (
                        : (10.1.100.100)
                )
                :topology (
                        : (
                                :ipaddr (10.1.0.0)
                                :ipmask (255.255.0.0)
                        )
                )
                :domain (
                        : (
                                :dns_label_count (4)
                                :domain (velcro.com)
                        )
                )
        )
)
:encrypt_dns (true)
)
5) The label kramer.firewall is made up of the names of objects you have
defined in the rulebase: kramer is your PDC and firewall is your firewall
object.

6) Modify your crypt.def file and put
#define ENCDNS
before define USERC_DECRYPT_SRC {
Once again, the same rules apply to modifying this file as to the dnsinfo.C
file - DON'T use Notepad, and fwstop your firewall management before applying
this change.

7) If you are using SR 4.1 (I think...) then ensure that you have
:active_resolver (true) in your userc.C file otherwise you'll need to add
the
:dns_xlate (true)
:dns_encrypt (true)

8) You will need to insert a rule (near the top of the rulebase)
Src->RemoteUserGroup@Any
Dst->YourInternalNetworks
Service->DNS
Action->ClientEncrypt

9) If you don't see a dnsinfo section populated in your userc.C file, then
you have most likely misconfigured something in the above steps.

Cheers
Greg
email: [EMAIL PROTECTED]     web: http://www.securit.co.nz/
__________________________________________________________

Please Note: This e-mail is only intended to be read by the named recipient.
It may contain information that is confidential, proprietary or the subject
of legal privilege. If you are not the intended recipient, you must delete
this e-mail and may not use any information contained in it. Legal privilege
is not waived because you have read this e-mail. All content is to be
treated as confidential unless otherwise specified, and is not to be
forwarded to third parties without prior permission by the author. To do so
is a clear breach of the New Zealand Privacy Act.
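Steps 1, 4 and 5 above as a pre-flight check, an added example that is not part of this thread and not Check Point's own tooling: a small parser for the parenthesised ':key (value)' layout of dnsinfo.C, plus a checker that flags the things Greg lists (CRLF line endings from Notepad, unbalanced parentheses, a server name that is not dns_object.fw_object, an :obj that is not an IP address, a topology entry whose address has host bits set under its mask, a :domain entry without :dns_label_count, and a missing :encrypt_dns (true)). The only facts it relies on are the field names and values in Greg's step 4; the function names, the problem messages and the embedded sample (a whitespace-compacted copy of that file) are this example's own, and quoted strings containing spaces, which this file does not use, are not handled.

```python
"""Split-DNS sanity checks for a FireWall-1 4.1 dnsinfo.C.  Added example, not
code from the thread or from Check Point; it assumes only the file layout and
field names shown in Greg's step 4 (function names and messages are its own)."""
import ipaddress
import re


class Group:
    """One parenthesised group: leading bare atoms plus ':key (value)' pairs."""
    def __init__(self, atoms=None, pairs=None):
        self.atoms, self.pairs = atoms or [], pairs or []   # pairs: [(key, Group)]

    def get(self, key):       # first value stored under key, else an empty Group
        return next((v for k, v in self.pairs if k == key), Group())

    def getall(self, key):
        return [v for k, v in self.pairs if k == key]

    def scalar(self):         # '(10.1.0.0)' -> '10.1.0.0'; anything else -> None
        return self.atoms[0] if len(self.atoms) == 1 else None


def parse_c_file(text):
    """Parse the '( :key (value) ... )' layout of a Check Point .C file into
    nested Groups.  Unnamed members written ': (...)' get the key ''."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0

    def group():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != "(":
            raise ValueError("expected '(' at token %d" % pos)
        pos += 1
        g = Group()
        while pos < len(tokens):
            tok = tokens[pos]
            if tok == ")":
                pos += 1
                return g
            if tok == "(":                     # nested group with no key
                g.pairs.append(("", group()))
            elif tok.startswith(":"):          # ':name' followed by '(value)'
                pos += 1
                g.pairs.append((tok[1:], group()))
            else:                              # bare atom such as kramer.firewall
                g.atoms.append(tok)
                pos += 1
        raise ValueError("unbalanced parentheses: missing ')'")

    top = group()
    if pos != len(tokens):
        raise ValueError("unbalanced parentheses: text after the final ')'")
    return top


def check_dnsinfo(text):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if "\r" in text or text.startswith("\ufeff"):   # step 1: Notepad damage
        problems.append("CRLF line endings or BOM: use vi or DOS edit, not Notepad")
    try:
        top = parse_c_file(text.lstrip("\ufeff"))
    except ValueError as e:
        return problems + ["syntax: %s" % e]
    entries = top.get("dns_servers").getall("")
    if not entries:
        problems.append("no ': (...)' entries under :dns_servers")
    for i, ent in enumerate(entries):
        name = ent.atoms[0] if ent.atoms else ""
        if name.count(".") != 1:                 # step 5: dns_object.firewall_object
            problems.append("entry %d: name must be dns_object.fw_object, got %r" % (i, name))
        try:
            ipaddress.ip_address(ent.get("obj").get("").scalar() or "")
        except ValueError:
            problems.append("entry %d: :obj must hold the DNS server's IP address" % i)
        nets, doms = ent.get("topology").getall(""), ent.get("domain").getall("")
        if not nets or not doms:
            problems.append("entry %d: needs a :topology and a :domain entry" % i)
        for net in nets:                         # strict: host bits must be zero under the mask
            addr, mask = net.get("ipaddr").scalar(), net.get("ipmask").scalar()
            try:
                ipaddress.ip_network("%s/%s" % (addr, mask))
            except ValueError:
                problems.append("entry %d: bad topology network %s/%s" % (i, addr, mask))
        for d in doms:
            if not (d.get("dns_label_count").scalar() or "").isdigit() or not d.get("domain").scalar():
                problems.append("entry %d: :domain needs :dns_label_count (n) and :domain (name)" % i)
    if top.get("encrypt_dns").scalar() != "true":
        problems.append(":encrypt_dns (true) is missing")
    return problems


# Constructed sample: Greg's step-4 layout and values, whitespace compacted.
SAMPLE_DNSINFO = """(
:dns_servers ( : (kramer.firewall
    :obj ( : (10.1.100.100) )
    :topology ( : ( :ipaddr (10.1.0.0) :ipmask (255.255.0.0) ) )
    :domain ( : ( :dns_label_count (4) :domain (velcro.com) ) ) ) )
:encrypt_dns (true) )"""
```

Run it as `check_dnsinfo(open("$FWDIR/conf/dnsinfo.C", newline="").read())` (the `newline=""` keeps any CR bytes so the Notepad check can see them); an empty list means the file is at least well-formed, which is worth knowing before you fwstop the management server and recompile. The parser tolerates whitespace and indentation differences, which is why the compacted sample above parses to the same structure as Greg's indented file.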
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Rodney Lacroix
Sent: 15 September 2000 7:29 a.m.
To: [EMAIL PROTECTED]
Subject: [FW1] Split DNS with SecuRemote and 4.1 does not work even a little

I'm going bald trying to get this to work.

I have been trying to go over the split DNS configuration on my firewall
(4.1/SP2), and cannot get it to work. Per the documentation I've found on
this mailing list and on Phoneboy, I've done the following:

1) Created a dnsinfo.C file in the $FWDIR/conf directory on the firewall
(the Management module and firewall are one and the same)
2) Edited the userc.C file on the SecuRemote client.

Here's what I get:

The userc.c file looks no different when I update the site from SecuRemote.
I'm not sure what it's supposed to look like, or what it's supposed to
download.

I can only ping my DNS server, nothing defined as a host on the DNS server.

My dnsinfo.C looks like this:

(
:dns_servers (
         : (kramer.firewall
              :obj (
                 : (10.1.100.100)
              )
          :topology (
              : (
                 :ipaddr (10.1.0.0)
                 :ipmask (255.255.0.0)
              )
          )

...etc., etc. per the instructions and addendums.

Questions:  what is the significance of the dns_svr_name.fw_name fields, and
where is it getting this information?  Does the DNS server need to be
identified as a workstation object on the firewall with that name?  Are
there any specific settings in the rulebase (either implied or otherwise)
that need to be set to make this work?

I've even tried the "disable MD5" setting, and still nothing.  I see
"nbname" packets going to my DNS server, but my DNS server shows no requests
being made to it.

Any help is greatly appreciated.

Rodney Lacroix

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================