The situation has improved a bit. The main symptom now seems to be that the command

    netstat -an | grep 53

yields

    udp        0      0 0.0.0.0:53        0.0.0.0:*

so it does not look like the internal iface (192.168.1.254) is being bound to port 53.

    ps | grep dnscache

yields

    1026 daemon     S    /usr/bin/dnscache

Anything special to set up the binding for dns? This is the stock Dachstein RC2, except for changes mentioned below. Thanks to all for help so far.

I have fixed one of the vexations by the time-proven method: "When configuration won't work start replacing components". I began with the natsemi.o module, which had given me trouble on my previous firewall incarnation - Dach-pppoe. This time around, I was getting good traffic through the external i/f so I assumed the driver was fine. When I replaced the driver module (for my FA311 boards) with a newer natsemi.o, which I had compiled in Dec. 2001 (found it on a floppy), backed up the ram disk & rebooted, now all is working -- internal + external.

But *only* for 192.168.1.1. A second windoze box (gets 192.168.1.2) is configured exactly as the first, but can't pass traffic. Tried pinging an IP addr, and it times out.

dmesg outputs a lot of identical lines like:

    Packet log: input DENY eth0 PROTO=17 10.1.20.1:67 255.255.255.255:68 L=328 S=0x0 I=414nn F=0x000 T=255 (#8)

I am running with a hand-configured DNS on the win2k, but I will try to let the firewall serve up DNS. If not, a newer version of Dach might be in order.

Brad Fritz wrote:

> On 2002-07-22 at 15:48 Dr. Richard W. Tibbs wrote:
>
>>I booted up using a vanilla Dachstein RC2 floppy ( a little old,
>>I know) and everything on the firewall seems fine:
>>
>
> Assuming you mean Dachstein-PR2, is there a reason you are using
> a pre-release version of Dachstein? There were bugs in it that
> were fixed in later releases[1]. IIRC, the way dnscache was setup
> was changed too; /etc/dnscache.conf was eliminated in favor of the
> /etc/dnscache/env directory. It's been awhile, and I don't remember
> the specifics, but think there were functional changes in the way
> dnscache was setup too.
>
> On Tue, 23 Jul 2002 20:07:28 EDT Dr. Richard W. Tibbs wrote:
>
>>>Which package are you using? JNilo's doesn't contain any
>>>/etc/dnscache.conf; rather, it looks like Erich's table (below).
>>>
>
> Is it the stock Dachstein RC2 dnscache?
>
>>>I remain convinced that something is not configured properly with
>>>dnscache and/or it is *not* actually running . . .
>>>
>>>
>>This is my guess since nslookup from the win2k box times out.
>>
>
> Since this is dachstein (with netstat included), what does
>
>   netstat -an | grep 53
>
> say? You should see (at least) a match for udp port 53 on
> 192.168.1.254 like this:
>
>   udp        0      0 192.168.1.254:53        0.0.0.0:*
>
> If not, what does
>
>   ps | grep [d]nscache
>
> say? There should be a match for /usr/bin/dnscache , probably
> running as the user "dnscache". On my Dachstein-CD box, the
> process is:
>
>   1002 dnscache   S    /usr/bin/dnscache
>
> If dnscache is running and bound to 192.168.1.254:53, you might
> try setting "nameserver 192.168.1.254" in /etc/resolv.conf on
> the firewall and verify that name resolution on the firewall
> still works. (Try pinging an internet host by name.) If it
> doesn't, either dnscache is not setup correctly or maybe
> something is blocking name requests to the root servers upstream,
> although that seems unlikely. I'd also recommend using a newer
> version of Dachstein if you don't have a reason for using the
> pre-release.
>
> --Brad
>
> [1] http://leaf.sourceforge.net/devel/cstein/files/diskimages/dachstein/changes.txt
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
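Added example, not part of the original thread: the netstat check discussed above as a shell function that matches the port exactly (a plain `grep 53` also matches ports such as 5353 and any other line containing "53") and reports whether UDP port 53 is bound to a given address, to the wildcard 0.0.0.0, or not at all. The function names and the sample lines are constructed for illustration; the sample lines follow the two netstat lines quoted in the thread.

```shell
#!/bin/sh
# Classify how UDP port 53 is bound, reading `netstat -an` output on stdin.
# Usage on the firewall: netstat -an | dns_bind_status 192.168.1.254
# Prints one word:
#   specific - a UDP socket is bound to <ip>:53
#   wildcard - a UDP socket is bound to 0.0.0.0:53 (all local addresses,
#              so the external interface's address is included)
#   other    - UDP port 53 is bound, but only to some other address
#   none     - nothing is bound to UDP port 53
dns_bind_status() {
    want_ip=$1
    awk -v ip="$want_ip" '
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State]
        $1 ~ /^udp/ {
            n = split($4, part, ":")           # local address is addr:port
            if (part[n] != "53") next          # exact port, not a substring
            addr = substr($4, 1, length($4) - 3)   # strip trailing ":53"
            if (addr == ip)             specific = 1
            else if (addr == "0.0.0.0") wildcard = 1
            else                        other = 1
        }
        END {
            if (specific)      print "specific"
            else if (wildcard) print "wildcard"
            else if (other)    print "other"
            else               print "none"
        }'
}

# Constructed sample: the binding reported in the post, plus decoy lines
# that a bare "grep 53" would also match.
sample_reported() {
    printf '%s\n' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State' \
        'udp        0      0 0.0.0.0:53              0.0.0.0:*' \
        'udp        0      0 0.0.0.0:5353            0.0.0.0:*' \
        'tcp        0      0 192.168.1.254:22        192.168.1.1:1053        ESTABLISHED'
}

# Constructed sample: the binding the reply says to expect.
sample_expected() {
    printf '%s\n' 'udp        0      0 192.168.1.254:53        0.0.0.0:*'
}

sample_reported | dns_bind_status 192.168.1.254   # prints: wildcard
sample_expected | dns_bind_status 192.168.1.254   # prints: specific
```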
