On Wed, 24 Jul 2002 11:42:17 EDT Dr. Richard W. Tibbs wrote:

> The situation has improved a bit.
> The main symptom now seems to be that
> the command netstat -an | grep 53 yields
> udp    0    0 0.0.0.0:53 0.0.0.0:*
> so it does not look like the internal iface (192.168.1.254) is being 
> bound to port 53.

0.0.0.0 means it's bound to all interfaces, here eth0 and eth1.
The change to bind to only 192.168.1.254 was made in later versions
of Dachstein.  IIRC, the default firewall rules prevent connections
on the eth0 side.  If that's the case it's not really anything to
worry about.  Newer setups also tell dnscache to only reply from
queries from 192.168.*.* (with the IPQUERY variable), but based on
your dnscache.conf file, I don't think your version does that.

If you want to change it to bind only to the internal interface,
change the "IP=0.0.0.0" line to "IP=192.168.1.254" in
/etc/dnscache.conf.  But again, it should be fine as-is; the problem
likely lies elsewhere.

> ps grep dnscache yields
> 1026 daemon  S  /usr/bin/dnscache
 
That's fine.  Typical for a Dachstein-PR2 install, I'm pretty
sure.

> Anything special to set up the binding for DNS?  This is the stock 
> Dachstein RC2, except for changes mentioned below.

Should be okay as-is, but see the comment above about the "IP"
variable if you want to change it.

> Thanks to all for help so far.  I have fixed one of the vexations by the 
> time-proven method:
> "When configuration won't work, start replacing components".
> I began with the natsemi.o module, which had given me trouble on my 
> previous firewall incarnation - Dach-pppoe.
> 
> This time around, I was getting good traffic through the external i/f, so 
> I assumed the driver was fine.  When I replaced the driver module (for 
> my FA311 boards) with a newer natsemi.o, which I had compiled in Dec. 
> 2001 (found it on a floppy), backed up the ram disk & rebooted, now all 
> is working -- internal + external.  But *only* for 192.168.1.1.  A 
> second windoze box (gets 192.168.1.2) is configured exactly as the 
> first, but can't pass traffic.  Tried pinging an IP addr, and it times out.

Can 192.168.1.2 ping 192.168.1.254?  Can 192.168.1.1 use
192.168.1.254 for DNS resolution?  Seems the focus on dnscache
is probably unwarranted; there are more fundamental problems to
fix first.

> dmesg outputs a lot of identical lines like:
> Packet log: input DENY eth0 PROTO=17 10.1.20.1:67 255.255.255.255:68 
> L=328 S=0x0 I=414nn F=0x000 T=255 (#8)

Nothing to worry about.  Just a host on the eth0 side broadcasting
for a DHCP lease.

> I am running with a hand-configured DNS on the win2k, but I will try to 
> let the firewall serve up DNS.
> If not, a newer version of Dach might be in order.
 
Agreed.

--Brad

> 
> Brad Fritz wrote:
> 
> > On 2002-07-22 at 15:48 Dr. Richard W. Tibbs wrote:
> > 
> > 
> >>I booted up using a vanilla Dachstein RC2 floppy ( a little old, 
> >>I know) and everything on the firewall seems fine:
> >>
> > 
> > Assuming you mean Dachstein-PR2, is there a reason you are using
> > a pre-release version of Dachstein?  There were bugs in it that
> > were fixed in later releases[1].  IIRC, the way dnscache was set up
> > was changed too; /etc/dnscache.conf was eliminated in favor of the
> > /etc/dnscache/env directory.  It's been awhile, and I don't remember
> > the specifics, but I think there were functional changes in the way
> > dnscache was set up too.
> > 
> > On Tue, 23 Jul 2002 20:07:28 EDT Dr. Richard W. Tibbs wrote:
> > 
> > 
> >>>Which package are you using?  JNilo's doesn't contain any
> >>>/etc/dnscache.conf; rather, it looks like Erich's table (below).
> >>>
> > 
> > Is it the stock Dachstein RC2 dnscache?
> > 
> > 
> >>>I remain convinced that something is not configured properly with
> >>>dnscache and/or it is *not* actually running . . .
> >>>
> >>>
> >>This is my guess since nslookup from the win2k box times out.
> >>
> > 
> > Since this is dachstein (with netstat included), what does
> > 
> >    netstat -an | grep 53
> > 
> > say?  You should see (at least) a match for udp port 53 on
> > 192.168.1.254 like this:
> > 
> >    udp        0      0 192.168.1.254:53        0.0.0.0:*
> > 
> > If not, what does
> > 
> >   ps | grep [d]nscache
> > 
> > say?  There should be a match for /usr/bin/dnscache, probably
> > running as the user "dnscache".  On my Dachstein-CD box, the
> > process is:
> > 
> >   1002 dnscache S    /usr/bin/dnscache
> > 
> > If dnscache is running and bound to 192.168.1.254:53, you might
> > try setting "nameserver 192.168.1.254" in /etc/resolv.conf on
> > the firewall and verify that name resolution on the firewall
> > still works.  (Try pinging an internet host by name.)  If it
> > doesn't, either dnscache is not set up correctly or maybe
> > something is blocking name requests to the root servers upstream,
> > although that seems unlikely.  I'd also recommend using a newer
> > version of Dachstein if you don't have a reason for using the
> > pre-release.
> > 
> > --Brad
> > 
> > [1] http://leaf.sourceforge.net/devel/cstein/files/diskimages/dachstein/changes.txt
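The point Brad makes about 0.0.0.0 versus 192.168.1.254 in the netstat output, as an added example that is not part of the thread: a small sh check that classifies how udp/53 is bound (wildcard, internal only, something else, or nothing) instead of eyeballing `grep 53`, which would also match port 5353. The sample netstat lines are constructed to mirror the two outputs quoted above; the internal address 192.168.1.254 is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit how udp/53 is bound on the firewall.

INTERNAL_IP="192.168.1.254"   # internal (eth1) address from the thread

# Constructed sample: what the original poster saw (bound to all interfaces).
SAMPLE_WILDCARD='udp    0    0 0.0.0.0:53 0.0.0.0:*'
# Constructed sample: the bind Brad described as expected, plus an unrelated socket.
SAMPLE_INTERNAL='tcp        0      0 0.0.0.0:22        0.0.0.0:*   LISTEN
udp        0      0 192.168.1.254:53        0.0.0.0:*'
# Constructed sample: nothing on 53, but a line a bare "grep 53" would still match.
SAMPLE_NONE='udp        0      0 0.0.0.0:5353        0.0.0.0:*'

# dns_bind_state NETSTAT_OUTPUT INTERNAL_ADDR
# Prints one of: wildcard | internal | other | none
dns_bind_state() {
    # Keep only udp sockets whose local port is exactly 53; print the address part.
    addrs=$(printf '%s\n' "$1" |
        awk '$1 == "udp" && $4 ~ /:53$/ { sub(/:53$/, "", $4); print $4 }')
    [ -z "$addrs" ] && { echo none; return 0; }
    state=internal
    for a in $addrs; do
        case "$a" in
            0.0.0.0) echo wildcard; return 0 ;;   # listening on eth0 and eth1
            "$2")    ;;                           # the internal interface: fine
            *)       state=other ;;               # unexpected address
        esac
    done
    echo "$state"
}

# Human-readable verdict for an audit run.
report() {
    case "$(dns_bind_state "$1" "$INTERNAL_IP")" in
        wildcard) echo "udp/53 on 0.0.0.0: reachable on every interface; relies on the eth0 firewall rules" ;;
        internal) echo "udp/53 only on $INTERNAL_IP: resolver not exposed on the external side" ;;
        other)    echo "udp/53 on an unexpected address: check the IP= line in /etc/dnscache.conf" ;;
        none)     echo "nothing on udp/53: dnscache not running or bound elsewhere" ;;
    esac
}

report "$SAMPLE_WILDCARD"
report "$SAMPLE_INTERNAL"
report "$SAMPLE_NONE"
```

On the firewall itself, replace the constructed samples with `report "$(netstat -an)"`.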


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
