>>>>> "ED" == Ed Doolittle <[EMAIL PROTECTED]> writes:
ED> Yes, perfect sense, and you're getting warmer. Port 53 is
ED> "udp.domain" to diald. With the "ignore" rule we discussed earlier,
ED> diald detects and ignores named to named traffic. This can only work
ED> if named always uses port 53 to send, which is only true if that
ED> "query-source address" line is added to named.conf.
ED> Keep the "query-source address" line in named.conf, and we'll next
ED> try to figure out whether diald is still not behaving properly.
ED> Experiment a little and let us know what isn't working right.
OK. Here is what I've found:
1) Modify named.conf to contain the "query-source address" line. Execute
'ndc restart' and diald gets triggered. This only happens the first
time. Subsequent attempts at 'ndc restart' do NOT trigger diald. Maybe
somehow it 'knows' that its named.conf file was modified and it does
something different which causes diald to trigger?
2) With the link established, DNS name resolution works correctly.
3) I manually dropped the link with a 'kill -s SIGINT'. Once dropped, I
cannot get diald to retrigger via a name resolution -- even if it's not
something already in its cache.
4) I tried an nslookup of something not in the cache and I got the following:
*** firewall.jnchome.com can't find www.apple.com: Non-existent host/domain
It seems like named is refusing to contact anyone after I made the change for
"query-source address".
================================================================
Below is my complete named.conf file:
logging {
    category statistics { null; };
};
options {
    forward only;
    forwarders {
        207.198.253.36;
        207.198.222.7;
    };
    query-source address * port 53;
    directory "/var/named";
};
zone "." {
    type hint;
    file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
zone "jnchome.com" {
    notify no;
    type master;
    file "named.jnchome.com";
};
zone "0.168.192.in-addr.arpa" {
    notify no;
    type master;
    file "named.0.168.192";
};
================================================================
Below is my complete standard.filter file. I've removed all comments in
order to reduce the size of the post.
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
accept tcp 5 ip.tot_len=40,tcp.syn
ignore tcp ip.tot_len=40,tcp.live
accept tcp 120 tcp.dest=tcp.www
accept tcp 120 tcp.source=tcp.www
keepup tcp 120 tcp.dest=tcp.ssl
keepup tcp 120 tcp.source=tcp.ssl
keepup tcp 5 !tcp.live
ignore tcp !tcp.live
accept tcp 120 tcp.dest=tcp.ftp
accept tcp 120 tcp.source=tcp.ftp
accept tcp 600 any
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
ignore udp udp.dest=udp.ntp
ignore udp udp.source=udp.ntp
ignore udp udp.dest=udp.timed
ignore udp udp.source=udp.timed
ignore udp udp.dest=udp.domain,udp.source=udp.domain
accept udp 30 udp.dest=udp.domain
accept udp 30 udp.source=udp.domain
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
accept udp 30 udp.dest=udp.netbios-ns
accept udp 30 udp.source=udp.netbios-ns
ignore udp tcp.dest=udp.route
ignore udp tcp.source=udp.route
accept udp 120 any
accept any 30 any
================================================================
Are you able to figure this out?
TIA!
--
Jake Colman
Principia Partners LLC Phone: (201) 946-0300
Harborside Financial Center Fax: (201) 946-0320
902 Plaza II Beeper: (800) 928-4640
Jersey City, NJ 07311 E-mail: [EMAIL PROTECTED]
E-mail: [EMAIL PROTECTED]
web: http://www.ppllc.com
microsoft: "where do you want to go today?"
linux: "where do you want to go tomorrow?"
BSD: "are you guys coming, or what?"
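Added example (not diald's code and not from the post above): a small Python evaluator for diald's first-match filter rules, fed the standard.filter rule text quoted in the post. It shows which rule a given UDP or TCP packet hits, and in particular that a DNS query sent from source port 53 to a forwarder's port 53 (what "query-source address * port 53" produces) lands on the "ignore udp udp.dest=udp.domain,udp.source=udp.domain" line, whereas the same query from an ephemeral port lands on "accept udp 30 udp.dest=udp.domain". The service-name table is constructed here rather than read from /etc/services, only the fields those rules use are modelled, and real diald additionally tracks connection state, so treat it as a teaching model of the rule matching, not a reimplementation.

```python
"""Toy first-match evaluator for diald filter rules (added example, not diald's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed service-name table; real diald resolves these via /etc/services.
SERVICES = {"domain": 53, "www": 80, "ssl": 443, "ftp": 21, "who": 513,
            "route": 520, "ntp": 123, "timed": 525, "netbios-ns": 137}

# The standard.filter rules as quoted in the post.
FILTER_RULES = """\
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
accept tcp 5 ip.tot_len=40,tcp.syn
ignore tcp ip.tot_len=40,tcp.live
accept tcp 120 tcp.dest=tcp.www
accept tcp 120 tcp.source=tcp.www
keepup tcp 120 tcp.dest=tcp.ssl
keepup tcp 120 tcp.source=tcp.ssl
keepup tcp 5 !tcp.live
ignore tcp !tcp.live
accept tcp 120 tcp.dest=tcp.ftp
accept tcp 120 tcp.source=tcp.ftp
accept tcp 600 any
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
ignore udp udp.dest=udp.ntp
ignore udp udp.source=udp.ntp
ignore udp udp.dest=udp.timed
ignore udp udp.source=udp.timed
ignore udp udp.dest=udp.domain,udp.source=udp.domain
accept udp 30 udp.dest=udp.domain
accept udp 30 udp.source=udp.domain
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
accept udp 30 udp.dest=udp.netbios-ns
accept udp 30 udp.source=udp.netbios-ns
ignore udp tcp.dest=udp.route
ignore udp tcp.source=udp.route
accept udp 120 any
accept any 30 any
"""

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    tot_len: int = 60   # IP total length in bytes
    syn: bool = False   # TCP SYN flag set
    live: bool = True   # simplified stand-in for diald's "established" state

@dataclass
class Rule:
    action: str             # accept / ignore / keepup
    proto: str              # tcp / udp / any
    timeout: Optional[int]  # seconds; present on accept/keepup rules
    conds: list             # comma-separated conditions, all must hold
    text: str

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        action, proto, rest = parts[0], parts[1], parts[2:]
        timeout = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        conds = rest[0].split(",") if rest else ["any"]
        rules.append(Rule(action, proto, timeout, conds, line))
    return rules

def _value(token):
    # "udp.domain" -> 53 through the table; a bare number such as "40" stays numeric
    return int(token) if token.isdigit() else SERVICES[token.split(".", 1)[1]]

def cond_matches(cond, pkt):
    if cond == "any":
        return True
    negate = cond.startswith("!")
    cond = cond.lstrip("!")
    if "=" in cond:
        field, want = cond.split("=", 1)
        have = {"dest": pkt.dport, "source": pkt.sport,
                "tot_len": pkt.tot_len}[field.split(".", 1)[1]]
        hit = have == _value(want)
    else:
        hit = {"syn": pkt.syn, "live": pkt.live}[cond.split(".", 1)[1]]
    return hit != negate

def classify(pkt, rules=None):
    """Return (action, timeout, rule_text) for the first rule the packet matches."""
    rules = rules or parse_rules(FILTER_RULES)
    for r in rules:
        if r.proto in ("any", pkt.proto) and all(cond_matches(c, pkt) for c in r.conds):
            return r.action, r.timeout, r.text
    return "nomatch", None, ""

if __name__ == "__main__":
    print(classify(Packet("udp", 53, 53)))     # named with query-source port 53 -> forwarder
    print(classify(Packet("udp", 1234, 53)))   # named querying from an ephemeral port
```

Running the block prints the ignore rule for the 53-to-53 query and the 30-second accept rule for the ephemeral-port query; swapping rule order or removing the two-port ignore line in FILTER_RULES lets you watch how the first-match outcome changes.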
-
To unsubscribe from this list: send the line "unsubscribe linux-diald" in
the body of a message to [EMAIL PROTECTED]