On Fri, Jun 02, 2006 at 02:39:23PM -0700, Allen Theobald wrote:
> Greetings everyone!
>
>
> This question has to do with PF and DNS from my internal network to my ISP.
>
> Here is what I have done:
>
> Set /etc/sysctl.conf
>
> net.inet.ip.forwarding=1
>
> Set /etc/rc.conf
>
> pf=YES
>
> Used the pf.conf file from the FAQ
> (http://www.openbsd.org/faq/pf/example1.html). Except my "internal" is xl0
> and my external is rl0. rl0 gets its IP dynamically.
>
> My network looks exactly like the one in the FAQ
> (http://www.openbsd.org/faq/pf/example1.html).
>
> I can ping www.google.com from the firewall.
>
> But I cannot ping www.google.com from any computers on the internal network.
>
> First, does the pf.conf in the FAQ route DNS requests from the internal
> network?
>
> Second, if not would someone suggest a rule to accomplish that, so that DNS
> can be handled by my ISP?
>
> I've tried a couple of rdr/pass combinations. But no luck.
>
> Hell, I'm not even sure any rdr/pass combinations are required....doesn't
> seem like it.
>
>
The best thing to do is to set up a caching DNS server on your gateway,
and have your LAN clients query that:
On your gateway:
/etc/resolv.conf:
lookup file bind
nameserver 127.0.0.1
nameserver your.isps.dns2.ip
nameserver your.isps.dns3.ip
/etc/rc.conf.local:
named_flags=""
/etc/pf.conf:
ext_if="rl0"
int_if="rl1"
lan_net="192.168.0.0/24"
pass out on $ext_if inet proto {udp tcp} from ($ext_if) port > 1023 \
to any port domain user named modulate state
pass in on $int_if inet proto udp from $lan_net port > 1023 \
to $int_if port domain user named keep state
# cd /var/named/etc
# cp -p named-simple.conf named.conf
change these lines:
options {
version ""; // remove this to allow version queries
listen-on { any; };
listen-on-v6 { any; };
allow-recursion { clients; };
};
to:
options {
version ""; // remove this to allow version queries
listen-on { 127.0.0.1; your.lan.ip; };
minimal-responses yes;
allow-recursion { clients; };
notify no;
allow-transfer { none; };
};
// Master zones
zone "adimages.go.com" { type master; file "master/dummy-block.internal"; };
zone "admonitor.net" { type master; file "master/dummy-block.internal"; };
zone "ads.specificpop.com" { type master; file "master/dummy-block.internal"; };
zone "ads.web.aol.com" { type master; file "master/dummy-block.internal"; };
zone "ads.x10.com" { type master; file "master/dummy-block.internal"; };
zone "advertising.com" { type master; file "master/dummy-block.internal"; };
zone "amazingmedia.com" { type master; file "master/dummy-block.internal"; };
zone "clickagents.com" { type master; file "master/dummy-block.internal"; };
zone "commission-junction.com" { type master; file "master/dummy-block.internal"; };
zone "doubleclick.net" { type master; file "master/dummy-block.internal"; };
zone "go2net.com" { type master; file "master/dummy-block.internal"; };
zone "infospace.com" { type master; file "master/dummy-block.internal"; };
zone "kcookie.netscape.com" { type master; file "master/dummy-block.internal"; };
zone "linksynergy.com" { type master; file "master/dummy-block.internal"; };
zone "msads.net" { type master; file "master/dummy-block.internal"; };
zone "qksrv.net" { type master; file "master/dummy-block.internal"; };
zone "yimg.com" { type master; file "master/dummy-block.internal"; };
zone "zedo.com" { type master; file "master/dummy-block.internal"; };
zone "adtech.de" { type master; file "master/dummy-block.internal"; };
zone "img.mediaplex.com" { type master; file "master/dummy-block.internal"; };
zone "msn.com" { type master; file "master/dummy-block.internal"; };
zone "kazaa.com" { type master; file "master/dummy-block.internal"; };
zone "messenger.hotmail.com" { type master; file "master/dummy-block.internal"; };
zone "msg.yahoo.com" { type master; file "master/dummy-block.internal"; };
zone "login.oscar.aol.com" { type master; file "master/dummy-block.internal"; };
zone "aimexpress.aol.com" { type master; file "master/dummy-block.internal"; };
zone "ru4.com" { type master; file "master/dummy-block.internal"; };
zone "poindextersystems.com" { type master; file "master/dummy-block.internal"; };
# cat master/dummy-block.internal
; Zone file for dummy-block
; http://www.deer-run.com/~hal/sysadmin/dns-advert.html
; http://www.holland-consulting.net/tech/imblock.html
$TTL 7D ; client caching [RFC 2308]
@       SOA (
                your.servers.hostname.  ; master name server
                your.dotted.email.      ; zone maintainer's email [RFC 2142]
                2006042200              ; serial, todays date + todays serial #
                1D                      ; refresh
                2H                      ; retry
                5W                      ; expire
                2D )                    ; client negative caching [RFC 2308]
        A       127.0.0.1
        NS      your.servers.hostname.
*       A       127.0.0.1
reload your pf rules:
# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf
start named:
# named
On your LAN clients:
/etc/resolv.conf:
lookup file bind
nameserver your.gateway.LAN.ip
--
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]
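The sinkhole list above is a few dozen near-identical zone statements, all of which must point at the same dummy zone file, and it grows every time a new ad or IM host turns up. The script below is an added example, not part of Craig's post or of OpenBSD's named configuration: it generates those statements from a plain domain list read on stdin, refuses names that would not parse in named.conf, writes the shared dummy-block zone file with a date-based serial, and checks that every generated statement names the same file, which is the easiest thing to mistype in a list this long. The file names in the usage comment (blocklist.txt, blocked-zones.conf) are assumptions; the zone-file path matches the one used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate the repetitive
# "zone ... { type master; ... };" sinkhole statements and the shared
# dummy-block zone file, and sanity-check the result before reloading named.
# File names in the usage comment are assumptions, not anything named in the thread.

ZONEFILE="master/dummy-block.internal"   # relative to /var/named, as in the post

# Read one domain per line on stdin and print a master zone statement for
# each. Blank lines and '#' comments are skipped; names are lowercased,
# a trailing dot is dropped, and anything that is not a plain hostname
# (letters, digits, '-' and '.') is refused so it cannot break named.conf.
gen_block_zones() {
    while IFS= read -r dom; do
        dom=$(printf '%s' "$dom" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]//g; s/\.$//')
        case "$dom" in
            ''|'#'*) continue ;;
            *[!a-z0-9.-]*|.*|-*|*..*)
                printf 'skipping invalid name: %s\n' "$dom" >&2
                continue ;;
        esac
        printf 'zone "%s" { type master; file "%s"; };\n' "$dom" "$ZONEFILE"
    done
}

# Print the sinkhole zone file. $1 is the gateway's FQDN (with trailing
# dot), $2 the hostmaster mailbox in zone-file form, $3 a two-digit
# sequence number appended to today's date to form the serial.
gen_dummy_zone() {
    ns="$1"; mail="$2"; seq="${3:-00}"
    serial="$(date -u +%Y%m%d)$seq"
    printf '; sinkhole zone shared by every blocked domain\n'
    printf '$TTL 7D\n'
    printf '@\tSOA %s %s (\n' "$ns" "$mail"
    printf '\t\t%s\t; serial\n\t\t1D\t; refresh\n\t\t2H\t; retry\n' "$serial"
    printf '\t\t5W\t; expire\n\t\t2D )\t; negative caching\n'
    printf '\tNS\t%s\n\tA\t127.0.0.1\n*\tA\t127.0.0.1\n' "$ns"
}

# Read zone statements on stdin; succeed only if every one names the
# same zone file, so a single mistyped path is caught before named loads it.
check_single_file() {
    n=$(sed -n 's/.*file "\([^"]*\)".*/\1/p' | sort -u | awk 'END { print NR }')
    [ "$n" -eq 1 ]
}

# Typical use on the gateway (blocklist.txt and blocked-zones.conf are assumed names):
#   gen_block_zones < blocklist.txt > /var/named/etc/blocked-zones.conf
#   check_single_file < /var/named/etc/blocked-zones.conf
#   gen_dummy_zone gw.example.net. hostmaster.example.net. 01 > /var/named/master/dummy-block.internal
#   named-checkzone doubleclick.net /var/named/master/dummy-block.internal
```

The generated blocked-zones.conf is meant to be pulled into named.conf with an `include` statement rather than pasted, so the hand-edited options block and the generated list stay separate; run named-checkconf and named-checkzone on the result before restarting named, since a single bad zone statement stops the whole server from loading.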