On Fri, May 29, 2015, at 08:26 AM, Tom Eastep wrote:
> Depending on which DNS server you are using, there is another way to
> solve this that doesn't involve Shorewall at all. In bind9, you can
> specify the *transfer-source* option which causes the given address to
> be used as the source during zone transfers.
I use bind 9.10.2 on both ends. 'transfer-source' had, in fact, already been
set correctly. It's apparently not sufficient; that doesn't get the correct
src/dst address all the way through.
Since these two servers function as a primary/secondary DNS server pair, xfr
requests & notifies can occur bidirectionally.
With a bit more verbose logging, I've found that to get rid of the use of
EITHER vpn endpoint in either the SRC= or DST= address, so that the respective
DNS servers 'see' the _actual_ client address, I need /masq on both ends.
I.e., this works:
local

  SHOREWALL/rules
    #ACTION  SOURCE          DEST            PROTO    DPORT
    DNAT     $FW:10.0.2.53   vpn1:10.0.1.53  udp      53
    ACCEPT   vpn1:10.0.1.53  $FW:10.0.2.53   tcp      53

  SHOREWALL/masq
    #INTERFACE:DEST     SOURCE         ADDRESS     PROTO    PORT(S)
    VPN_IF:10.0.1.53    10.254.254.2   10.0.2.53   tcp,udp  53

remote

  SHOREWALL/rules
    #ACTION  SOURCE          DEST            PROTO    DPORT
    DNAT     $FW:10.0.1.53   vpn1:10.0.2.53  udp      53
    ACCEPT   vpn1:10.0.2.53  $FW:10.0.1.53   tcp      53

  SHOREWALL/masq
    #INTERFACE:DEST     SOURCE         ADDRESS     PROTO    PORT(S)
    VPN_IF:10.0.2.53    10.254.254.1   10.0.1.53   tcp,udp  53
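The check the post describes, done with the verbose log output, as an added example that is not part of the original post or of Shorewall: it parses netfilter-style LOG lines (SRC=/DST=/PROTO=/SPT=/DPT= fields) and flags any port-53 packet in which a VPN tunnel endpoint (10.254.254.1/2 from the masq rules above) appears instead of the real DNS server address. The log lines are constructed samples; the field layout is the standard kernel LOG format, and the addresses are those from the thread.

```python
import re

# Addresses from the thread: the VPN tunnel endpoints (masq SOURCE column)
# and the two DNS servers that should be the only addresses seen on port 53.
VPN_ENDPOINTS = {"10.254.254.1", "10.254.254.2"}
DNS_PORT = "53"

# Constructed sample log lines (fields abbreviated). The first two show the
# tunnel endpoint leaking into SRC= / DST= as it did before adding /masq;
# the last two are what a correct transfer and reply look like afterwards.
SAMPLE_LOG = """\
May 29 09:00:01 local kernel: Shorewall:vpn1:ACCEPT:IN=tun0 OUT= SRC=10.254.254.2 DST=10.0.1.53 PROTO=TCP SPT=40211 DPT=53
May 29 09:00:02 local kernel: Shorewall:fw2vpn1:ACCEPT:IN= OUT=tun0 SRC=10.0.1.53 DST=10.254.254.2 PROTO=UDP SPT=53 DPT=40212
May 29 09:00:03 local kernel: Shorewall:vpn1:ACCEPT:IN=tun0 OUT= SRC=10.0.2.53 DST=10.0.1.53 PROTO=TCP SPT=40213 DPT=53
May 29 09:00:04 local kernel: Shorewall:fw2vpn1:ACCEPT:IN= OUT=tun0 SRC=10.0.1.53 DST=10.0.2.53 PROTO=UDP SPT=53 DPT=40214
"""

# Only the key=value pairs we care about; other LOG fields are ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of one LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def is_dns(fields):
    """True for zone transfers, NOTIFYs and their replies (either port is 53)."""
    return fields.get("DPT") == DNS_PORT or fields.get("SPT") == DNS_PORT


def find_leaks(log_text):
    """Return (src, dst, proto) for every DNS packet that still carries a
    VPN endpoint address, i.e. a flow the masq rule did not rewrite."""
    leaks = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not is_dns(f):
            continue
        if f.get("SRC") in VPN_ENDPOINTS or f.get("DST") in VPN_ENDPOINTS:
            leaks.append((f["SRC"], f["DST"], f.get("PROTO")))
    return leaks


if __name__ == "__main__":
    for src, dst, proto in find_leaks(SAMPLE_LOG):
        print(f"tunnel endpoint still visible on DNS flow: {src} -> {dst} ({proto})")
```

Run it against `/var/log/messages` (or wherever Shorewall's LOG target lands) on each end; an empty result means both servers now see only each other's real address on port 53.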
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users