Re: [Shorewall-users] Problem accesing from outside

[Rommel Rodriguez Toirac]

El oct. 26, 2017 7:10 PM, Bill Shirley <b...@ultrapoly.polymerindustries.biz> escribió:

You don't have any name servers for gob.cu:
; <<>> DiG 9.10.3-P4-RedHat-9.10.3-9.P4.fc22 <<>> gob.cu ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1071
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gob.cu.                IN    NS

;; AUTHORITY SECTION:
cu.            3600    IN    SOA    ns.ceniai.net.cu. cu-tech.ceniai.inf.cu. 2017102605 3600 1800 1209600 3600

;; Query time: 154 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Oct 26 19:56:46 EDT 2017
;; MSG SIZE  rcvd: 104

This above query should answer with the name server like the one below:
; <<>> DiG 9.10.3-P4-RedHat-9.10.3-9.P4.fc22 <<>> example.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57752
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.            IN    NS

;; ANSWER SECTION:
example.com.        86400    IN    NS b.iana-servers.net.
example.com.        86400    IN    NS a.iana-servers.net.

;; ADDITIONAL SECTION:
a.iana-servers.net.    109216    IN    A    199.43.135.53
b.iana-servers.net.    109216    IN    A    199.43.133.53
a.iana-servers.net.    109216    IN    AAAA 2001:500:8f::53
b.iana-servers.net.    109216    IN    AAAA 2001:500:8d::53

;; Query time: 43 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Oct 26 20:04:54 EDT 2017
;; MSG SIZE  rcvd: 176
See the ANSWER SECTION.

Your DNS is not set up.

Hope this helps,
Bill

On 10/:03 PM, Rommel Rodriguez Toirac wrote:
>  Hello all;
> I finally test the config of my firewall using it like a DMZ but have some problems.
>  For example, in the DMZ I have a DNS server, the access to it is allowed from the internal netwok or loc zone and from
> outside or net zone; in the DMZ also is the FTP, jabber, web and email servers. Happen that from outside or net zone I can not
> access to any of this servers using the name, IP or alias of the server.
>  In my municipal networks, in the DNS servers, I add and server forwarder, this was the IP of my external interfaces. This is
> for all requests that can not be found in his network, send to me.
>   From a municipal network when I try to access to the email server of my network poiting to the alias (mail.gtm.gob.cu) never
> connect. This happend with all request made to a name, or alias. If I use the IP addres of the server everything work fine.
>  I know, these is problem of DNS, but I configure the DNS to allow acces from the outside network and from inside network
> using views.
>  Attached I send the shorewall dump.
>  I try to be sure that is not problem of shorewall that deny the access to the DMZ zone where are the DNS server and all other
> servers.
>  Thank for the attention and forgive my bad English.
>
>

Our network is separated in three (3): national level, provincial level and municipal level. All of they are considered as privated network and domain.  For example my network is administrated here for me, and the networks of my municipals are administrated in his own places. That why you don't have answers.

  My problems is that my network provide services to our municipals networks and they acces to this services just for IP address, if I configure to access by name, is imposible.

 I don't know if now is a little more clear.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users