On 10/27/2017 05:44 PM, Rommel Rodriguez Toirac wrote:
> Hello all;
> here I send some configs and traces of my shorewall firewall.
> I have made some workarounds, so maybe this is a little different from
> the one that I sent in the shorewall-dump.tar.gz; but the problem is
> still present.
> This is the situation.
> Our networks are private.
> (municipal networks use provincial network services)
> Some networks that are outside of my office network use some services in
> it; for example, my smtp service is used as a gateway for the email
> service in these offices, they use mailboxes accessed with the pop3 service,
> they use the FTP server and use the jabber service that we serve.
> (municipal offices have their own DNS and Domain)
> Our municipal offices have their own DNS services and their Domain,
> managed with Windows 2008 Active Directory, so the resolution of
> their PC names and IP numbers is done locally by them.
> (IP addresses and PC names unknown)
> In the municipal offices, the DNS service has a Forwarder configured,
> so that all PC names or IP numbers unknown to them are sent to my bind
> server. The Forwarder IP number is the IP of the net (or internet)
> interface in my shorewall config [172.16.120.1]. This is with the
> intention of configuring all services in municipal networks using DNS
> names and not IP numbers. For example, to access my FTP server, use
> ftp.gtm.onat.gob.cu and not a number.
> (bind with views in my DMZ)
> In the DMZ (provincial network) I have configured a DNS service with
> bind using views listening to the requests of the municipal networks.
>
> When I point to ftp.gtm.onat.gob.cu from some PC in a municipal network,
> nothing happens, nor does shorewall log the event. When I point to
> 172.16.120.1 the connection is established with no problems. Nothing that
> I try to access with PC or alias names of my network succeeds;
> everything must be done with IP addresses.
> Nevertheless, I made a test with nslookup from a PC in a municipal
> network and this is the answer:
>
> ###nslookup from gtm08
> C:\Users\Administrador>nslookup
> Servidor predeterminado: gtm08.cai.gtm.onat.gob.cu
> Address: 172.16.123.11
>
>> gtmem
> Servidor: gtm08.cai.gtm.onat.gob.cu
> Address: 172.16.123.11
>
> Respuesta no autoritativa:
> Nombre: gtmem.gtm.onat.gob.cu
> Address: 192.168.14.4
>
>> mail.gtm.onat.gob.cu
> Servidor: gtm08.cai.gtm.onat.gob.cu
> Address: 172.16.123.11
>
> Respuesta no autoritativa:
> Nombre: gtmem.gtm.onat.gob.cu
> Address: 192.168.14.4
> Aliases: mail.gtm.onat.gob.cu
>
>
> What did I do wrong? Where is my mistake? Shorewall or bind or Windows
> 2008 DNS config? Why is it impossible to use PC names or aliases when
> accessing services from outside my network?
Your DNS server is returning *private* (RFC1918) addresses to systems in
the Municipal Network. To those systems, it must return the public IP
address of your firewall. This is addressed by using split DNS -- let
your DMZ server handle local clients and let your DMZ server handle
external clients.
-Tom
--
Tom Eastep
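An added example of the split-DNS layout Tom describes, written for this reply and not taken from the original thread or from the Shorewall project. It uses the names and addresses that appear in the nslookup output above (gtmem at 192.168.14.4, the firewall's net interface at 172.16.120.1, the municipal resolver gtm08 at 172.16.123.11). The ACL names, the 192.168.14.0/24 and 172.16.123.0/24 prefixes, the zone file paths, the SOA contents and the hostmaster address are assumptions chosen for illustration. The nslookup transcript shows the municipal client receiving 192.168.14.4 for mail.gtm.onat.gob.cu, which is exactly the answer the internal view should give and the external view must not; the fix is to make sure the municipal source addresses fall into the view that publishes the firewall address.

```conf
// ---- /etc/bind/named.conf.local on the DMZ bind server (assumed path) ----
// Provincial (DMZ/office) network and municipal networks: assumed prefixes.
acl "provincial" { 192.168.14.0/24; 127.0.0.1; };
acl "municipal"  { 172.16.123.0/24; };

// Local clients get the real DMZ addresses.
view "internal" {
    match-clients { provincial; };
    allow-recursion { provincial; };
    zone "gtm.onat.gob.cu" {
        type master;
        file "/etc/bind/zones/db.gtm.onat.gob.cu.internal";
    };
};

// Queries forwarded by the municipal AD DNS servers land here. They must
// receive the firewall address, because that is the only address reachable
// from their side (the direct-by-IP test in the thread confirms the DNAT).
// If shorewall masquerades these queries on the way in, the DMZ server
// sees the firewall's own address as the source and that address must be
// added to the "municipal" ACL, or the queries silently match "internal".
view "external" {
    match-clients { municipal; };
    // The municipal forwarders send every unknown name here, so recursion
    // stays on but is limited to the listed networks.
    allow-recursion { municipal; };
    zone "gtm.onat.gob.cu" {
        type master;
        file "/etc/bind/zones/db.gtm.onat.gob.cu.external";
    };
};

// ---- /etc/bind/zones/db.gtm.onat.gob.cu.internal (assumed path) ----
// $TTL 3600
// @       IN SOA   gtmem.gtm.onat.gob.cu. hostmaster.gtm.onat.gob.cu. (
//                  2017102701  ; serial (assumed)
//                  3600 900 604800 300 )
//         IN NS    gtmem.gtm.onat.gob.cu.
// gtmem   IN A     192.168.14.4      ; real DMZ host
// mail    IN CNAME gtmem
// ftp     IN CNAME gtmem

// ---- /etc/bind/zones/db.gtm.onat.gob.cu.external (assumed path) ----
// Same SOA/NS header and serial as above, but every service name resolves
// to the firewall's net-side address that shorewall forwards to the DMZ.
// gtmem   IN A     172.16.120.1      ; firewall net interface
// mail    IN CNAME gtmem
// ftp     IN CNAME gtmem
```

After `named-checkconf` and `named-checkzone gtm.onat.gob.cu <file>` pass and `rndc reload` has been run, the check is the same nslookup the thread already shows: from a municipal PC, `mail.gtm.onat.gob.cu` must now come back as 172.16.120.1, while the same query from the provincial side still returns 192.168.14.4. If the municipal answer is still the 192.168.14.x address, the query is matching the internal view, and the source address the DMZ server actually sees (visible in the bind query log) is what needs to be added to the external ACL.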
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
