
Addendum



jojo17
29.08.02, 21:54
Hello

I have a router running under SuSE Linux 7.3. The Internet connection is up and the router can ping, both by IP and by name. The client (Win98), however, can only ping Internet IPs.

Furthermore, the bind8 name server is on the router.
I have 127.0.0.1 in resolv.conf.
The search list is localhost.

As the firewall I also have SuSEfirewall2.
Its config is further down.


So, when I now ping from the client, /var/log/messages under Linux gives me the following:

Aug 29 20:35:34 router named[9284]: denied query from [192.168.10.3].1124 for "WWW.YAHOO.DE" IN

and /var/log/warn says this about it:

Aug 29 17:54:27 router kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=80.137.244.42 LEN=305 TOS=0x00 PREC=0x00 TTL=56 ID=57355 PROTO=UDP SPT=53 DPT=1026 LEN=285
Aug 29 17:54:33 router kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=80.137.244.42 LEN=305 TOS=0x00 PREC=0x00 TTL=56 ID=53095 PROTO=UDP SPT=53 DPT=1026 LEN=285

What's wrong there??


Here is the firewall config:


FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.10.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="53"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="1:65535"
FW_SERVICES_INT_UDP="1:65535"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="192.168.10.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

(should be complete like this)


Thanks for your answers.
:(

jojo17
29.08.02, 22:06
Here is also my named.conf for the DNS caching name server.
Unfortunately I forgot it in the text above, sorry.
:rolleyes:


# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany
#
# Author: Frank Bodammer <feedback@suse.de>
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND8.
# It works as a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be
# found in /usr/share/doc/packages/bind8/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind8/html/options.html

options {

        # The directory statement defines the name server's
        # working directory

        directory "/var/named";

        # The forwarders record contains a list of servers to
        # which queries should be forwarded. Enable this line and
        # modify the IP-address to your provider's name server.
        # Up to three servers may be listed.

        forwarders { 217.5.115.7; 212.185.248.116; 194.25.2.129; };

        # Enable the next entry to prefer usage of the name
        # server declared in the forwarders section.

        forward list;

        # The listen-on record contains a list of local network
        # interfaces to listen on. Optionally the port can be
        # specified. Default is to listen on all interfaces found
        # on your system. The default port is 53.

        listen-on port 53 { 127.0.0.1; 192.168.10.1; };

        # The next statement may be needed if a firewall stands
        # between the local server and the internet.

        query-source address * port 53;

        # The allow-query record contains a list of networks or
        # IP-addresses to accept and deny queries from. The
        # default is to allow queries from all hosts.

        allow-query { 127.0.0.1; 192.168.10.1; };

        # The cleaning-interval statement defines the time interval
        # in minutes for periodic cleaning. Default is 60 minutes.
        # By default, all actions are logged to /var/log/messages.

        cleaning-interval 120;

        # Name server statistics will be logged to /var/log/messages
        # every <statistics-interval> minutes. Default is 60 minutes.
        # A value of 0 disables this feature.

        statistics-interval 0;

        # If notify is set to yes (default), notify messages are
        # sent to other name servers when the zone data is
        # changed. Instead of setting a global 'notify' statement
        # in the 'options' section, a separate 'notify' can be
        # added to each zone definition.

        notify no;
};

# The following three zone definitions don't need any modification.
# The first one defines localhost while the second defines the
# reverse lookup for localhost. The last zone "." is the
# definition of the root name servers.

zone "localhost" in {
        type master;
        file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "127.0.0.zone";
};

zone "." in {
        type hint;
        file "root.hint";
};

# You can insert further zone records for your own domains below.

rabenkind
30.08.02, 11:45
hi jojo17

on the named.conf

"forward list" must be "forward first", or forward only, or forward no; nothing else works.
--------------------------------------------------
this line is quite useful, it defines your home network->

acl internal { 127.0.0.1; 192.168.10.0/24; };

(should go before options)
--------------------------------------------------
then you can write the following for allow-query, i.e. everyone from the home network->

allow-query { internal; };
--------------------------------------------------
as for the SuSEfirewall (packet filter), I don't know it, I have my own packet filter
but there are enough cracks here for that

greetz rabenkind :))
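An added example, not part of the thread and not BIND's or SuSE's own code: it reads the "denied query" line from the first post and checks the refused client against the allow-query list as posted (127.0.0.1 and 192.168.10.1) and against the acl "internal" suggested above (127.0.0.1 and 192.168.10.0/24). It also splits one of the SuSE-FW-UNALLOWED-TARGET kernel lines into its fields so the source port 53, destination port 1026 and UDP protocol can be read off directly. The log lines are copied from the posts (with the space between the SuSE-FW prefix and IN= restored); the function names and the CIDR matching are this example's own and only cover plain positive address entries, not BIND's full address-match-list syntax.

```python
"""
Added example: match a BIND8 'denied query' client against an allow-query
list, and split a SuSEfirewall2 kernel log line into fields.
Log lines are copies of the ones posted in the thread; everything else
(function names, matching rules) is this example's own construction.
"""
import ipaddress
import re

# Log lines as posted in the thread (constructed copies).
NAMED_LOG = ('Aug 29 20:35:34 router named[9284]: denied query from '
             '[192.168.10.3].1124 for "WWW.YAHOO.DE" IN')
FW_LOG = ('Aug 29 17:54:27 router kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= '
          'SRC=217.5.115.7 DST=80.137.244.42 LEN=305 TOS=0x00 PREC=0x00 TTL=56 '
          'ID=57355 PROTO=UDP SPT=53 DPT=1026 LEN=285')

# allow-query exactly as in the posted named.conf: loopback and the router's LAN address.
ORIGINAL_ALLOW_QUERY = ["127.0.0.1", "192.168.10.1"]
# acl "internal" as suggested in the reply: loopback plus the whole home network.
INTERNAL_ACL = ["127.0.0.1", "192.168.10.0/24"]

NAMED_DENIED_RE = re.compile(
    r'named\[(?P<pid>\d+)\]: denied query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '
    r'for "(?P<name>[^"]+)" (?P<qclass>\S+)')


def parse_denied_query(line):
    """Return {pid, ip, port, name, qclass} from a BIND8 'denied query' line, or None."""
    m = NAMED_DENIED_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["port"] = int(d["port"])
    return d


def acl_matches(acl, ip):
    """True if ip falls inside any address or prefix of the list.
    Only plain positive entries are handled (no '!' negation, no nested acl names)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)


def explain_denial(line, acl):
    """Tie the log line to an ACL: which client was refused, and would this ACL admit it?"""
    q = parse_denied_query(line)
    if q is None:
        return None
    return {"client": q["ip"], "name": q["name"], "allowed": acl_matches(acl, q["ip"])}


def parse_fw_log(line):
    """Split a SuSEfirewall2 kernel log line into its prefix and KEY=VALUE fields.
    LEN occurs twice (IP header, then UDP header); the second copy is stored as LEN2."""
    m = re.search(r'kernel: (SuSE-FW-[A-Z-]+) (.*)$', line)
    if not m:
        return None
    fields = {"prefix": m.group(1)}
    for token in m.group(2).split():
        key, _, value = token.partition("=")
        if key in fields:
            key += "2"
        fields[key] = value
    return fields


if __name__ == "__main__":
    for label, acl in (("posted allow-query", ORIGINAL_ALLOW_QUERY),
                       ("acl internal", INTERNAL_ACL)):
        r = explain_denial(NAMED_LOG, acl)
        print(f"{label}: client {r['client']} asking for {r['name']} "
              f"-> {'allowed' if r['allowed'] else 'denied'}")
    f = parse_fw_log(FW_LOG)
    print(f"{f['prefix']}: {f['PROTO']} {f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']} on {f['IN']}")
```

Run as a script it prints that 192.168.10.3 is denied by the posted allow-query list and allowed by the acl from the reply, and that the dropped packets are UDP from the first forwarder's port 53 to local port 1026 arriving on ppp0.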

jojo17
30.08.02, 13:05
Thanks a lot, it worked.
:D