setting up an internal TLD
Mike Taylor
miketaylor at operamail.com
Thu Oct 19 00:56:41 PDT 2006
Hi everyone,
Thanks for all of the responses. I got it working. It looks like it
was a problem with pf.
The way I have the firewall setup is:
cable modem <---> dc0 (firewall box) fxp0 <---> local network
The TLD is '.dot' and the domain is 'localnet.dot'. Dc0 gets its IP
address, gateway, etc. through DHCP from the cable modem. Fxp0 has the
hostname 'homebox' and a fixed IP and runs dhcpd so computers behind
it can connect to the internet.
The first thing I fixed was a typo in the dhclient.conf. I had it
giving the same name to the dc0 interface that's assigned to fxp0 in
the hosts file and DNS. I don't think that was the problem.
The next thing I fixed was using FQDNs in the named files. I also
changed the address for 'homebox.localnet.dot.' from 1 to 10 in the
'10.10.10' file. It was always 10, I just cut and pasted it in wrong
in my first email. Maybe using FQDNs helped fix it.
Then I turned off pf. And everything worked. I turned off all packet
filtering, but left NAT on. I think the problem was I commented out
the line that says "set skip on lo" but had the line "antispoof quick
for { lo $int_if }" uncommented.
Below are all of the files in their entirety. Except for some of the
named files, they're the original files installed with 3.9 with a
couple of lines added, or edited.
The firewall now does its own DNS for everything and computers
behind the firewall can get out to the internet. Let me know if you
think I should change anything, or if I typed anything in wrong.
Thanks for all of your help.
Mike
; <<>> DiG 9.3.1 <<>> @homebox www.yahoo.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3789
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 9, ADDITIONAL: 0
;; QUESTION SECTION:
;www.yahoo.com. IN A
;; ANSWER SECTION:
www.yahoo.com. 60 IN CNAME www.yahoo-ht2.akadns.net.
www.yahoo-ht2.akadns.net. 60 IN A 209.73.186.238
;; AUTHORITY SECTION:
akadns.net. 172800 IN NS zd.akadns.org.
akadns.net. 172800 IN NS eur4.akadns.net.
akadns.net. 172800 IN NS eur8.akadns.net.
akadns.net. 172800 IN NS usw5.akadns.net.
akadns.net. 172800 IN NS asia4.akadns.net.
akadns.net. 172800 IN NS asia9.akadns.net.
akadns.net. 172800 IN NS za.akadns.org.
akadns.net. 172800 IN NS zb.akadns.org.
akadns.net. 172800 IN NS zc.akadns.org.
;; Query time: 560 msec
;; SERVER: 10.10.10.10#53(10.10.10.10)
;; WHEN: Thu Oct 19 02:37:30 2006
;; MSG SIZE rcvd: 260
WOO-HOO!!! :)
/etc/dhclient.conf
------------------
# $OpenBSD: dhclient.conf,v 1.1 1998/09/08 20:26:41 marc Exp $
#
# DHCP Client Configuration
#
# See dhclient.conf(5) for possible contents of this file.
# When empty default values are used:
#
# Example:
#
# send dhcp-lease-time 3600;
# send host-name "myhost";
# supersede host-name "myhost";
# supersede domain-name "my.domain";
# request subnet-mask, broadcast-address, time-offset, routers,
# domain-name, domain-name-servers, host-name, lpr-servers, ntp-servers;
# require subnet-mask, domain-name-servers, routers;
# media "link0 link1", "link0 link1", "link0 link1", "-link0 link1";
initial-interval 1;
request subnet-mask, broadcast-address, routers, domain-name,
domain-name-servers, host-name;
supersede host-name "front";
supersede domain-name "localnet.dot";
supersede domain-name-servers 127.0.0.1;
/etc/hostname.dc0
-----------------
dhcp NONE NONE NONE
/etc/hostname.fxp0
------------------
inet 10.10.10.10 255.255.255.0 NONE
/etc/hosts
----------
# $OpenBSD: hosts,v 1.11 2002/09/26 23:35:51 krw Exp $
#
# Host Database
#
# RFC 1918 specifies that these networks are "internal".
# 10.0.0.0 10.255.255.255
# 172.16.0.0 172.31.255.255
# 192.168.0.0 192.168.255.255
#
::1 localhost.localnet.dot localhost
127.0.0.1 localhost.localnet.dot localhost
10.10.10.10 homebox.localnet.dot homebox
/etc/myname
-----------
homebox.localnet.dot
/etc/pf.conf
--------------
# $OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if="dc0"
int_if="fxp0"
#table <spamd> persist
#table <spamd-white> persist
# keep this line: the breakage described above was traced to having it
# commented out while "antispoof quick for lo" (below) was still active
set skip on lo
scrub in
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
# -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
# -> 127.0.0.1 port spamd
anchor "ftp-proxy/*"
block in
pass out keep state
pass quick on $int_if
# ordering note: the "pass quick" above matches first for anything arriving
# on fxp0, so the antispoof below only bites on packets arriving on dc0 that
# claim a 10.10.10.0/24 or 127/8 source (lo itself is skipped entirely)
antispoof quick for { lo $int_if }
#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
/etc/resolv.conf
----------------
search localnet.dot
nameserver 127.0.0.1
lookup file bind
/var/named/etc/named.conf
-------------------------
// $OpenBSD: named-simple.conf,v 1.6 2004/08/16 15:48:28 jakob Exp $
//
// Example file for a simple named configuration, processing both
// recursive and authoritative queries using one cache.
// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
// "localnets" also matches the subnet dc0 gets from the cable modem, and
// listen-on { any; } binds the public address too; only pf's default
// "block in" on dc0 keeps outside hosts from recursing through this server.
// Listing 10.10.10.0/24 and 127.0.0.1 here instead of localnets removes
// that dependency on the packet filter.
acl clients {
localnets;
::1;
};
options {
version ""; // remove this to allow version queries
listen-on { any; };
listen-on-v6 { any; };
allow-recursion { clients; };
};
logging {
category lame-servers { null; };
};
// Standard zones
//
zone "." {
type hint;
file "standard/root.hint";
};
zone "localhost" {
type master;
file "standard/localhost";
allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
type master;
file "standard/loopback";
allow-transfer { localhost; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
type master;
file "standard/loopback6.arpa";
allow-transfer { localhost; };
};
zone "com" {
type delegation-only;
};
zone "net" {
type delegation-only;
};
// Master zones
//
//zone "myzone.net" {
// type master;
// file "master/myzone.net";
//};
// Slave zones
//
//zone "otherzone.net" {
// type slave;
// file "slave/otherzone.net";
// masters { 192.0.2.1; [...;] };
//};
// no allow-transfer here: BIND 9's default is { any; }, so unlike the other
// master zones this one can be AXFRed by anything that can reach named;
// add allow-transfer { localhost; }; to match the rest
zone "localnet.dot" {
type master;
file "master/localnet.dot";
};
zone "10.10.10.IN-ADDR.ARPA" {
type master;
file "master/10.10.10";
allow-transfer { localhost; };
};
/var/named/master/10.10.10
----------------------------------
$TTL 86400
@       SOA     homebox.localnet.dot. root.homebox.localnet.dot. ( 2 10800 3600 604800 600 )
        NS      homebox.localnet.dot.
10      IN PTR  homebox.localnet.dot.
/var/named/master/localnet.dot
----------------------------------------
$TTL 86400
@           SOA     homebox.localnet.dot. root.homebox.localnet.dot. ( 2 10800 3600 604800 600 )
            NS      homebox.localnet.dot.
localhost   A       127.0.0.1
homebox     A       10.10.10.10
            MX 10   homebox     ; owner-less line inherits "homebox": this MX is for homebox.localnet.dot, not the zone apex
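A small consistency check for the kind of forward and in-addr.arpa zone pair posted above, added here as an example and not part of the original message or of OpenBSD's named setup. It parses a simplified BIND master-file syntax ($TTL, $ORIGIN, '@', owner inheritance from leading whitespace, optional TTL/class fields, ';' comments, a single-line parenthesised SOA) and reports A records with no matching PTR and PTRs with no matching A. The zone text embedded below is constructed sample input reproducing the localnet.dot and 10.10.10 data from the post; the function and constant names are the example's own.

```python
"""Forward/reverse zone consistency check (added example, not from the post)."""
import ipaddress

# Constructed sample input: the two master zones from the post.
FORWARD_ZONE = """\
$TTL 86400
@           SOA     homebox.localnet.dot. root.homebox.localnet.dot. ( 2 10800 3600 604800 600 )
            NS      homebox.localnet.dot.
localhost   A       127.0.0.1
homebox     A       10.10.10.10
            MX 10   homebox
"""

REVERSE_ZONE = """\
$TTL 86400
@       SOA     homebox.localnet.dot. root.homebox.localnet.dot. ( 2 10800 3600 604800 600 )
        NS      homebox.localnet.dot.
10   IN   PTR homebox.localnet.dot.
"""

RR_TYPES = {"A", "AAAA", "NS", "PTR", "MX", "CNAME", "SOA", "TXT"}
CLASSES = {"IN", "CH", "HS"}


def fqdn(name, origin):
    """Qualify a name against origin: '@' is the origin, a trailing dot is absolute."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return [(owner, type, rdata fields)] for a simplified master-format zone."""
    origin = origin if origin.endswith(".") else origin + "."
    last_owner = origin.lower()
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # strip ';' comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
            continue
        if fields[0] == "$TTL":
            continue
        if line[0].isspace():                      # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = last_owner = fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0] in CLASSES):
            fields.pop(0)                          # optional TTL and class
        if not fields or fields[0] not in RR_TYPES:
            raise ValueError(f"cannot parse record: {raw!r}")
        records.append((owner, fields[0], fields[1:]))
    return records


def reverse_name(ip):
    """'10.10.10.10' -> '10.10.10.10.in-addr.arpa.'"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_to_ip(rname):
    """'10.10.10.10.in-addr.arpa.' -> '10.10.10.10' (IPv4 only, else None)."""
    labels = rname.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"] or len(labels) != 6:
        return None
    return ".".join(reversed(labels[:-2]))


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return (a_without_ptr, ptr_without_a).

    Only addresses inside the reverse zone's prefix are checked, so
    127.0.0.1 (served by the standard loopback zone) is not flagged.
    """
    rev_origin = (rev_origin if rev_origin.endswith(".") else rev_origin + ".").lower()
    a_map = {}
    for owner, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype == "A":
            a_map.setdefault(owner, set()).add(rdata[0])
    ptr_map = {}
    for owner, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype == "PTR":
            ptr_map[owner] = fqdn(rdata[0], rev_origin)

    a_without_ptr = [(name, ip) for name, ips in a_map.items() for ip in sorted(ips)
                     if reverse_name(ip).endswith("." + rev_origin)
                     and ptr_map.get(reverse_name(ip)) != name]
    ptr_without_a = [(ptr_to_ip(rname), target) for rname, target in ptr_map.items()
                     if ptr_to_ip(rname) not in a_map.get(target, set())]
    return a_without_ptr, ptr_without_a


if __name__ == "__main__":
    bad_a, bad_ptr = check_consistency(FORWARD_ZONE, "localnet.dot",
                                       REVERSE_ZONE, "10.10.10.IN-ADDR.ARPA")
    print("A records without PTR:", bad_a)
    print("PTR records without A:", bad_ptr)
```

With the posted data both lists come back empty; change the reverse owner from 10 to 11 and the check reports homebox as lacking a PTR and 10.10.10.11 as a PTR with no matching A, which is the mismatch the author mentions having pasted wrongly in the first email.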