Bind problem

kuhar2007
sergeant
Posts: 243
Registered: 2008-12-22 14:40:35

Bind problem

Post by kuhar2007 » 2012-05-24 15:36:13

Hi all.

I have a problem with BIND. I set up the zone, there are no errors, and I check from the server itself:

Code:

dig vkuhar.org.ua @159.224.190.237

; <<>> DiG 9.8.2 <<>> vkuhar.org.ua @159.224.190.237
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56918
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;vkuhar.org.ua.                 IN      A

;; ANSWER SECTION:
vkuhar.org.ua.          3600    IN      A       159.224.190.237

;; AUTHORITY SECTION:
vkuhar.org.ua.          3600    IN      NS      ns1.vkuhar.org.ua.
vkuhar.org.ua.          3600    IN      NS      ns.secondary.net.ua.
vkuhar.org.ua.          3600    IN      NS      ns2.vkuhar.org.ua.

;; ADDITIONAL SECTION:
ns.secondary.net.ua.    82035   IN      A       195.149.112.1
ns.secondary.net.ua.    82035   IN      AAAA    2001:7f8:55:7::350
ns1.vkuhar.org.ua.      3600    IN      A       159.224.190.237
ns2.vkuhar.org.ua.      3600    IN      A       159.224.190.237

;; Query time: 2 msec
;; SERVER: 159.224.190.237#53(159.224.190.237)
;; WHEN: Thu May 24 15:31:16 2012
;; MSG SIZE  rcvd: 190
So the records are served, but from the outside the query times out. When I check with nmap whether port 53 is open, it says it is open.
I suspect the firewall; maybe something needs to be added to the rules. Right now it has the following rules:

Code:

ipfw show
00050     7505     1910246 allow tcp from any to me dst-port 23,22,21,20,8088,25,995,5100,5101,10000,143,53,953
00051     5818     1162017 allow tcp from me 23,22,21,20,8088,25,995,5100,5101,10000,143,53,953 to any
00060        0           0 allow tcp from any to me dst-port 28560-28570
00100       37        2224 deny tcp from any to any dst-port 445
00110   280106   493295774 allow ip from any to any via lo0
00120     4454     2819092 skipto 1000 ip from me to any
00130      567       31752 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00140        0           0 deny ip from any to table(120)
00150        0           0 deny ip from table(120) to any
00160  1631877   101219743 skipto 2000 ip from any to me
00200 39902300 29030787237 skipto 500 ip from any to any via re1
00300 17283468  2317685250 skipto 4500 ip from any to any in
00400 21418953 25201351800 skipto 450 ip from any to any recv re1
00420      183       14062 divert 1 ip from any to any
00450 21419029 25201366345 divert 2 ip from any to any
00490 21402313 25193341991 allow ip from any to any
00500 22717611 26726835336 skipto 32500 ip from any to any in
00510 17184984  2304040346 divert 1 ip from any to any
00540 17185025  2304039988 allow ip from any to any
00701        0           0 allow tcp from any to any dst-port 5100
00701        0           0 allow tcp from any to any dst-port 5101
01000        0           0 allow udp from any 53,7723 to any
01010      114       31267 allow tcp from any to any setup keep-state
01020      749      112585 allow udp from any to any keep-state
01100     4005     2786995 allow ip from any to any
02000        0           0 check-state
02010     2197      199353 allow icmp from any to any
02020     4219      524067 allow tcp from any to any dst-port 80,443
02050  1621527   100138611 deny ip from any to any via re1
02060        0           0 allow udp from any to any dst-port 53,7723
02100     3520      245957 deny ip from any to any
05000    83369     8553283 deny ip from not table(0) to any
05001        0           0 skipto 5010 ip from table(127) to table(126)
05002 17199685  2309084236 skipto 5030 ip from any to not table(2)
05003       12        1602 deny ip from any to not table(1)
05004       42        3438 pipe tablearg ip from table(21) to any
05005        0           0 deny ip from any to any
05010        0           0 pipe tablearg ip from table(127) to any
05030        0           0 deny tcp from table(15) to any dst-port 0
05400 17199685  2309084236 pipe tablearg ip from table(11) to any
32000        0           0 deny ip from any to any
32490        6         362 deny ip from any to any
33000        0           0 pipe tablearg ip from table(126) to table(127)
33001 22717332 26726803147 skipto 33010 ip from not table(2) to any
33002        0           0 pipe tablearg ip from any to table(20)
33003        0           0 deny ip from any to any
33400 22715048 26726425640 pipe tablearg ip from any to table(10)
65535     2303      378675 allow ip from any to any
Please help me figure this out.


schizoid
lieutenant colonel
Posts: 3228
Registered: 2007-03-03 17:32:31
From: Ukraine, Chernihiv

Re: Bind problem

Post by schizoid » 2012-05-24 16:25:06

Does it work with the firewall turned off?
nuclear explosion... deadly beautiful... a pity it's not forever...

Shuba
senior sergeant
Posts: 365
Registered: 2008-03-25 10:58:21
From: Minsk

Re: Bind problem

Post by Shuba » 2012-05-24 17:08:37

Code:

cat /etc/namedb/named.conf
The power of night, the power of day, it's all the same nonsense!

kuhar2007
sergeant
Posts: 243
Registered: 2008-12-22 14:40:35

Re: Bind problem

Post by kuhar2007 » 2012-05-25 8:30:38

Shuba wrote:

Code:

cat /etc/namedb/named.conf

Code:

cat /etc/namedb/named.conf
// $FreeBSD: release/9.0.0/etc/namedb/named.conf 224125 2011-07-17 06:20:47Z dougb $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory	"/etc/namedb/working";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
	listen-on	{ 127.0.0.1; 159.224.190.237; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//	listen-on-v6	{ ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
	disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
	disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
	forwarders {
		127.0.0.1;
	};
*/

// If the 'forwarders' clause is not empty the default is to 'forward first'
// which will fall back to sending a query from your local server if the name
// servers in 'forwarders' do not have the answer.  Alternatively you can
// force your name server to never initiate queries of its own by enabling the
// following line:
//	forward only;

// If you wish to have forwarding configured automatically based on
// the entries in /etc/resolv.conf, uncomment the following line and
// set named_auto_forward=yes in /etc/rc.conf.  You can also enable
// named_auto_forward_only (the effect of which is described above).
//	include "/etc/namedb/auto_forward.conf";

	/*
	   Modern versions of BIND use a random UDP port for each outgoing
	   query by default in order to dramatically reduce the possibility
	   of cache poisoning.  All users are strongly encouraged to utilize
	   this feature, and to configure their firewalls to accommodate it.

	   AS A LAST RESORT in order to get around a restrictive firewall
	   policy you can try enabling the option below.  Use of this option
	   will significantly reduce your ability to withstand cache poisoning
	   attacks, and should be avoided if at all possible.

	   Replace NNNNN in the example with a number between 49160 and 65530.
	*/
	// query-source address * port NNNNN;
};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "/etc/namedb/named.root"; };

/*	Slaving the following zones from the root name servers has some
	significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots
	3. Greater resilience to any potential root server failure/DDoS

	On the other hand, this method requires more monitoring than the
	hints file to be sure that an unexpected failure mode has not
	incapacitated your server.  Name servers that are serving a lot
	of clients will benefit more from this approach than individual
	hosts.  Use with caution.

	To use this mechanism, uncomment the entries below, and comment
	the hint zone above.

	As documented at http://dns.icann.org/services/axfr/ these zones:
	"." (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
	are available for AXFR from these servers on IPv4 and IPv6:
	xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
*/
/*
zone "." {
	type slave;
	file "/etc/namedb/slave/root.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
zone "arpa" {
	type slave;
	file "/etc/namedb/slave/arpa.slave";
	masters {
		192.5.5.241;	// F.ROOT-SERVERS.NET.
	};
	notify no;
};
*/

/*	Serving the following zones locally will prevent any queries
	for these zones leaving your network and going to the root
	name servers.  This has two significant advantages:
	1. Faster local resolution for your users
	2. No spurious traffic will be sent from your network to the roots
*/
// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
zone "localhost"	{ type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
zone "0.ip6.arpa"	{ type master; file "/etc/namedb/master/localhost-reverse.db"; };

// "This" Network (RFCs 1912, 5735 and 6303)
zone "0.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// Private Use Networks (RFCs 1918, 5735 and 6303)
zone "10.in-addr.arpa"	   { type master; file "/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// Link-local/APIPA (RFCs 3927, 5735 and 6303)
zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// IETF protocol assignments (RFCs 5735 and 5736)
zone "0.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// TEST-NET-[1-3] for Documentation (RFCs 5735, 5737 and 6303)
zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "100.51.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "113.0.203.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Example Range for Documentation (RFCs 3849 and 6303)
zone "8.b.d.0.1.0.0.2.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// Domain Names for Documentation and Testing (BCP 32)
zone "test" { type master; file "/etc/namedb/master/empty.db"; };
zone "example" { type master; file "/etc/namedb/master/empty.db"; };
zone "invalid" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.com" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.net" { type master; file "/etc/namedb/master/empty.db"; };
zone "example.org" { type master; file "/etc/namedb/master/empty.db"; };

// Router Benchmark Testing (RFCs 2544 and 5735)
zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };

// IANA Reserved - Old Class E Space (RFC 5735)
zone "240.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "241.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "242.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "243.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "244.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "245.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "246.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "247.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "248.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "249.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "250.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "251.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "252.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "253.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "254.in-addr.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "8.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "c.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "e.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "0.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "1.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "2.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "8.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "0.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "1.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "2.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "3.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "4.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "5.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "6.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "7.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 ULA (RFCs 4193 and 6303)
zone "c.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Link Local (RFCs 4291 and 6303)
zone "8.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "9.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "a.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "b.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IPv6 Deprecated Site-Local Addresses (RFCs 3879 and 6303)
zone "c.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "d.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "e.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };
zone "f.e.f.ip6.arpa"	{ type master; file "/etc/namedb/master/empty.db"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int"		{ type master; file "/etc/namedb/master/empty.db"; };

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries.  It can be convenient to become
// a slave at least for the zone your own domain is in.  Ask
// your network administrator for the IP address of the responsible
// master name server.
//
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work.  There are sometimes
// non-obvious pitfalls.  Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-)  Use actual names
// and addresses instead.

/* An example dynamic zone
key "exampleorgkey" {
	algorithm hmac-md5;
	secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
	type master;
	allow-update {
		key "exampleorgkey";
	};
	file "/etc/namedb/dynamic/example.org";
};
*/

/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
	type slave;
	file "/etc/namedb/slave/1.168.192.in-addr.arpa";
	masters {
		192.168.1.1;
	};
};
*/
zone "ololo.pl.ua" {
	type master;
	file "/etc/namedb/dynamic/ololo.pl.ua";
};

zone "vkuhar.org.ua" {
	type master;
	file "/etc/namedb/dynamic/vkuhar.org.ua";
	allow-transfer { 193.201.116.2; };
};

Shuba
senior sergeant
Posts: 365
Registered: 2008-03-25 10:58:21
From: Minsk

Re: Bind problem

Post by Shuba » 2012-05-25 10:23:00

In your firewall the rule for UDP 53 comes after the NAT, so it looks like queries from outside don't get through; the NAT picks them up first.
The power of night, the power of day, it's all the same nonsense!

kuhar2007
sergeant
Posts: 243
Registered: 2008-12-22 14:40:35

Re: Bind problem

Post by kuhar2007 » 2012-06-15 12:10:56

I put this rule earlier:

Code:

ipfw show
00050     2539      254652 allow tcp from any to me dst-port 23,22,21,20,8088,25,995,5100,5101,10000,143,53,953
00051     2027      519339 allow tcp from me 23,22,21,20,8088,25,995,5100,5101,10000,143,53,953 to any
00060        0           0 allow tcp from any to me dst-port 28560-28570
00070    39987     9197360 allow udp from any 53,7723 to any
00100        0           0 deny tcp from any to any dst-port 445
00110   199706   152851014 allow ip from any to any via lo0
00120    35306     2770291 skipto 1000 ip from me to any
00130      156        8736 deny icmp from any to any in icmptypes 5,9,13,14,15,16,17
00140        0           0 deny ip from any to table(120)
00150        0           0 deny ip from table(120) to any
00160   351043    23196975 skipto 2000 ip from any to me
00200 28897911 23851270817 skipto 500 ip from any to any via re1
00300 14713785 12772477192 skipto 4500 ip from any to any in
00400 13951702 10705796848 skipto 450 ip from any to any recv re1
00420      635       47536 divert 1 ip from any to any
00450 13951709 10705805621 divert 2 ip from any to any
00490 13949152 10704879120 allow ip from any to any
00500 14235204 11086698036 skipto 32500 ip from any to any in
00510 14662860 12764623224 divert 1 ip from any to any
00540 14649217 12764252487 allow ip from any to any
00701        0           0 allow tcp from any to any dst-port 5100
00701        0           0 allow tcp from any to any dst-port 5101
01010       10        1067 allow tcp from any to any setup keep-state
01020      403       26416 allow udp from any to any keep-state
01100    34915     2744581 allow ip from any to any
02000        0           0 check-state
02010     8483      716480 allow icmp from any to any
02020      373       39850 allow tcp from any to any dst-port 80,443
02050   339940    22324786 deny ip from any to any via re1
02060        0           0 allow udp from any to any dst-port 53,7723
02100     2226      114086 deny ip from any to any
05000    18877     3894242 deny ip from not table(0) to any
05001        0           0 skipto 5010 ip from table(127) to table(126)
05002 14691474 12768364003 skipto 5030 ip from any to not table(2)
05003        0           0 deny ip from any to not table(1)
05004        0           0 pipe tablearg ip from table(21) to any
05005        0           0 deny ip from any to any
05010        0           0 pipe tablearg ip from table(127) to any
05030        0           0 deny tcp from table(15) to any dst-port 0
05400 14691474 12768364003 pipe tablearg ip from table(11) to any
32000        0           0 deny ip from any to any
32490       10         780 deny ip from any to any
33000        0           0 pipe tablearg ip from table(126) to table(127)
33001 14235200 11086697464 skipto 33010 ip from not table(2) to any
33002        0           0 pipe tablearg ip from any to table(20)
33003        0           0 deny ip from any to any
33400 14233504 11086580446 pipe tablearg ip from any to table(10)
65535     1710      118348 allow ip from any to any
But it still doesn't let UDP 53 through. Maybe I also need to add something to pfnat?
Shuba wrote: In your firewall the rule for UDP 53 comes after the NAT, so it looks like queries from outside don't get through; the NAT picks them up first.

Shuba
senior sergeant
Posts: 365
Registered: 2008-03-25 10:58:21
From: Minsk

Re: Bind problem

Post by Shuba » 2012-06-16 23:08:05

kuhar2007 wrote: I put this rule earlier:

[quoted ipfw show listing, identical to the one in the previous post]
But it still doesn't let UDP 53 through. Maybe I also need to add something to pfnat?
Shuba wrote: In your firewall the rule for UDP 53 comes after the NAT, so it looks like queries from outside don't get through; the NAT picks them up first.
So where is the rule that lets incoming UDP 53 through before the NAT? I see the outgoing one in rule 70, but the incoming one is only in 2060, which is already after the NAT.
The power of night, the power of day, it's all the same nonsense!
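A way to check the rule-ordering argument above without tracing the listing by eye: the following is an added example (my own code, not from the thread and not part of ipfw), a small walker that replays a subset of the second `ipfw show` listing with ipfw's evaluation order: first match wins, `skipto` jumps forward to the first rule with at least the target number, `divert` hands the packet to natd and continues at the next rule. It assumes that re1 is the interface the outside queries arrive on, that none of the `table(N)` entries match the packets in question, and that the dynamic state consulted by `check-state` is empty; the packet dictionaries and the sample ruleset subset are constructed from the posted listing.

```python
import re
# Constructed sample: the rules from the second `ipfw show` listing in the thread
# that a UDP/53 packet to or from this host can reach (numbers and bodies as posted).
SAMPLE_IPFW_SHOW = """\
00070    39987     9197360 allow udp from any 53,7723 to any
00120    35306     2770291 skipto 1000 ip from me to any
00160   351043    23196975 skipto 2000 ip from any to me
00420      635       47536 divert 1 ip from any to any
00450 13951709 10705805621 divert 2 ip from any to any
02000        0           0 check-state
02050   339940    22324786 deny ip from any to any via re1
02060        0           0 allow udp from any to any dst-port 53,7723
65535     1710      118348 allow ip from any to any
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+(\S.*?)\s*$")

def _ports(spec):
    """'53,7723' or '28560-28570' -> set of port numbers."""
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def _addr(tok, i):
    """'[not] <addr>' at tok[i] -> ((name, negated), index after it)."""
    neg = int(tok[i] == "not")
    return (tok[i + neg], bool(neg)), i + neg + 1

def parse_rule(line):
    """One `ipfw show` line -> dict, or None if the line is not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tok = m.group(2).split()
    rule = {"num": int(m.group(1)), "action": tok[0], "arg": None, "proto": "ip",
            "src": ("any", False), "dst": ("any", False),
            "sports": None, "dports": None, "opts": {}}
    if rule["action"] == "check-state":
        return rule
    i = 1
    if rule["action"] in ("skipto", "divert", "pipe"):
        rule["arg"], i = tok[1], 2
    rule["proto"], i = tok[i], i + 2                    # proto, then skip 'from'
    rule["src"], i = _addr(tok, i)
    if tok[i] != "to":                                  # positional source ports
        rule["sports"], i = _ports(tok[i]), i + 1
    rule["dst"], i = _addr(tok, i + 1)                  # skip 'to'
    if i < len(tok) and re.fullmatch(r"[\d,\-]+", tok[i]):
        rule["dports"], i = _ports(tok[i]), i + 1       # positional destination ports
    while i < len(tok):                                 # trailing options
        if tok[i] in ("via", "recv", "xmit", "dst-port", "src-port", "icmptypes"):
            rule["opts"][tok[i]], i = tok[i + 1], i + 2
        else:
            rule["opts"][tok[i]], i = True, i + 1
    if "dst-port" in rule["opts"]:                      # fold into the port set
        rule["dports"] = _ports(rule["opts"].pop("dst-port"))
    return rule

def _match_addr(spec, value):
    """'any' matches all; table(N) never matches (assumption: table contents unknown)."""
    name, neg = spec
    return (name == "any" or (not name.startswith("table(") and name == value)) != neg

def matches(rule, pkt):
    """First-match test for one rule; dynamic state (check-state) is treated as empty."""
    if rule["action"] == "check-state" or rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_match_addr(rule["src"], pkt["src"]) and _match_addr(rule["dst"], pkt["dst"])):
        return False
    for ports, key in ((rule["sports"], "sport"), (rule["dports"], "dport")):
        if ports is not None and pkt.get(key) not in ports:
            return False
    facts = {"via": pkt["iface"], "recv": pkt["iface"] if pkt["dir"] == "in" else None,
             "in": pkt["dir"] == "in", "out": pkt["dir"] == "out", "keep-state": True}
    return all(facts[o] == v for o, v in rule["opts"].items())  # KeyError = option not modelled

def walk(text, pkt):
    """ipfw order: first match wins, skipto jumps forward, divert continues at the next rule."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    path, i = [], 0
    while i < len(rules):
        rule = rules[i]
        if matches(rule, pkt):
            path.append(rule["num"])
            if rule["action"] in ("allow", "deny", "pipe"):   # pipe: one_pass=1 default
                return rule["num"], rule["action"], path
            if rule["action"] == "skipto":
                target = int(rule["arg"])
                i = next((j for j, r in enumerate(rules) if r["num"] >= target), len(rules))
                continue
        i += 1                                          # no match, or divert: next rule
    return None, "fallthrough", path

def udp_packet(src, dst, sport, dport, iface, direction):
    """Constructed packet; 'me' stands for any address configured on this host."""
    return {"proto": "udp", "src": src, "dst": dst, "sport": sport,
            "dport": dport, "iface": iface, "dir": direction}
```

Under those assumptions an inbound query to port 53 arriving on re1 matches rule 160 (`skipto 2000 ip from any to me`) before any divert rule and is then dropped by 2050 (`deny ip from any to any via re1`), never reaching 2060; the posted counters agree with that walk (339940 hits on 2050, 0 on 2060). The same query on another interface is allowed by 2060, and a reply leaving from port 53 is allowed by rule 70, which only covers the outgoing side. Either way, what is missing is an allow for UDP to dst-port 53 placed earlier on the path that inbound packets actually take; pasting a candidate rule into the text and rerunning `walk` shows whether it would be hit.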