[ale] still trying to figure it out
Geoffrey
esoteric at 3times25.net
Mon Aug 4 13:09:52 EDT 2003
David S. Jackson wrote:
> I guess the obvious thing at this time is to start looking at the
> rules for your firewall. Are you using a homegrown ruleset? Are you
> using a commercial firewall/linux distro, like smoothwall or
> something?
Home grown, but I've turned virtually everything off except masq. Output
of ipchains -L:
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ dmz-edu/24 anywhere n/a
ACCEPT all ------ home-edu/24 anywhere n/a
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ all ------ anywhere anywhere n/a
Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere dmz-edu/24 n/a
ACCEPT all ------ anywhere home-edu/24 n/a
>
> I think we've ruled out the client being at fault. Not sure if we
> mentioned it, but you've tried this same experiment on different
> nat'ed hosts with the same results, right? You've used different
> browser and proxy settings. (Do you even use a proxy, transparent or
> otherwise?)
Yeah, done that too. No proxy or anything else.
>
> You mentioned earlier that you only allow transfers to/from your
> ISP's nameservers. If that were a factor, I'd think you'd have
> trouble resolving other hosts/domains too. I mean, does the zone get
> transferred when you dig from ns.speedfactory.com (or whatever the
> dns servers are)? It does, doesn't it? (I think you showed that
> earlier.) Could there be any reason why csplans.com doesn't transfer
> a zone to speedfactory.com's nameservers?
Yeah, it does. It's weird because this is the only site that exhibits
this problem. I go to tons of sites. Just this one.
>
> If nothing else works, I think it might be worth trying commenting
> out certain parts of the rulesets, restarting the firewalling daemon,
> and seeing if that affects the dns query results. Just to see if
> that gets you any closer to the ballpark. If you get a complete
> answer to your dns query, at least you have a direction to proceed
> in.
I've done that. Here's another weird one. Here's the setup:
internet <-> firewall a <-> dmz <-> firewall b <-> home network
I just tried lynx to this website from firewall b. I got there. So
firewall b will get to the site, but any machines behind firewall b can
not. ?????
>
> My guess is there's something peculiar that csplans.com is doing that
> makes it hiccup with speedfactory's nameservers. I'd be surprised if
> there's very much amiss with your rules, because you probably would
> have noticed a problem earlier. Unless, have you been changing your
> rulesets around lately?
I would like to believe that was the case, but why can I get to it from
the two firewalls??
--
Until later: Geoffrey esoteric at 3times25.net
The latest, most widespread virus? Microsoft end user agreement.
Think about it...
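The ipchains listing above is the evidence the thread keeps coming back to, so here is a small auditor for it. This is an added example, not code from the post or from the ALE list; the sample listing is the one quoted in the message (dmz-edu and home-edu are the names as they appear there, not real networks), and the check it performs is simply whether any chain policy or rule can refuse a packet at all.

```python
import re

# Constructed sample: the 'ipchains -L' listing quoted in the post (dmz-edu
# and home-edu are the names used there, not real networks).
IPCHAINS_LISTING = """\
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ dmz-edu/24 anywhere n/a
ACCEPT all ------ home-edu/24 anywhere n/a
Chain forward (policy ACCEPT):
target prot opt source destination ports
MASQ all ------ anywhere anywhere n/a
Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT all ------ anywhere dmz-edu/24 n/a
ACCEPT all ------ anywhere home-edu/24 n/a
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\):$")
BLOCKING_TARGETS = {"DENY", "REJECT"}  # ipchains targets that refuse a packet

def parse_ipchains(listing):
    """Turn 'ipchains -L' text into {chain: {"policy": str, "rules": [...]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        fields = line.split()
        if current is None or len(fields) < 5 or fields[0] == "target":
            continue  # skip blank lines and the column header row
        target, prot, _opt, src, dst = fields[:5]
        chains[current]["rules"].append(
            {"target": target, "prot": prot, "src": src, "dst": dst})
    return chains

def audit(chains):
    """Report what can refuse traffic (non-ACCEPT policy, DENY/REJECT rules) and whether forward masquerades."""
    blocking = []
    for name, chain in chains.items():
        if chain["policy"] != "ACCEPT":
            blocking.append(f"{name}: default policy {chain['policy']}")
        for r in chain["rules"]:
            if r["target"] in BLOCKING_TARGETS:
                blocking.append(f"{name}: {r['target']} {r['src']} -> {r['dst']}")
    forward = chains.get("forward", {"rules": []})["rules"]
    masq = any(r["target"] == "MASQ" for r in forward)
    return {"blocking": blocking, "masquerading": masq}
```

Run against the quoted listing it reports no blocking policy or rule and masquerading on the forward chain, which is why the ruleset itself is an unlikely place for the one-site failure to hide; the same parser will flag a DENY policy or REJECT rule if a later listing contains one.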
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale