ppp -auto <service> dials on internal connection

Post by Matt Pove » Thu, 31 May 2001 02:01:48



Hi,

I've put this off for a while now (aversion to public displays of idiocy)
but have finally realised I must request help. I've built a tidy little
firewall (following *the* book) using OBSD2.8. Everything works perfectly
except that ppp -auto seems to dial out whenever it sees traffic inbound to
the firewall regardless of whether that traffic is destined for the machine
itself (i.e. me SSHing into the box from my private network) or for the
outside world.

This is by no means the end of the world but as our chums in British Telecom
charge us 5p to connect any call regardless of the length of that call, it's
getting expensive (I spend a lot of time SSHing in to learn).

I can provide any information about config. that's required and any help
would be gratefully received.

Regards.

Matt


Post by colonel pan » Thu, 31 May 2001 17:54:52



>I've put this off for a while now (aversion to public displays of idiocy)
>but have finally realised I must request help. I've built a tidy little
>firewall (following *the* book) using OBSD2.8. Everything works perfectly
>except that ppp -auto seems to dial out whenever it sees traffic inbound to
>the firewall regardless of whether that traffic is destined for the machine
>itself (i.e. me SSHing into the box from my private network) or for the
>outside world.

>This is by no means the end of the world but as our chums in British Telecom
>charge us 5p to connect any call regardless of the length of that call, it's

bastards, aren't they?

>I can provide any information about config. that's required and any help
>would be gratefully received.

well, this is a wild guess, but when things start dialing up for no reason
on any platform suspect DNS. bung in some number and name mappings in your
hosts file on the dial out server... and make sure the box you're SSHing from
is included in the list.

if this solves the problem I'd strongly recommend you invest a little time
in setting up a proper caching DNS server on the dialout box anyway. this
will cut down on network traffic a little more/speed things up a bit.
there's an excellent little tutorial in the OpenBSD FAQ plus a few more on the
web.

finally, if that doesn't work, try checking your logs carefully and/or using
tcpdump to see what network traffic is being generated when you use the
box.

good luck

cp
--
help prevent global warming  ---------------------->   http://www.stopesso.com/


Post by Matt Pove » Thu, 31 May 2001 19:46:59


Colonel,


> >This is by no means the end of the world but as our chums in British Telecom
> >charge us 5p to connect any call regardless of the length of that call, it's

> bastards, aren't they?

Yes. I should get cable but I like my Demon static IP too much :-).

> well, this is a wild guess, but when things start dialing up for no reason
> on any platform suspect DNS. bung in some number and name mappings in your
> host file on the dial out server... and make sure the box your ssh-ing from
> is included in the list.

That makes good sense. I'll try logging into the console directly and do a
tcpdump while SSHing from somewhere else to prove it, but in the meantime
I'll stick appropriate entries in there tonight (I'm a lazy *, I should
have done it ages ago).

> if this solves the problem i'd strongly recommend you invest a little time
> in setting up a proper caching DNS server on the dialout box anyway. this
> will cut down on network traffic a little more/speed things up a bit.
> there's an excellent little tutorial in the oBSD faq plus a few more on the
> web.

Been meaning to do that. I've been a little concerned about sticking BIND on
there given how little I know about it (security wise), but I suppose that so
long as my ipf.rules is OK I should be safe (is this right?).

> finally, if that doesn't work, try checking your logs carefully and/or using
> TCP dump to see what network traffic is being generated when  you use the
> box.

I'll do that anyhow, be useful for getting my head round it all.

Thanks for that, I'll report back how I get on.

Cheers.

Matt


Post by Matt Pove » Fri, 01 Jun 2001 05:36:00


Hmm.

Added entries to hosts (firewall can ping the workstation by name OK). Sadly
though the problem still occurs.

So. I ran up "tcpdump -i tun0" in an already connected SSH term and started
another. Lo and behold, DNS requests were being fired to my local DNS
server. In other words, you were spot on.

I've read the man pages for hosts & resolv.conf, neither of which seems to
adequately explain the name resolution order. Do you know what order
attempts to resolve names are made in, or is there an entry to resolv.conf
that I can make to force a check of hosts prior to hitting the DNS servers?
It seems to me that it is hitting the DNS servers before checking the hosts
file.

Either way, the next steps I'll be taking are 1) find something to show me
what's inside the packets being sent to the DNS server (Ethereal?) and 2) like
you say, get my arse into gear and learn BIND.

Thanks again for help already received (I'm on the right track now &
learning..... Honest) & TIA for any more ;-).

Regards.

Matt

PS. Am I right in saying that the load order for IPF, PPP and IPNAT should
be IPF, PPP, IPNAT, or some other? The reason I ask is that I always have to
run "sh /etc/netstart" to get name resolution working from the private
network after the dial up connection has been made.




Post by Matt Pove » Sat, 02 Jun 2001 03:56:45


Hi,


> search my.internal-domain.net
> lookup file

That's sorted it (it's checking the hosts file first now; SSH also connects
immediately, I was wondering what the delay was). Thanks to both of you. No
doubt I'll be back with more problems at a later date.

Cheers again.

Regards.

Matt

Post by Matt Pove » Fri, 01 Jun 2001 18:33:32


Lurker,

Thanks for that, I'll give it a shot tonight and add djbdns to the "learn
list". I take it that the hosts/resolv.conf config. is a generic BSD thing?

Regards.

Matt


> On my gateway box, my resolv.conf looks like this:

> search my.internal-domain.net
> lookup file
> nameserver IP-of-internal-name-server

> (The "search my.internal-domain.net" part is only there to overwrite
> the "search my-ISP-domain.net" string sent by my ISP's DHCP server).

> normally by putting either "lookup file" or "nameserver
> your-internal-name-server-IP" first, you should avoid dialing out.

> >Either way, the next steps I'll be taking are 1) find something to show me
> >what's inside the packets being sent to the DNS server (Ethereal?) 2) Like
> >you say, get my arse into gear and learn BIND.

> I don't want to start a holy war, but because I only wanted a small
> internal dns cache (and BIND's less than stellar reputation), I
> started using djbdns, small/efficient/simple. It has worked very well
> since, and I also started running a small nameserver for the LAN (with
> the same software suite). The dnscache is listening on the internal
> NIC, and queries the local server (listening on localhost) for local
> domain names. Works fine for a home LAN, haven't had any troubles
> with it.

> [snip]
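
As an added example (not from the thread or any poster), this simulates the resolver behaviour the two replies describe: the `lookup` keyword in resolv.conf(5) lists the sources to consult in order, so a `lookup file bind` line answers from hosts first and sends DNS queries only for names hosts does not hold, while the `lookup file` quoted above leaves DNS out entirely. Assumptions: the default order without a `lookup` line was "bind file" (the 4.4BSD-derived resolver of the time), and the search-suffix handling is a simplification of res_search(); the hosts entries and nameserver address are constructed.

```python
# Added example (not from the thread): simulate the 4.4BSD resolver's lookup order
# to see which names /etc/hosts answers and which send a DNS query out of the box
# (on a ppp -auto gateway, that query is the traffic that raises the link).
DEFAULT_LOOKUP = ["bind", "file"]   # assumed default when resolv.conf has no 'lookup' line

def parse_resolv_conf(text):
    """Collect the lookup order, search suffixes and nameservers from resolv.conf text."""
    conf = {"lookup": None, "search": [], "nameserver": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "lookup":
            conf["lookup"] = args          # sources, in the order they are tried
        elif key in ("search", "domain"):
            conf["search"] = args          # suffixes appended to unqualified names
        elif key == "nameserver" and args:
            conf["nameserver"].append(args[0])
    return conf

def parse_hosts(text):
    """Map every name and alias in hosts-file text to its address (first entry wins)."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def resolve(name, conf, hosts):
    """Walk the lookup order. Returns ("file", address) when hosts answers,
    ("bind", [query names]) at the point a DNS packet would leave the box,
    or (None, None) when no configured source can answer."""
    for source in conf["lookup"] or DEFAULT_LOOKUP:
        if source == "file" and name.lower() in hosts:
            return ("file", hosts[name.lower()])
        if source == "bind" and conf["nameserver"]:
            # Approximates res_search(): unqualified names get each search suffix
            # first, then the bare name; a name containing a dot goes as-is.
            if "." in name:
                return ("bind", [name])
            return ("bind", [f"{name}.{d}" for d in conf["search"]] + [name])
    return (None, None)

def would_dial(name, conf, hosts):
    """True when resolving `name` emits a DNS query, i.e. traffic for ppp -auto to act on."""
    return resolve(name, conf, hosts)[0] == "bind"
```

Feed it the gateway's actual /etc/hosts and /etc/resolv.conf and the name of the box you SSH from; a "bind" result is the lookup tcpdump on tun0 was showing.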

Post by Vort » Mon, 04 Jun 2001 06:22:16


On Wed, 30 May 2001 11:46:59 +0100, "Matt Povey"
<snip>
>> if this solves the problem i'd strongly recommend you invest a little time
>> in setting up a proper caching DNS server on the dialout box anyway. this
>> will cut down on network traffic a little more/speed things up a bit.
>> there's an excellent little tutorial in the oBSD faq plus a few more on the
>> web.
>Been meaning to do that, I've been a little concerned about sticking BIND on
>there given how little I know about it (security wise) but I suppose that so
>long as my ipf.rules is OK I should be safe (this right?).

<snip>

Better than that, you can set a "listen-on { localnets; };" type
directive in the named.conf file and have it only bind (heh pun :) )
to your internal interfaces.

BIND is the sort of thing you'll despise until you get the hang of it,
then it all seems to make sense and you begin to quite like it :) I've
not quite got the hang of DJB's warez yet as I haven't had the need
to, I'm hearing so many good things about it I might well sit down and
investigate one day :)

OT: You think BT suck? How about NTL? Next to impossible to get
unmetered access, and totally impossible to get broadband if you live
in the "wrong area" :(

--
vortex at caffeine dot darktech dot org
(caffeine.org.uk name has dns probs, box is back though :) )