resolving locally



Old 01-30-2004
Paddy
resolving locally

Hi,

We have apache running an SSL site and a few name based virtual sites. This
server sits in our DMZ. All names on the server resolve to private IPs via
hosts. The firewall maps public IPs to private IPs. All is working well
until now. We now need to do curl from one of the virtual sites to the
secure site. For some reason Apache is resolving the name to the Public IP
and the Firewall is stopping this from happening.
If (on the local machine) I ping the name of any of the sites I get a
response from the correct private IP. If I telnet the same name it tries to
connect to the public IP.
Why would ping return the IP from the hosts file yet Apache, Lynx and telnet
resolve to the public IP? I noticed in host.conf that multi was set to on, I
set this to off but it didn't help. In hosts.conf the order is hosts bind.

What am I missing?

TIA,

Patrick


Old 01-31-2004
Cameron Kerr
Re: resolving locally

Paddy <patrick@scotcomms.co.uk> wrote:

NOTE: Have a look at my last comment first, I think that may be the most
likely cause of some of your problems.

> Hi,
>
> We have apache running an SSL site and a few name based virtual sites. This
> server sits in our DMZ. All names on the server resolve to private IPs via
> hosts.


Are you using DNS at all?

I suggest that you give each side of the firewall a different domain
name, and then each uses its own search record in /etc/resolv.conf
(btw, what is in resolv.conf?). Then, have an A or CNAME record for the
webserver registered in each domain if you need to have access to it via
a different IP address.

You're using name-based virtual sites, so DNS is fairly crucial, I would
have thought.

> The firewall maps public IPs to private IPs.


You mean you're doing port forwarding to get back through a NAT?

> All is working well until now. We now need to do curl from one of the
> virtual sites to the secure site.


So you're accessing what is essentially localhost? Is it accessing it
via 127.0.0.1, or the normal IP address?

> For some reason Apache is resolving the name to the Public IP
> and the Firewall is stopping this from happening.


You mean it's dropping packets? Does it work when there are ONLY the
rules for NAT installed?

Check that the reverse DNS lookups resolve to what you expect.

> If (on the local machine) I ping the name of any of the sites I get a
> response from the correct private IP. If I telnet the same name it tries to
> connect to the public IP.


What rules exactly are installed in your firewall for doing NAT?

> Why would ping return the IP from the hosts file yet Apache, Lynx and telnet
> resolve to the public IP? I noticed in host.conf that multi was set to on, I
> set this to off but it didn't help. In hosts.conf the order is hosts bind.


hosts.conf is the old version. What is in /etc/nsswitch.conf? It could
be the two are not equal, and that ping is using the older hosts.conf,
while the rest is using the newer nsswitch.conf.

--
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
Old 02-02-2004
Paddy
Re: resolving locally

> NOTE: Have a look at my last comment first, I think that may be the most
> likely cause of some of your problems.
>


> I suggest that you give each side of the firewall a different domain
> name, and then each uses its own search record in /etc/resolv.conf
> (btw, what is in resolv.conf?). Then, have an A or CNAME record for the
> webserver registered in each domain if you need to have access to it via
> a different IP address.
>

This is a hardware firewall, so I'm limited to its way of configuring it. It
has two ways of setting up the DMZ - 'Transparent' and NAT. Limitations on
the former meant I had to set it up as NAT.

> > The firewall maps public IPs to private IPs.

>
> You mean you're doing port forwarding to get back through a NAT?


No, the firewall maps the 'Public' IP to the 'Private' IP so it's more like
'IP forwarding'.
>
> > All is working well until now. We now need to do curl from one of the
> > virtual sites to the secure site.

>
> So you're accessing what is essentially localhost? Is it accessing it
> via 127.0.0.1, or the normal IP address?


With it being curl from a virtual host to an SSL site we get away with using the
IP the secure site runs on. However we've had to lower the SSL checking so
that it doesn't check the hostname.
I'd like to solve this problem so that we can increase the checking, and to
avoid problems in the future.

> > For some reason Apache is resolving the name to the Public IP
> > and the Firewall is stopping this from happening.

>
> You mean it's dropping packets? Does it work when there are ONLY the
> rules for NAT installed?

Yes. Curl is trying to use the 'Public' IP so is trying to access the SSL
site on the firewall external interface. This is something that the firewall
won't allow, and I've no way of forcing it.

> Check that the reverse DNS lookups resolve to what you expect.

The DNS resolves to the 'Public' IP; this is as it should be for everything
except the server itself. It should resolve to the private IPs in the hosts
file. Unfortunately this too seems to be ignoring the hosts file.

> > If (on the local machine) I ping the name of any of the sites I get a
> > response from the correct private IP. If I telnet the same name it tries to
> > connect to the public IP.

>
> What rules exactly are installed in your firewall for doing NAT?


With this firewall I get the following:
int->ext, int->dmz, ext->dmz, ext->int, dmz->int, dmz->ext. I can apply any
rules I like to these. Unfortunately what is happening is basically
dmz->dmz (via ext). The firewall can't handle this.

> > Why would ping return the IP from the hosts file yet Apache, Lynx and telnet
> > resolve to the public IP? I noticed in host.conf that multi was set to on, I
> > set this to off but it didn't help. In hosts.conf the order is hosts bind.
>
> hosts.conf is the old version. What is in /etc/nsswitch.conf? It could
> be the two are not equal, and that ping is using the older hosts.conf,
> while the rest is using the newer nsswitch.conf.


This seems to be it. My nsswitch.conf is as follows:

password: compat
group: compat
shadow: compat
hosts: files dns
network: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

As I said in my OP, my hosts.conf is 'order hosts bind'; does this not
relate to the 'hosts: files dns' line in the nsswitch.conf file?

Thanks for your help on this one.

--
Patrick

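Cameron's point that glibc consults /etc/nsswitch.conf (the `hosts:` line) rather than the older host.conf, walked through as an added example that is not code from anyone in the thread: a small Python model of the NSS lookup order over a constructed hosts file and a constructed DNS table, plus a check that flags names whose local (hosts-file) and public (DNS) answers differ, which is exactly the split-horizon situation Patrick describes.

```python
"""Walk an nsswitch.conf 'hosts:' line the way glibc NSS does: try each
source in order and stop at the first answer.  Added illustration; the hosts
file and DNS table are constructed stand-ins (host.conf is not consulted)."""

NSSWITCH = "hosts: files dns\n"   # the line from the nsswitch.conf posted above

# Constructed /etc/hosts: site names pinned to the DMZ (private) addresses.
HOSTS_FILE = """
127.0.0.1   localhost
10.0.5.20   www.example.test secure.example.test
# 10.0.5.21 old.example.test   <- commented out, must be ignored
"""
# Constructed stand-in for the public zone: same names, public addresses.
DNS_TABLE = {"www.example.test": "198.51.100.20",
             "secure.example.test": "198.51.100.20", "mail.example.test": "198.51.100.25"}

def nss_order(nsswitch_text, database="hosts"):
    """Return the ordered source list for one database, e.g. ['files', 'dns']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):  # drop [NOTFOUND=return]-style actions
            return [tok for tok in line.split(":", 1)[1].split()
                    if not tok.startswith("[")]
    return []

def lookup_files(name, hosts_text):
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) >= 2 and name.lower() in [f.lower() for f in fields[1:]]:
            return fields[0]
    return None

def lookup_dns(name, table): return table.get(name.lower())

def resolve(name, nsswitch_text=NSSWITCH, hosts_text=HOSTS_FILE, dns=DNS_TABLE):
    """(address, source) from the first source that answers, else (None, None)."""
    for source in nss_order(nsswitch_text):
        addr = lookup_files(name, hosts_text) if source == "files" else \
               lookup_dns(name, dns) if source == "dns" else None
        if addr:
            return addr, source
    return None, None

def split_horizon_mismatch(name, hosts_text=HOSTS_FILE, dns=DNS_TABLE):
    """True when /etc/hosts and DNS disagree: a client that bypasses NSS and
    queries DNS directly would then reach the public address instead."""
    local, public = lookup_files(name, hosts_text), lookup_dns(name, dns)
    return local is not None and public is not None and local != public
```

Swapping the order to `hosts: dns files` makes `resolve` return the public address first, which is the observable difference between the two configurations being compared in the thread.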
