
Re: pf problems



You need "split DNS" (split-brain DNS, split-horizon DNS, or BIND9
"view").  Have 1 DNS server inside the firewall for all your internal
clients.  Put your internal addresses in there (192.168's).  Use that
server when you're "inside" and all will be well.  Keep the external DNS
as-is.  Do not let them know about each other.



> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] 
> On Behalf Of obsd
> Sent: Friday, October 17, 2003 2:41 PM
> To: misc@openbsd.org
> Subject: pf problems
> 
> 
> I am using OpenBSD 3.3 as a company firewall.  I have looked 
> for an answer but have not found it.  I am sure it is simple 
> and I am overlooking it.
> 
> Our webservers are behind the firewall, and several different 
> rdr and nat rules work fine, from the outside.  From inside 
> the 192.168.x.x network, I cannot resolve the FQDN; I have 
> to use the 192.168.x.x address to get to the server.
> 
> Some new applications have been built that need to use the 
> domain name, and from the outside they work, but from behind 
> the firewall, they don't resolve.  I understand that the 
> requests from inside are most likely being denied by the 
> firewall since it does not know what to do with them, but I 
> do not know the solution.  I have tried binat rules in the 
> pf.conf in accordance with the pf faq, as it sounds like the answer:
> 
> web_serv_int = "192.168.1.30"
> web_serv_ext = "public ip"
> 
> binat on em0 from $web_serv_int to any -> $web_serv_ext
> 
> but I continue to get the same error, i.e. the connection at 
> work is refused by the webserver.  My thinking is because the 
> internal nic has no idea what to do with these requests, 
> since nat is done from the ext interface.
> 
> I am willing to learn from my mistakes if someone can just 
> point me in the right direction.
> 
> brian
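An added illustration of the split-horizon setup suggested in the reply, using the single-server BIND9 "view" variant rather than two separate servers; this is not configuration from the thread. It assumes a placeholder zone "example.com", an internal network of 192.168.0.0/16, and 203.0.113.10 standing in for the "public ip" the poster did not give.

```conf
// named.conf fragment (added example, not from the original thread).
// Assumptions: zone "example.com" is a placeholder, the inside network is
// 192.168.0.0/16, and 203.0.113.10 stands in for the public IP.

acl "inside" { 192.168.0.0/16; 127.0.0.1; };

// Inside clients match this view first and get the private address,
// so http://www.example.com/ from the LAN reaches 192.168.1.30 directly
// instead of trying to hairpin through the firewall's external interface.
view "internal" {
    match-clients { inside; };
    recursion yes;                  // LAN clients may use this server as their resolver
    zone "example.com" {
        type master;
        // internal zone file contains:  www  IN  A  192.168.1.30
        file "/var/named/internal/example.com.db";
    };
};

// Everyone else falls through to this view and gets the public address.
// Keeping recursion off here avoids exposing an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        // external zone file contains:  www  IN  A  203.0.113.10
        file "/var/named/external/example.com.db";
    };
};
```

To confirm the split is working, query the server from a 192.168.x.x host and from outside: `dig @<server> www.example.com A` should return 192.168.1.30 inside and 203.0.113.10 outside, and the two zone files must be maintained separately since neither view knows about the other.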