rndc across stateful firewall
Mark.Andrews at nominum.com
Wed Apr 4 22:19:58 UTC 2001
The rndc channel needs to be configured in named.conf.
named.conf:
key "rndc_key" { ... } ;
controls { inet ... keys { rndc_key; }; };
Mark
>
> I am trying to use rndc on a machine in our internal network to reload a
> machine in our DMZ segment across a Cisco PIX firewall. It looks at
> first glance like the very first reply packet from the rndc server sets
> the reset flag at which point the firewall closes the connection.
>
> %PIX-6-302001: Built outbound TCP connection 7872462 for faddr
> 10.0.141.4/953 gaddr 10.0.240.83/32951 laddr 10.0.240.83/32951
> %PIX-6-302002: Teardown TCP connection 7872462 faddr 10.0.141.4/953
> gaddr 10.0.240.83/32951 laddr 10.0.240.83/32951 duration 0:00:01 bytes 8
> (TCP Reset-O)
> %PIX-6-106015: Deny TCP (no connection) from 10.0.141.4/953 to
> 10.0.240.83/32951 flags RST ACK on interface inside
>
> Here is an example of another service that connects between these
> machines just fine.
> %PIX-6-302001: Built outbound TCP connection 7880170 for faddr
> 10.0.141.4/22 gaddr 10.0.240.83/32952 laddr 10.0.240.83/32952
> %PIX-6-302002: Teardown TCP connection 7880170 faddr 10.0.141.4/22 gaddr
> 10.0.240.83/32952 laddr 10.0.240.83/32952 duration 0:00:01 bytes 18387
> (TCP FINs)
>
> All machines here are using bind 9.1.1
>
> Has anyone else seen this problem? Is the ndc listener just not
> performing tcp handshaking by the book?
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
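The named.conf/rndc.conf pairing Mark describes, as an added example that is not part of the original post or of ISC's BIND: a small Python script that does by hand what rndc-confgen does (generate a random HMAC-MD5 secret and emit the key statement for both files plus a controls statement for named) and then checks that the two files carry the same key name and secret. The addresses 10.0.141.4 (DMZ name server) and 10.0.240.83 (management host) and port 953 are taken from the PIX log in the question; binding the listener to the DMZ address and restricting `allow` to the management host are this script's assumptions about a sensible layout, not something the thread states.

```python
"""Generate a matching rndc key / controls pair for named.conf and rndc.conf.

Added example for this thread; not code from ISC BIND or from the poster.
It does by hand what rndc-confgen does: make a random HMAC-MD5 secret and
print a key statement for both files plus a controls statement for named.
Addresses are assumptions taken from the PIX log in the question:
10.0.141.4 is the DMZ name server, 10.0.240.83 the management host.
"""
import base64
import re
import secrets

KEY_NAME = "rndc_key"
ALGORITHM = "hmac-md5"  # what BIND 9.1 rndc speaks; newer BIND also accepts hmac-sha256
KEY_BYTES = 16          # 128-bit secret, the size rndc-confgen uses by default


def generate_secret(nbytes=KEY_BYTES):
    """Return a fresh random secret, base64-encoded as named.conf expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_bits(secret):
    """Length in bits of a base64 secret (used to reject short keys)."""
    return 8 * len(base64.b64decode(secret))


def key_stanza(name, secret, algorithm=ALGORITHM):
    """The key statement; identical text goes into both files."""
    return (
        f'key "{name}" {{\n'
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


def named_conf_controls(name, secret, listen_addr, allowed, port=953):
    """named.conf side: the key plus a controls statement bound to one
    address, restricted to the listed management hosts, signed with the key."""
    allow_list = " ".join(f"{a};" for a in allowed)
    return key_stanza(name, secret) + (
        "controls {\n"
        f'    inet {listen_addr} port {port} allow {{ {allow_list} }} keys {{ "{name}"; }};\n'
        "};\n"
    )


def rndc_conf(name, secret, server, port=953):
    """rndc.conf side: default server/port/key plus the same key statement."""
    return (
        "options {\n"
        f"    default-server {server};\n"
        f"    default-port {port};\n"
        f'    default-key "{name}";\n'
        "};\n"
    ) + key_stanza(name, secret)


# Matches a key statement and captures its name and secret.
_KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{[^}]*?secret\s+"([^"]+)"')


def shared_key(named_conf_text, rndc_conf_text):
    """Return (name, secret) if both files define a key with the same name and
    secret, else None. A mismatch is the usual reason named refuses rndc."""
    in_named = dict(_KEY_RE.findall(named_conf_text))
    in_rndc = dict(_KEY_RE.findall(rndc_conf_text))
    for name, secret in in_named.items():
        if in_rndc.get(name) == secret:
            return name, secret
    return None


if __name__ == "__main__":
    secret = generate_secret()
    named_side = named_conf_controls(KEY_NAME, secret, "10.0.141.4", ["10.0.240.83"])
    rndc_side = rndc_conf(KEY_NAME, secret, "10.0.141.4")
    print("# --- named.conf (on 10.0.141.4) ---\n" + named_side)
    print("# --- rndc.conf (on 10.0.240.83) ---\n" + rndc_side)
    assert shared_key(named_side, rndc_side) == (KEY_NAME, secret)
```

named accepts a control connection only when it is signed with a key listed in the controls statement, so the secret must match byte for byte on both hosts; the `shared_key` check catches the copy-and-paste mismatch before the firewall log does. The `allow` list means the only path to the control channel is TCP/953 from the management host, which is also the single firewall rule that needs to exist.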