rndc across stateful firewall
Jim Reid
jim at rfc1035.com
Wed Apr 4 22:21:00 UTC 2001
>>>>> "Scott" == Scott Taylor <staylor at coloradomusic.com> writes:
Scott> I am trying to use rndc on a machine in our internal
Scott> network to reload a machine in our DMZ segment across a
Scott> Cisco PIX firewall. It looks at first glance like the very
Scott> first reply packet from the rndc server sets the reset flag
Scott> at which point the firewall closes the connection.
Scott> All machines here are using bind 9.1.1
Scott> Has anyone else seen this problem? Is the ndc listener just
Scott> not performing tcp handshaking by the book?
Of course not! Why would the server's OS have some special way of
handling incoming TCP connections that wasn't protocol compliant? And
if such a thing existed in the kernel's TCP/IP stack, why would the
rndc listener socket want to use it? [How would it know this feature
even existed?] It looks like there's something bad going on with the
firewall: perhaps some broken Network Address Translation or something
equally ugly and that's what's causing the connection to be aborted. Or
maybe you're just seeing the remote name server rejecting the rndc
connection because it comes from an unwanted source?
If you want more help, show what's in named.conf and the name server's
logs. The firewall logs are not relevant or particularly useful. They
don't say who's connecting to what or what happened to the name
servers and rndc.
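For readers following the thread: the part of named.conf the reply is asking about is the controls statement, which decides from which addresses (and with which key) named accepts an rndc session, together with the matching rndc.conf on the client side. The fragment below is an added illustration and not configuration from the thread; the addresses, the key name and the secret are placeholders, and hmac-md5 is shown because it is the algorithm BIND 9.1 supported.

```conf
// named.conf on the DMZ name server (placeholder addresses, not from the thread)
key "rndc-key" {
    algorithm hmac-md5;          // BIND 9.1 only knew hmac-md5; current releases also take hmac-sha256
    secret "c3VwZXJzZWNyZXQ=";   // placeholder base64 secret; generate a real one with rndc-confgen
};

controls {
    // Listen on the DMZ interface only, and accept sessions from the internal
    // host as its source address appears to named, i.e. after any translation
    // the firewall performs. A key is required for an inet control channel.
    inet 192.0.2.53 port 953 allow { 10.1.1.20; } keys { "rndc-key"; };
};

// rndc.conf on the internal host that runs rndc
options {
    default-server 192.0.2.53;
    default-key "rndc-key";
};

server 192.0.2.53 {
    key "rndc-key";
};

key "rndc-key" {
    algorithm hmac-md5;
    secret "c3VwZXJzZWNyZXQ=";   // must match the server's key byte for byte
};
```

If the firewall rewrites the client's source address, the address in the allow list has to be the rewritten one or named will not accept the session. Which side tears the connection down is visible in the name server's log and in a packet capture taken on the DMZ host itself (rndc uses TCP port 953 by default), which is the information the firewall logs cannot provide.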