topherg's questions

I have decided to do a bit of spring cleaning, and am doing a refresh of some of my underlying infrastructure.

One of the critical components I am overhauling is the Network Gateway server. I updated my Test Environment (which is an identical, but lower power copy of my Production Environment), and all worked well, but when I applied the same to my Production system, the firewall-cmd rules do not persist between reboots.

I have to run the following commands at startup:

# firewall-cmd --remove-interface=eth0 --zone=public
# firewall-cmd --remove-interface=eth1 --zone=public
# firewall-cmd --remove-interface=eth0 --zone=public --permanent
# firewall-cmd --remove-interface=eth1 --zone=public --permanent
# firewall-cmd --add-interface=eth0 --zone=external
# firewall-cmd --add-interface=eth1 --zone=internal
# firewall-cmd --add-interface=eth0 --zone=external --permanent
# firewall-cmd --add-interface=eth1 --zone=internal --permanent
# firewall-cmd --complete-reload

At which point normal service is resumed. When I run # firewall-cmd --list-all-zones after reboot, both of the interfaces have left the internal and external zones, and have returned to the public zone.

Can someone shed some light on why these settings are not persisting?

I have been trying to install IPA on my CentOS system for several days, but I keep experiencing a problem with DNS forwarding, in that I am unable to get it working. I have tried this with two DNS namespaces:

• ost.local
• ost.example.com (where example.com is a domain I own, but have minimal access to, a web administration panel points that exact domain via an A record to my public IP)

When I install IPA, and ask ipa-server-install to configure BIND as well, which it does. But, when it asks for the forwarders, I enter 8.8.8.8 and 8.8.4.4 (I have also tried with my Router and ISP DNS addresses), but I get the following:

Do you want to configure DNS forwarders? [yes]:
Enter the IP address of DNS forwarder to use, or press Enter to finish.
Enter IP address for a DNS forwarder: 8.8.8.8
DNS forwarder 8.8.8.8 added
Enter IP address for a DNS forwarder: 8.8.4.4
DNS forwarder 8.8.4.4 added
Enter IP address for a DNS forwarder: 
Checking forwarders, please wait ...
ipa         : ERROR    Forwarder 8.8.8.8 does not work
Forwarder 8.8.8.8 does not respond

The install exits at this point, but if I perform the install without configuring DNS forwarders, I am able to, but I get this error when I try to configure the DNS forwarders from IPA:

If I connect via nslookup (either locally, or remotely), I can query the local zone, but if I request a record outside of the zone, I get:

# nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> google.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.206.100

> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> directory.ost.example.com
Default server: 127.0.0.1
Address: 127.0.0.1#53

Name: directory.ost.example.com
Address: 192.168.0.2
> google.com
Default server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find google.com: NXDOMAIN

here is dig @127.0.0.1 google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> @127.0.0.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 1470 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 06 10:11:47 GMT 2015
;; MSG SIZE  rcvd: 39

Does anyone have any ideas what is wrong?

My named.conf file looks like:

options {
        listen-on-v6 {any;};

        directory "/var/named";
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        forward first;
        forwarders { };

        allow-query { 127.0.0.1; 192.168.0.0/24; };

        recursion yes;
        allow-recursion { 127.0.0.1; 192.168.0.0/24; };

        tkey-gssapi-keytab "/etc/named.keytab";
        pid-file "/run/named/named.pid";

        dnssec-enable no;
        dnssec-validation no;

        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
                print-time yes;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-OST-EXAMPLE-COM.socket";
        arg "base cn=dns, dc=ost,dc=example,dc=com";
        arg "fake_mname directory.ost.example.com.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/directory.ost.example.com";
        arg "serial_autoincrement yes";
};

EDIT

here is a packet trace during an nslookup to microsoft.com via 127.0.0.1, but it still reported nothing:

# tcpdump -i eth0 udp port 53 -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:11:46.398533 IP (tos 0x0, ttl 64, id 30233, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.44598 > google-public-dns-a.google.com.domain: 16053+ [1au] NS? . (28)
11:11:46.398550 IP (tos 0x0, ttl 64, id 30234, offset 0, flags [none], proto UDP (17), length 70)
    directory.ost.example.com.28345 > google-public-dns-a.google.com.domain: 1718+% [1au] A? microsoft.com. (42)
11:11:46.399423 IP (tos 0x0, ttl 64, id 47839, offset 0, flags [DF], proto UDP (17), length 66)
    directory.ost.example.com.49824 > router.domain: 62950+ PTR? 8.8.8.8.in-addr.arpa. (38)
11:11:46.400157 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    router.25830 > directory.ost.example.com.domain: 18328+ [1au] NS? . (28)
11:11:46.400675 IP (tos 0x0, ttl 64, id 30235, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.61359 > google-public-dns-a.google.com.domain: 9755+% [1au] NS? . (28)
11:11:46.400860 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
    router.47804 > directory.ost.example.com.domain: 7806+% [1au] A? microsoft.com. (42)
11:11:46.401766 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 110)
    router.domain > directory.ost.example.com.49824: 62950 1/0/0 8.8.8.8.in-addr.arpa. PTR google-public-dns-a.google.com. (82)
11:11:46.402049 IP (tos 0x0, ttl 64, id 47840, offset 0, flags [DF], proto UDP (17), length 71)
    directory.ost.example.com.46228 > router.domain: 16395+ PTR? 1.10.168.192.in-addr.arpa. (43)
11:11:46.402586 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    router.dj-ice > directory.ost.example.com.domain: 51438+% [1au] NS? . (28)
11:11:46.403149 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 91)
    router.domain > directory.ost.example.com.46228: 16395* 1/0/0 1.10.168.192.in-addr.arpa. PTR router. (63)
11:11:51.401318 IP (tos 0x0, ttl 64, id 12713, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.33381 > google-public-dns-b.google.com.domain: 47813+ [1au] NS? . (28)
11:11:51.401339 IP (tos 0x0, ttl 64, id 12714, offset 0, flags [none], proto UDP (17), length 70)
    directory.ost.example.com.15062 > google-public-dns-b.google.com.domain: 31947+% [1au] A? microsoft.com. (42)
11:11:51.401501 IP (tos 0x0, ttl 64, id 12715, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.21893 > google-public-dns-b.google.com.domain: 50112+% [1au] NS? . (28)
11:11:51.401690 IP (tos 0x0, ttl 64, id 47841, offset 0, flags [DF], proto UDP (17), length 66)
    directory.ost.example.com.36630 > router.domain: 10373+ PTR? 4.4.8.8.in-addr.arpa. (38)
11:11:51.403092 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    router.51126 > directory.ost.example.com.domain: 45362+ [1au] NS? . (28)
11:11:51.403831 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
    router.55917 > directory.ost.example.com.domain: 15092+% [1au] A? microsoft.com. (42)
11:11:51.404510 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    router.41956 > directory.ost.example.com.domain: 25944+% [1au] NS? . (28)
11:11:51.405130 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 110)
    router.domain > directory.ost.example.com.36630: 10373 1/0/0 4.4.8.8.in-addr.arpa. PTR google-public-dns-b.google.com. (82)
11:11:56.400719 IP (tos 0x0, ttl 64, id 47842, offset 0, flags [none], proto UDP (17), length 70)
    directory.ost.example.com.domain > router.47804: 7806 ServFail 0/0/1 (42)
11:11:56.400754 IP (tos 0x0, ttl 64, id 47843, offset 0, flags [none], proto UDP (17), length 70)
    directory.ost.example.com.domain > router.55917: 15092 ServFail 0/0/1 (42)
11:11:56.401898 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
    google-public-dns-a.google.com.domain > directory.ost.example.com.28345: 1718 ServFail 0/0/1 (42)
11:11:56.402396 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 70)
    google-public-dns-b.google.com.domain > directory.ost.example.com.15062: 31947 ServFail 0/0/1 (42)
11:11:56.402620 IP (tos 0x0, ttl 64, id 47844, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.domain > router.25830: 18328 ServFail 0/0/1 (28)
11:11:56.402630 IP (tos 0x0, ttl 64, id 47845, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.domain > router.dj-ice: 51438 ServFail 0/0/1 (28)
11:11:56.402655 IP (tos 0x0, ttl 64, id 47846, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.domain > router.51126: 45362 ServFail 0/0/1 (28)
11:11:56.402661 IP (tos 0x0, ttl 64, id 47847, offset 0, flags [none], proto UDP (17), length 56)
    directory.ost.example.com.domain > router.41956: 25944 ServFail 0/0/1 (28)
11:11:56.403645 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    google-public-dns-a.google.com.domain > directory.ost.example.com.44598: 16053 ServFail 0/0/1 (28)
11:11:56.403916 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    google-public-dns-a.google.com.domain > directory.ost.example.com.61359: 9755 ServFail 0/0/1 (28)
11:11:56.404643 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    google-public-dns-b.google.com.domain > directory.ost.example.com.33381: 47813 ServFail 0/0/1 (28)
11:11:56.404844 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 56)
    google-public-dns-b.google.com.domain > directory.ost.example.com.21893: 50112 ServFail 0/0/1 (28)

I have an Apache 2.4 server running as an SSL Reverse Proxy for a number of servers I have running, and I am introducing some Client Certificate Authentication for this.

However, there are many automated services that use this gateway and cannot be modified to use Client Certificates for authentication, but still require the Reverse Proxy.

Presently, to turn on Client Certificates, I am using:

SSLCADNRequestFile /.../my_ca.crt

SSLVerifyClient require

<Location />
    SSLOptions      +FakeBasicAuth
    AuthName        "Auth Only Area"
    AuthType        Basic
    AuthUserFile    /.../clientAuth.htpasswd
    require         valid-user
</Location>

which works fine.

But, is there any way that I can skip this for any requests that come from (for example) the IP address 12.34.56.78?