Re: Squid & Bind8 on the same box

From: Clifton Royston <cliftonr@dont-contact.us>
Date: Tue, 14 Mar 2000 09:38:50 -1000

On Tue, Mar 14, 2000 at 02:17:03PM +0200, Dave Wilson wrote:
> Hi there guys, howzit going?
>
> I'm running Squid2.2STABLE4 on a FreeBSD 3.4 platform, in transparent
> mode. It works brilliantly!! I've had no hassles at all with it. In
> fact it seems to run better on FreeBSD than it does with Linux. Now
> the thing is that I need to run Named (Bind8) on the same box too. I
> have installed Bind8 in the usual way and have set up all my zone
> files etc., and bound it to a secondary IP on the LAN card in the
> FreeBSD box using: "ifconfig fxp0 196.22.56.4 netmask 255.255.255.128
> alias".

Are you sure you want that netmask on a secondary IP?

I'm *not* sure it's wrong - my experience is that this is one of the
least consistent things from one UNIX to another, in terms of how
attributes of secondary IPs are handled. On the other hand, I have
definitely seen similar setups cause problems with other OS and
software combinations. (Anything up to "knocking down" virtual web
servers on a totally different server!)

> The hassle is that now I get an "access denied" message when trying
> to surf the net from any of my PCs. I have made no changes to my ACLs
> at all.

My best guess (and it's only a guess) is that this alias is somehow
changing what squid sees as the source IPs or ports on your connection.
Squid *may* be accepting the connections via the 196.22.56.4 address
and bypassing some of the transparent processing in ipnat or ipfw.

I'd say this calls for massive playing around with it until you've
figured it out. ;-)

Things to try:
  - Take off the secondary IP and make Bind8 use your primary IP (this
    should definitely work.)
  - Try a /32 netmask on the secondary IP (255.255.255.255).
  - Try binding the secondary IP to the loopback address instead of the
    LAN card (also with a secondary IP.)

  -- Clifton

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
      The named which can be named is not the Eternal named.
Received on Tue Mar 14 2000 - 12:42:40 MST
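The netmask point raised above, as an added configuration check that is not part of the original thread: it scans FreeBSD-style ifconfig output and flags any alias (secondary inet address) whose netmask is not /32, which is the setting the reply suggests. The ifconfig text below is constructed, not output from the poster's box.

```shell
#!/bin/sh
# Constructed sample of `ifconfig fxp0` output (not real output from the
# box in the thread): primary address plus the alias from the post, with
# the broad netmask the poster used. FreeBSD prints netmasks in hex.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 196.22.56.2 netmask 0xffffff80 broadcast 196.22.56.127
        inet 196.22.56.4 netmask 0xffffff80 broadcast 196.22.56.127
        ether 00:00:00:00:00:00'

# Same interface after applying the suggested /32 mask on the alias
# (constructed): "ifconfig fxp0 196.22.56.4 netmask 255.255.255.255 alias".
FIXED_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 196.22.56.2 netmask 0xffffff80 broadcast 196.22.56.127
        inet 196.22.56.4 netmask 0xffffffff broadcast 196.22.56.4
        ether 00:00:00:00:00:00'

# check_alias_masks: read ifconfig text on stdin and print one warning per
# secondary inet address whose netmask is not /32. The first inet line is
# taken to be the primary address and is left alone.
check_alias_masks() {
    awk '
        $1 == "inet" {
            n++
            if (n == 1) next              # primary address: any mask is fine
            mask = ""
            for (i = 1; i <= NF; i++) if ($i == "netmask") mask = $(i + 1)
            if (mask != "0xffffffff" && mask != "255.255.255.255")
                printf "alias %s has netmask %s (expected /32)\n", $2, mask
        }'
}

# count_bad_aliases: number of aliases flagged in the given ifconfig text.
count_bad_aliases() {
    printf '%s\n' "$1" | check_alias_masks | wc -l | tr -d ' '
}

# Run against both samples: the first prints one warning, the second none.
printf '%s\n' "$SAMPLE_IFCONFIG" | check_alias_masks
printf '%s\n' "$FIXED_IFCONFIG" | check_alias_masks
```

On a live box, pipe `ifconfig fxp0 | check_alias_masks` instead of the constructed samples.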