Mailing List SIMS@mail.stalker.com Message #9561
From: Michael A. Pasek <mike001@michael-pasek.com>
Subject: Re: "your name is not...."
Date: Sat, 10 Nov 2001 08:25:56 -0600
To: <SIMS@mail.stalker.com>
In SIMS Digest #1540, Bill Cole <listbill@scconsult.com> wrote:
[stuff deleted]
BUT IT IS!  The IP address in the packet (10.10.20.1) resolves correctly
to that name.

But whoever owns that domain says that its address is 216.17.75.210.

(I am guessing that might be you...)

Yes, it is.  Because I'm running a split DNS, for _you_ "lalonde" resolves
to 216.17.75.210.  From where I -- and SIMS -- sit (internally), "lalonde"
resolves to 10.10.10.1.

SIMS doesn't do reverse lookups, because reverse lookups are generally
meaningless. SIMS already knows that you are using that IP address, so there's
a reasonably good chance that you can make the reverse lookup say whatever you
want it to say. The HELO argument check is a forward lookup to verify whether
you MIGHT be lying about your name: if it checks out then it is certain that
whoever controls the name agrees with the user of the IP address on that
mapping.

Ah, of course!  It is my current architecture that causes this......

Because I foresee a day when I will have more machines on "internal"
network, I wanted to set up the IP addressing such that when I _do_ stick
a router in place between my firewall and other "internal" network segments,
I won't have to go around and re-do the TCP/IP settings on all my Macs.
To accomplish this, the firewall itself (which is also my DNS server) is
10.10.10.1.  I plan on having the interface of the (future) router on
the side that "faces" the firewall be 10.10.10.2, and the interface on
the side that "faces" the "internal" network be 10.10.20.1.  So, in
TCP/IP settings, the DNS server is 10.10.10.1, and the gateway is 10.10.20.1.

Since I don't have that router yet, 10.10.20.1 is an alias IP address on
the "internal" interface of the firewall.  And that explains why I'm
getting the message;  the internal DNS resolves "lalonde.michael-pasek.net"
to 10.10.10.1 (its _native_ address), while the SIMS box sees 10.10.20.1
(the firewall TCP/IP software, if there are multiple IP addresses for an
interface, will use the one most appropriate as the source -- since I'm
sending to SIMS at 10.10.20.2, it will use the 10.10.20.1 address as the
source, rather than its native 10.10.10.1).

[intervening stuff deleted]

Given your protected situation, SIMS 1.7 is not broken (since the only changes
I can recall are meaningless to a protected machine) but the upgrade takes
about 20 seconds longer than the download time. And it won't change this
behavior.

Actually, I've already downloaded it, just haven't upgraded it yet.

Thanks for your on-the-mark response, Bill!

Michael A. Pasek
Pasek Consulting, Inc.
9741 Foley Boulevard NW
Coon Rapids, MN  55433-5616
(612) 597-5977
mike001@michael-pasek.com
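
The HELO forward-lookup check discussed in this message, as an added example (not part of the original post and not SIMS code; how SIMS implements the check internally is not shown on this page). The zone tables are constructed from the addresses in the message, `FIXED_ZONE` is a hypothetical internal view that also lists the alias address, and `check_helo`, `resolve_a` and `zone_resolver` are illustrative names.

```python
import ipaddress
import socket

def resolve_a(name):
    """Forward lookup through the system resolver: IPv4 addresses for name."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_helo(helo_name, peer_ip, resolver=resolve_a):
    """Compare a HELO argument with the connection's source IP; return (ok, reason)."""
    peer = ipaddress.ip_address(peer_ip)
    # Address-literal form such as [10.10.20.1]: compare directly, no DNS involved.
    if helo_name.startswith("[") and helo_name.endswith("]"):
        try:
            literal = ipaddress.ip_address(helo_name[1:-1])
        except ValueError:
            return False, "malformed address literal"
        if literal == peer:
            return True, "literal matches peer"
        return False, "literal does not match peer"
    # Forward lookup only: the owner of the name must list the peer's address.
    addrs = {ipaddress.ip_address(a) for a in resolver(helo_name.rstrip("."))}
    if not addrs:
        return False, "name does not resolve"
    if peer in addrs:
        return True, "peer address is among the name's addresses"
    return False, "name resolves to %s, peer is %s" % (sorted(map(str, addrs)), peer)

# Constructed data: the internal split-DNS view described in the message.
INTERNAL_ZONE = {"lalonde.michael-pasek.net": {"10.10.10.1"}}
# Hypothetical internal view that also publishes the alias address.
FIXED_ZONE = {"lalonde.michael-pasek.net": {"10.10.10.1", "10.10.20.1"}}

def zone_resolver(zone):
    """Build a resolver over an in-memory zone so the example runs offline."""
    return lambda name: zone.get(name.lower(), set())

if __name__ == "__main__":
    # The firewall sources the connection from its alias 10.10.20.1.
    for zone in (INTERNAL_ZONE, FIXED_ZONE):
        print(check_helo("lalonde.michael-pasek.net", "10.10.20.1", zone_resolver(zone)))
```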
