[Discuss] web server can't see out but others can see in
Edward Ned Harvey (blu)
blu at nedharvey.com
Thu Sep 27 14:17:11 EDT 2012
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Eric Chadbourne
>
> eric at webserver1:~$ ping google.com
> ping: unknown host google.com
That's a pretty conclusive dns failure...
> eric at webserver1:~$ ping 173.194.43.38
> PING 173.194.43.38 (173.194.43.38) 56(84) bytes of data.
> < hangs forever here >
I don't know what that IP address is, but it should be pingable. The failure to reply certainly indicates an ICMP failure as well as DNS failure...
> eric at webserver1:~$ ping 10.0.0.15
Oh dear. You should never use the 0 or 255 networks either. While this is OK sometimes, the problem is: some devices just assume a netmask derived from the zeros, or just assume a broadcast because of the 255. I had this situation (granted, 10 years ago) where my boss gave me a router, told me to configure the following networks (insert network diagram here). It was a Cisco router, and the syntax for creating the routes did not allow me to explicitly specify the netmask - the 10.0.0.0 was implied to be 10.0.0.0/8, while 10.1.1.0 was implied to be 10.1.1.0/24. Hopefully this sort of thing is becoming antiquated and phased out in the modern day.
> eric at webserver1:/etc$ sudo tail -100 resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 4.4.8.8
> nameserver 8.8.8.8
Google's nameservers are 8.8.8.8 and 8.8.4.4.
That's a typo.
Still, I think it's safe to conclude that your firewall is blocking both outbound ICMP and DNS.
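
Added example, not part of the original message: a small Python check that reads resolv.conf text and flags nameserver entries whose octets are a reordering of a known public resolver, which is the mistake pointed out above (4.4.8.8 instead of 8.8.4.4). The function names and the sample text are constructed for illustration; the only resolver addresses assumed are the two Google ones named in the reply.

```python
import ipaddress

# Google Public DNS addresses, as stated in the reply above.
KNOWN_RESOLVERS = ("8.8.8.8", "8.8.4.4")

# Constructed sample: the resolv.conf entries quoted in the thread.
SAMPLE = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 4.4.8.8
nameserver 8.8.8.8
"""

def parse_nameservers(text):
    """Return the nameserver values in file order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def lint_nameservers(text, known=KNOWN_RESOLVERS):
    """Return (server, finding) pairs for entries that look wrong."""
    findings = []
    for server in parse_nameservers(text):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "not a valid IP address"))
            continue
        if server in known:
            continue
        # Same octets as a known resolver but in a different order: likely a typo.
        for good in known:
            if sorted(server.split(".")) == sorted(good.split(".")):
                findings.append((server, "octets transposed, did you mean " + good + "?"))
                break
    return findings

if __name__ == "__main__":
    for server, finding in lint_nameservers(SAMPLE):
        print(server + ": " + finding)
```

A clean result here only rules out this one class of typo; it says nothing about whether outbound DNS or ICMP is being filtered.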