/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */


Felipe Vilarinho wrote:

> Hi everyone!
> 
> I have a LAN that has a Firewall to distribute packets from the Internet
> over my LAN. The Firewall also masquerades the machines behind it. Now comes
> my problem! Is there ANY possibility of a DNS server that is behind the
> Firewall becoming public for the Internet? I did some experiments with that
> but none of them work. Can someone help me?
> 
> My Firewall settings:
> 
> ipchains -P forward DENY
> ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0
> ipmasqadm portfw -f
> ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53

it's not a good idea. any public server should be in
a perimeter network or "demilitarised zone" outside your
main firewall. of course, there should also be another
firewall between the perimeter network and the outside
world.

um, that script doesn't look like a firewall. if that's
all of the script, then your input and output policies
are still ACCEPT which makes it a masquerading host not
a firewalling host. assuming that you want to keep it that
way, the only thing wrong that i can see is that you've
forgotten the udp port forwarding. almost all dns traffic
is udp, not tcp (i think only zone transfers (and maybe
replies containing large amounts of data) use tcp).

so add:

  ipmasqadm portfw -a -P udp -L $PUBLICIP 53 -R $LOCALIP 53

note, you also have to make sure that your name server is
only using port 53 as its source port. old versions of bind
did that, newer ones don't by default but they can be made
to. see the doco for your name server for details.

raf
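
Added example, not part of raf's reply or anything else in this thread: a small Python lint that reads a firewall script of the form posted above and reports the two problems the reply points out (no explicit input/output policy, and a port 53 forward that covers tcp but not udp). The sample script is the one from the question; the `NEEDS_BOTH` table and the function names are my own.

```python
import shlex

# Constructed sample input: the firewall script exactly as posted in the question.
SAMPLE_SCRIPT = """\
ipchains -P forward DENY
ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53
"""
# Ports whose forward must cover both protocols (my own table; dns is the page's case).
NEEDS_BOTH = {"53": "dns"}


def parse(script):
    """Return ({chain: POLICY}, {(proto, local_port)}) from the script's
    'ipchains -P' and 'ipmasqadm portfw -a' lines; everything else is ignored."""
    policies, rules = {}, set()
    for line in script.splitlines():
        argv = shlex.split(line, comments=True)
        if argv[:2] == ["ipchains", "-P"] and len(argv) >= 4:
            policies[argv[2]] = argv[3].upper()
        elif argv[:3] == ["ipmasqadm", "portfw", "-a"]:
            proto = port = None
            i = 3
            while i < len(argv):
                if argv[i] == "-P":                # -P <proto>
                    proto, i = argv[i + 1].lower(), i + 2
                elif argv[i] in ("-L", "-R"):      # -L/-R <addr> <port>, two arguments each
                    port = argv[i + 2] if argv[i] == "-L" else port
                    i += 3
                else:
                    i += 1
            if proto and port:
                rules.add((proto, port))
    return policies, rules


def lint(script):
    """Return a list of findings; an empty list means both checks pass."""
    policies, rules = parse(script)
    # ipchains built-in chains default to ACCEPT, so a missing -P line is a finding.
    findings = [f"{chain} chain has no explicit policy (ipchains default is ACCEPT)"
                for chain in ("input", "output", "forward") if chain not in policies]
    for port, name in NEEDS_BOTH.items():
        have = {proto for proto, p in rules if p == port}
        missing = {"tcp", "udp"} - have
        if have and missing:              # forwarded, but not for every protocol dns uses
            findings.append(f"port {port} ({name}) forwarded for {'/'.join(sorted(have))} "
                            f"only; add a {'/'.join(sorted(missing))} rule")
    return findings
```

Calling `lint(SAMPLE_SCRIPT)` flags the missing input/output policies and the tcp-only port 53 forward; appending the udp rule from the reply clears the port 53 finding.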

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]