/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


raf wrote:

> Felipe Vilarinho wrote:
> 
> > Hi everyone!
> > 
> > I have a LAN that has a Firewall to distribute packets from the Internet
> > over my LAN. The Firewall also masquerades the machines behind it. Now comes
> > my problem! Is there ANY possibility of a DNS server that is behind the
> > Firewall becoming public to the Internet? I did some experiments with that,
> > but none of them work. Can someone help me?
> > 
> > My Firewall settings:
> > 
> > ipchains -P forward DENY
> > ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0
> > ipmasqadm portfw -f
> > ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53
> 
> it's not a good idea. any public server should be in
> a perimeter network or "demilitarised zone" outside your
> main firewall. of course, there should be another
> firewall between the perimeter network and the outside
> world.
> 
> um, that script doesn't look like a firewall. if that's
> all of the script, then your input and output policies
> are still ACCEPT, which makes it a masquerading host, not
> a firewalling host. assuming that you want to keep it that
> way, the only thing wrong that i can see is that you've
> forgotten the udp port forwarding. almost all dns traffic
> is udp, not tcp (i think only zone transfers (and maybe
> replies containing large amounts of data) use tcp).
> 
> so add:
> 
>   ipmasqadm portfw -a -P udp -L $PUBLICIP 53 -R $LOCALIP 53
> 
> note, you also have to make sure that your name server is
> only using port 53 as its source port. old versions of bind
> did that, newer ones don't by default but they can be made
> to. see the doco for your name server for details.

disregard this last paragraph. it only applies when you
actually have a firewall and strict dns rules.

raf
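The rule set the thread ends up with, put together as one script: the forward policy, the MASQ rule and the portfw entries from the original post, plus the udp forward that was missing. This is an added example, not code from either poster. The addresses, the interface name and the DRYRUN switch are assumptions; with DRYRUN=1 the script prints the commands instead of running them, so the set can be reviewed (or checked) on a box that has no ipchains at all.

```shell
#!/bin/sh
# Added example (not from the original thread): the ipchains/ipmasqadm rule
# set discussed above, with the UDP port forward that the original post
# lacked. All addresses and the interface name below are assumed values.

LOCALNET=192.168.1.0/24   # assumed: the masqueraded LAN
INTERNET=0.0.0.0/0        # assumed: "anywhere", what $INTERNET stood for
PUBLICIP=203.0.113.10     # assumed: address on the outside interface
LOCALIP=192.168.1.53      # assumed: the internal name server
EXTIF=eth0                # assumed: outside interface

# With DRYRUN=1 each command is printed instead of executed, so the rule
# set can be inspected before it touches a live host.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

masq_rules() {
    # default: forward nothing; then masquerade the LAN going out
    run ipchains -P forward DENY
    run ipchains -A forward -j MASQ -s "$LOCALNET" -d "$INTERNET" -i "$EXTIF"

    # start from an empty port-forwarding table
    run ipmasqadm portfw -f

    # DNS: queries are UDP; zone transfers and truncated replies fall back
    # to TCP, so both protocols must be forwarded to the internal server
    run ipmasqadm portfw -a -P udp -L "$PUBLICIP" 53 -R "$LOCALIP" 53
    run ipmasqadm portfw -a -P tcp -L "$PUBLICIP" 53 -R "$LOCALIP" 53
}

# Given a rule listing (e.g. the DRYRUN output), return 0 only when port 53
# is forwarded for BOTH udp and tcp, 1 otherwise. This is the check that
# would have caught the original post's missing udp line.
dns_forwarded_both_ways() {
    rules="$1"
    for proto in udp tcp; do
        echo "$rules" | grep -qF -- "portfw -a -P $proto -L $PUBLICIP 53 -R $LOCALIP 53" \
            || return 1
    done
    return 0
}

case "${1:-}" in
    show)  DRYRUN=1; masq_rules ;;   # print the rule set
    apply) masq_rules ;;             # load it (needs root and a 2.2 kernel)
esac
```

Run it as `sh masq-dns.sh show` to see the commands, and `sh masq-dns.sh apply` on the masquerading host; `ipmasqadm portfw -l` afterwards lists what the kernel actually holds. The input and output chains are left at their default ACCEPT policy here, exactly as in the thread; that is what makes this a masquerading host rather than a firewall.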

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.