Hi everyone!

I have a LAN that has a Firewall to distribute packets from the Internet over my LAN. The Firewall also masquerades the machines behind it. Now comes my problem! Is there ANY possibility that a DNS server behind the Firewall becomes public to the Internet? I did some experiments on that but none of them work. Can someone help me?

My Firewall settings:

ipchains -P forward DENY                                        # default policy: forward nothing
ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0    # masquerade LAN -> Internet traffic
ipmasqadm portfw -f                                             # flush existing port forwards
ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53        # forward public TCP port 53 to the internal DNS server
If that DNS server has a public IP then put it in a DMZ...

Felipe Vilarinho wrote:
Hi everyone!
I have a LAN that has a Firewall to distribute packets from the Internet over my LAN. The Firewall also masquerades the machines behind it. Now comes my problem! Is there ANY possibility that a DNS server behind the Firewall becomes public to the Internet? I did some experiments on that but none of them work. Can someone help me?
My Firewall settings:
ipchains -P forward DENY
ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--
Jussi Jääskeläinen
Audio Riders Oy
Järvihaantie 4
FIN-01800 KLAUKKALA
FINLAND
Email: jussi.jaaskelainen@audioriders.fi
Tel: +358-9-276 6820, direct: +358-9-276 68212
Mobile: +358-40-554 3689
Fax: +358-9-879 8045
WWW: http://www.audioriders.fi
Do you do NAT / PAT ??

-----Original Message-----
From: Jussi Jääskeläinen [mailto:jussi.jaaskelainen@audioriders.fi]
Sent: Monday, February 12, 2001 10:40 AM
To: Felipe Vilarinho
Cc: suse-security@suse.com
Subject: Re: [suse-security] Firewall

If that DNS-server has public IP then put it in DMZ...
At 08:34 PM 12/02/2001, you wrote:
Hi everyone!
I have a LAN that has a Firewall to distribute packets from the Internet over my LAN. The Firewall also masquerades the machines behind it. Now comes my problem! Is there ANY possibility that a DNS server behind the Firewall becomes public to the Internet? I did some experiments on that but none of them work. Can someone help me?
My Firewall settings:
ipchains -P forward DENY
ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53
The short answer is that this is not currently feasible on Linux. The longer answer involves altering DNS packets as per a previous post.

In any case, DNS is almost entirely UDP, not TCP, and your rules are forwarding TCP only. TCP port 53 is basically only used for large zone transfers between DNS servers, not for everyday DNS lookups.

I would suggest you run bind chrooted on the firewall itself. If you're feeling like compiling, then have a look at dents or djbdns.

Hope that helps

---
Nix - nix@susesecurity.com
http://www.susesecurity.com
High, ...
My Firewall settings:
ipchains -P forward DENY
ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53
Don't forget that DNS queries are UDP, not TCP. But you still need TCP for zone transfers (if you really want and need them).

Greetings,
Stefan
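Both Nix's and Stefan's replies make the same point: the posted ipmasqadm rule forwards TCP port 53 only, while ordinary resolver queries travel over UDP, with TCP used when an answer is truncated or for zone transfers. The Python below is an added illustration of that point and is not code from any post in this thread; it models the quoted rule set as a toy port forwarder (a constructed stand-in for ipmasqadm, not the real tool), builds a real DNS query, and shows which lookups get through with and without a UDP rule. The internal address 192.168.1.2 and the `corrected_rules` variant that adds a UDP forward are assumptions for the demonstration, not something the thread confirms works on the poster's setup.

```python
"""Model of why a TCP-only port forward on port 53 leaves a DNS server unreachable.

Constructed example: it imitates the ipmasqadm portfw rules quoted in the
thread and a resolver's UDP-first, TCP-on-truncation behaviour in plain
Python. Nothing here talks to a real firewall or network.
"""
import struct

DNS_PORT = 53
UDP_MAX_PAYLOAD = 512   # RFC 1035 size limit for a DNS message over UDP (without EDNS)

FLAG_QR = 0x8000        # message is a response
FLAG_TC = 0x0200        # response was truncated: the client should retry over TCP
FLAG_RD = 0x0100        # recursion desired


def build_query(name, txid=0x1234, qtype=1):
    """Encode a minimal DNS query for `name` (type A by default)."""
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def transport_for_reply(reply):
    """Resolver rule: stay on UDP unless the server set TC, then retry over TCP."""
    return "tcp" if parse_header(reply)["tc"] else "udp"


class PortForwarder:
    """Toy stand-in (assumption) for `ipmasqadm portfw -a -P <proto> -L <pub> <port> -R <local> <port>`."""

    def __init__(self):
        self.rules = []   # (proto, public_port, local_ip, local_port)

    def add(self, proto, public_port, local_ip, local_port):
        self.rules.append((proto.lower(), public_port, local_ip, local_port))

    def route(self, proto, dst_port):
        """Return (local_ip, local_port) for a matching rule, or None if the packet is dropped."""
        for r_proto, r_port, local_ip, local_port in self.rules:
            if r_proto == proto.lower() and r_port == dst_port:
                return (local_ip, local_port)
        return None


def thread_rules(local_ip):
    """The rule set from the original post: TCP 53 only."""
    fw = PortForwarder()
    fw.add("tcp", DNS_PORT, local_ip, DNS_PORT)
    return fw


def corrected_rules(local_ip):
    """Same rules plus a UDP forward so ordinary queries reach the server (assumed fix)."""
    fw = thread_rules(local_ip)
    fw.add("udp", DNS_PORT, local_ip, DNS_PORT)
    return fw


def simulate_lookup(fw, name, truncated=False):
    """Push one lookup through the forwarder; return the transport that reached the server, or None."""
    query = build_query(name)
    if len(query) > UDP_MAX_PAYLOAD:
        raise ValueError("query too large for a single UDP datagram")
    if fw.route("udp", DNS_PORT) is None:
        return None   # the UDP query never reaches the internal server: the lookup times out
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    reply = struct.pack("!HHHHHH", parse_header(query)["id"], flags, 1, 0, 0, 0) + query[12:]
    transport = transport_for_reply(reply)
    if transport == "tcp" and fw.route("tcp", DNS_PORT) is None:
        return None   # truncated answer but no TCP path: the retry is dropped too
    return transport


if __name__ == "__main__":
    local = "192.168.1.2"   # constructed address for the internal DNS server
    print("posted rules, ordinary query :", simulate_lookup(thread_rules(local), "example.com"))
    print("with UDP rule, ordinary query:", simulate_lookup(corrected_rules(local), "example.com"))
    print("with UDP rule, truncated     :", simulate_lookup(corrected_rules(local), "example.com", truncated=True))
```

Running it prints `None` for the posted rule set (the UDP query is dropped at the firewall, so the client simply times out), `udp` once a UDP forward is present, and `tcp` only when the modelled server flags its answer as truncated, which is the case both replies describe for zone transfers and oversized responses.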
participants (5)
- Felipe Vilarinho
- Jussi Jääskeläinen
- Markus Schmid
- Nix
- Stefan Nauber