Hi,

On 28 Mar 2001, at 7:32, Ashley wrote:
> I'm still learning. Can you clarify for me about DNS on your packet filter? What I gather from your idea here is this:
There are three different scenarios: the first one is the (probably more common) situation where a private network behind a firewall has workstations that need to be connected to the internet. The second is one or more servers that need to be accessible from the internet. The third one is the server that needs to be accessible from the internet and the private network. All three scenarios have different requirements for the firewall.
> - no nameserver runs on the filter.
> - the resolver on the filter does not point to internal (or DMZ even) nameservers.
> - /etc/hosts on filter lists localhost only.
That is right for the first scenario.
> Does the packet filter need access to any nameservice at all?
I cannot see any reason why the packet filter needed DNS access from the security point of view. It might be convenient to resolve IP addresses of the log files, but that reduces security if it is done on the packet filter.

There are even other things to be considered. Like for some installations it may be a requirement that the access to or from the internet must not be interrupted. In such cases an intruder with root rights must not have access to commands like rm, umount, shutdown, etc. This may not be too difficult for an installation with 24x7 onsite service, as such commands can be kept on a removable medium that is only plugged in and mounted when needed, but to remotely administrate such a system requires intensive preparations like a remote controlled medium loader. In other installations it may be convenient at a trace of a break-in to automatically shut down the firewall computer, as the integrity of the internal data may be more valuable than the permanent internet access.

mike
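The three properties Ashley listed (no nameserver on the filter, resolver not pointing at internal or DMZ nameservers, /etc/hosts with localhost only) can be audited on the filter host with a small script. This is an added example, not from the thread; it assumes RFC 1918 ranges are the internal/DMZ address space and Linux-style `netstat -an` or `ss -lntu` output, and takes the file contents as arguments so it can be checked offline.

```shell
#!/bin/sh
# Added example: audit a packet filter host for the "no DNS on the filter"
# rule. Inputs are passed as strings so the checks can run offline.

# Check 1: does any "nameserver" line in resolv.conf ($1) point at an
# internal/DMZ address?  RFC 1918 ranges are assumed to be internal.
# Returns 0 if an internal nameserver is configured (bad), 1 otherwise.
resolv_points_internal() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" {
            if ($2 ~ /^10\./ || $2 ~ /^192\.168\./ ||
                $2 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) bad = 1
        }
        END { exit bad ? 0 : 1 }'
}

# Check 2: does /etc/hosts ($1) list only loopback entries?
# Comment and blank lines are ignored. Returns 0 if localhost only.
hosts_localhost_only() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        !($1 ~ /^127\./ || $1 == "::1") { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Check 3: is anything listening on port 53?  $1 is netstat/ss output; a
# local address column ending in ":53" or ".53" counts as a DNS listener.
dns_listener_present() {
    printf '%s\n' "$1" | grep -Eq '[:.]53[[:space:]]'
}

# Run all three checks; prints each failure and returns 1 if any fails.
audit_filter() {
    rc=0
    if resolv_points_internal "$1"; then
        echo "FAIL: resolver points at an internal/DMZ nameserver"; rc=1
    fi
    if ! hosts_localhost_only "$2"; then
        echo "FAIL: /etc/hosts lists more than localhost"; rc=1
    fi
    if dns_listener_present "$3"; then
        echo "FAIL: something is listening on port 53"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no DNS on the filter"
    return $rc
}

# Live run on the filter itself (paths and netstat assumed to exist):
# audit_filter "$(cat /etc/resolv.conf)" "$(cat /etc/hosts)" "$(netstat -an)"
```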