Mailinglist Archive: opensuse-security (636 mails)

< Previous Next >
Re: [suse-security] Firewall
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Mon, 12 Feb 2001 23:55:58 +1100
  • Message-id: <5.0.2.1.0.20010212235306.00a83438@xxxxxxxxxxxxxxxxxxxx>
At 08:34 PM 12/02/2001, you wrote:
Hi everyone!

I have a LAN that has a Firewall to distribute packets from the Internet
over my LAN. The Firewall also masquerade the machines behind it. Now come
my problem! Has it ANY possibilities of a DNS server that is behind the
Firewall becomes public for the Internet? I do some experience about that
but no one works. Some one can help me?

My Firewall settings:

ipchains -P forward DENY
ipchains -A forward -j MASQ -s $LOCALNET -d $INTERNET -i eth0
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $PUBLICIP 53 -R $LOCALIP 53

The short answer is that this is not currently feasible on Linux.

The longer answer involves altering DNS packets as per a previous
post.
In anycase DNS is almost entirely UDP not TCP and your rules are
forwarding tcp only.
TCP port 53 is basically only used for large zone transfers between
DNS servers, not for everyday DNS lookups

I would suggest you run bind chrooted on the firewall itself.
if you're feeling like compiling, then have a look at dents or djbdns

Hope that helps


---
Nix - nix@xxxxxxxxxxxxxxxx
http://www.susesecurity.com


< Previous Next >
References