Date:      Wed, 25 Jul 2001 00:02:53 +0100
From:      Richard Smith <rdls@satamatics.com>
To:        MurrayTaylor <taylorm@bytecraftsystems.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Ipfw and DNS on point to point link
Message-ID:  <20010725000252.B1118@gaia.home.rdls.net>
In-Reply-To: <01cf01c1141f$e69a5420$2a7627cb@bytecraft.au.com>; from taylorm@bytecraftsystems.com on Tue, Jul 24, 2001 at 07:06:18PM +1000
References:  <01cf01c1141f$e69a5420$2a7627cb@bytecraft.au.com>

On Tue, Jul 24, 2001 at 07:06:18PM +1000, MurrayTaylor wrote:
> Given that my DNS server is on the end of a frame relay
> point to point link which has a particular IP number set and I
> have a Public IP number range assigned which I am using
> for my hosts, should I block all DNS udp and tcp to the external
> address?
> 
> I currently have ipfw rules to allow both addresses to be
> visible and I seem to get traffic to both, although the external one
> gets most by quite a large margin.
> 
> The public IP is the official DNS address.
> 
>          (ext)          +-------------+          (int)
> x.y.z.1 ------- x.y.z.2 | ext     int | a.b.c.1 ------- a.b.c.0/25 lan
>                         |             |
>                         +-------------+
> 
> The box is my DNS master server, with an offsite secondary at my ISP.
> There is no reference to the x.y.z.2 number in any DNS records.
> However historically the x.y.z IP nos were allowed through the ipfw rules
> and obviously some traffic has attached itself to the x.y.z numbers in the
> past.
> 
> So - can anyone see any good reason to hold open the x.y.z numbers?

When the DNS server originates traffic on the external interface,
it will use x.y.z.2 as the source address, as that is the address
assigned to that interface.

Rich.
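
An ipfw rule fragment illustrating the point in the reply above, added here as an example and not part of the original message or thread. The addresses x.y.z.2 and a.b.c.1 are the placeholders used in the thread; the interface name `ext0` and the rule numbers are assumptions.

```ipfw
# Constructed example. x.y.z.2 = address on the frame relay link,
# a.b.c.1 = published DNS address, ext0 = hypothetical external interface.

# Match packets against dynamic rules created by keep-state below.
add 1000 check-state

# Queries and zone transfers the DNS server itself originates leave the
# external interface with source x.y.z.2. keep-state admits only the
# replies that belong to those exchanges.
add 1100 allow udp from x.y.z.2 to any 53 out xmit ext0 keep-state
add 1110 allow tcp from x.y.z.2 to any 53 out xmit ext0 setup keep-state

# Inbound DNS to the published address, with state for the answers.
add 1200 allow udp from any to a.b.c.1 53 in recv ext0 keep-state
add 1210 allow tcp from any to a.b.c.1 53 in recv ext0 setup keep-state

# Unsolicited DNS aimed at the link address is dropped and logged, which
# also shows how much traffic still targets x.y.z.2.
add 1300 deny log udp from any to x.y.z.2 53 in recv ext0
add 1310 deny log tcp from any to x.y.z.2 53 in recv ext0
```

A blanket deny on all DNS traffic involving x.y.z.2 placed ahead of rules 1100 and 1110 would also drop the replies to the server's own outbound lookups.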
