From owner-freebsd-questions Tue Jul 24 16: 5:46 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from jezebel.demon.co.uk (jezebel.demon.co.uk [158.152.38.143]) by hub.freebsd.org (Postfix) with ESMTP id 5989737B408 for ; Tue, 24 Jul 2001 16:05:42 -0700 (PDT) (envelope-from rdls@jezebel.demon.co.uk)
Received: (from rdls@localhost) by jezebel.demon.co.uk (8.11.1/8.11.1) id f6ON2rm01317; Wed, 25 Jul 2001 00:02:53 +0100 (BST) (envelope-from rdls)
Date: Wed, 25 Jul 2001 00:02:53 +0100
From: Richard Smith
To: MurrayTaylor
Cc: freebsd-questions@freebsd.org
Subject: Re: Ipfw and DNS on point to point link
Message-ID: <20010725000252.B1118@gaia.home.rdls.net>
References: <01cf01c1141f$e69a5420$2a7627cb@bytecraft.au.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <01cf01c1141f$e69a5420$2a7627cb@bytecraft.au.com>; from taylorm@bytecraftsystems.com on Tue, Jul 24, 2001 at 07:06:18PM +1000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Jul 24, 2001 at 07:06:18PM +1000, MurrayTaylor wrote:
> Given that my DNS server is on the end of a frame relay
> point to point link which has a particular IP number set and I
> have a Public IP number range assigned which I am using
> for my hosts, should I block all DNS udp and tcp to the external
> address?
>
> I currently have ipfw rules to allow both addresses to be
> visible and I seem to get traffic to both, although the external one
> gets most by quite a large margin.
>
> The public IP is the official DNS address.
>
>                  (ext) +-----------+ (int)
> x.y.z.1 ------- x.y.z.2| ext   int| a.b.c.1 ------- a.b.c.0/25 lan
>                        |           |
>                        +-----------+
>
> The box is my DNS master server, with an offsite secondary at my ISP.
> There is no reference to the x.y.z.2 number in any DNS records.
> However historically the x.y.z IP nos were allowed through the ipfw rules
> and obviously some traffic has attached itself to the x.y.z numbers in the
> past.
>
> So - can anyone see any good reason to hold open the x.y.z numbers?

When the DNS server originates traffic on the external interface, it will
use x.y.z.2 as the source address, as that is the address assigned to that
interface.

Rich.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
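An ipfw rule set for the topology in this thread, added here as an example and not taken from either post: queries are accepted on the published address a.b.c.1, the server's own outbound lookups (which leave with x.y.z.2 as source, as Rich notes) and their replies are permitted, and DNS aimed directly at the unpublished link address is dropped and logged. The external interface name ext0 is assumed, and FWCMD defaults to a dry run that only prints the ipfw commands.

```shell
#!/bin/sh
# Constructed ipfw rule set for the frame-relay DNS host in the thread (example code).
# Assumptions (not from the posts): external interface is "ext0"; x.y.z.2 is the
# point-to-point link address; a.b.c.1 is the published DNS address.
# FWCMD defaults to a dry run that prints the rules; set FWCMD=/sbin/ipfw to load them.
FWCMD=${FWCMD:-"echo ipfw"}
EXT_IF=${EXT_IF:-ext0}
P2P_ADDR=${P2P_ADDR:-x.y.z.2}
PUB_DNS=${PUB_DNS:-a.b.c.1}

dns_rules() {
    # Published DNS address: accept queries from anywhere over UDP and TCP.
    $FWCMD add 1000 allow udp from any to "$PUB_DNS" 53 in via "$EXT_IF"
    $FWCMD add 1010 allow tcp from any to "$PUB_DNS" 53 in via "$EXT_IF" setup
    # Lookups the server itself originates leave with the link address as source,
    # so their replies come back to x.y.z.2 and must be let in.
    $FWCMD add 1020 allow udp from "$P2P_ADDR" to any 53 out via "$EXT_IF"
    $FWCMD add 1030 allow udp from any 53 to "$P2P_ADDR" in via "$EXT_IF"
    $FWCMD add 1040 allow tcp from "$P2P_ADDR" to any 53 out via "$EXT_IF" setup
    $FWCMD add 1050 allow tcp from any 53 to "$P2P_ADDR" in via "$EXT_IF" established
    # Nothing legitimate should query the unpublished link address: drop and log it
    # so any lingering clients still using x.y.z.2 show up in the firewall log.
    $FWCMD add 1060 deny log udp from any to "$P2P_ADDR" 53 in via "$EXT_IF"
    $FWCMD add 1070 deny log tcp from any to "$P2P_ADDR" 53 in via "$EXT_IF"
}

dns_rules
```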