Date:      Sat, 28 Aug 1999 00:47:06 +0300
From:      Evren Yurtesen <yurtesen@ispro.net.tr>
To:        Nathan Hackett <zhackett@tus.ssi1.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Firewall protected name server?
Message-ID:  <37C70759.DA7EB9D1@ispro.net.tr>
References:  <37C7011F.CE378E71@tus.ssi1.com>

I am not a firewall expert, but you should give your firewall's IP address
in the name records, and all the packets coming to your firewall machine on the
named port should be forwarded to the DNS machine inside the firewall.
That machine should be configured the same as you would if it were
not behind the firewall, except that it should have a non-real IP address...
There is an option in ipfw for forwarding packets, as far as I know.

Would you let me know if this kind of approach works?
I may try to implement this later in our network too.

Evren

Nathan Hackett wrote:

> I am trying to achieve the following network topology.  The man
> page for route leads me to believe that this is possible using the -interface
> option, but all attempts to make this work have failed. X.Y.Z represents
> the public network subnet.  The only addresses on this subnet that
> are available here are X.Y.Z.50, X.Y.Z.51, and X.Y.Z.52 (.52 not used in this
> example).
>
>         (The Internet)
>              |
>         World Router
>           X.Y.Z.1
>           (Cisco)
>              |          |                       |          |
>              +----------+----------+------------+----------+  Public network
>                                    |
>                                   ed1
>                                X.Y.Z.50
>                                 FreeBSD
>                                 Firewall
>                                10.0.0.1
>                                   vr0
>                                    |
>            +-----------+-----+-----+-----+-----+-----+-----+  Unregistered Private network
>            |           |     |     |     |     |     |     |
>           ed1
>         X.Y.Z.51
>           NS1
>         FreeBSD
>         Name server
>
> The trick is that the name server needs to be addressable from the
> world, but protected behind the firewall also.  All other clients on the
> Unregistered network are 10.0.0.x.  How do I set up the routing in the
> firewall so that packets for X.Y.Z.51 go through vr0 and not ed1 like
> the netmask for ed1 would imply?  What should the ifconfig and route
> entries in the rc.conf files look like for both the firewall and the
> name server?
>
> Also, some more information about what the -interface option to the
> route command really does would be nice.  It does not seem to work as
> advertised in the man page and in all the research I have done through
> the mailing list archives, the answer is always "fix the netmask", but
> this does not help my understanding of the -interface option.
>
> Thanks,
>
> /Nathan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message


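The routing question in Nathan's post comes down to longest-prefix matching: the /24 netmask on ed1 makes the firewall believe all of X.Y.Z.0/24, including X.Y.Z.51, is directly on the public segment, and a more specific /32 route via vr0 overrides that without touching ed1's netmask. The following added example (not code from either poster, and not FreeBSD's routing code) models the firewall's forwarding decision with Python's ipaddress module; 192.0.2.0/24 (RFC 5737 TEST-NET-1) stands in for X.Y.Z, and every address and interface name in it is constructed to match the diagram.

```python
"""Longest-prefix-match route lookup for the firewall in the thread.

Added illustration, not FreeBSD's routing code and not a configuration
from the original post. 192.0.2.0/24 (RFC 5737 TEST-NET-1) stands in for
the X.Y.Z public subnet; every address here is constructed.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_interface, ip_network

# next_hop is None when the destination is directly reachable on iface.
Route = namedtuple("Route", "network iface next_hop")

FIREWALL_INTERFACES = [
    ("ed1", "192.0.2.50/24"),  # public side; X.Y.Z.50 in the post
    ("vr0", "10.0.0.1/24"),    # private side
]
UPSTREAM_ROUTER = "192.0.2.1"  # the Cisco, X.Y.Z.1 in the post
NS1_PUBLIC = "192.0.2.51"      # the name server's address, X.Y.Z.51


def connected_routes(interfaces):
    """Routes implied by each interface's address and netmask. This is why
    the /24 on ed1 claims all of X.Y.Z.0/24, including the name server."""
    return [Route(ip_interface(addr).network, name, None)
            for name, addr in interfaces]


def firewall_table(with_host_route):
    """Build the firewall's table, optionally with the /32 exception that
    sends the name server's public address out the private interface
    (the effect of a -host route via vr0 on the firewall)."""
    table = [Route(ip_network("0.0.0.0/0"), "ed1", ip_address(UPSTREAM_ROUTER))]
    table += connected_routes(FIREWALL_INTERFACES)
    if with_host_route:
        table.append(Route(ip_network(NS1_PUBLIC + "/32"), "vr0", None))
    return table


def lookup(table, dst):
    """Longest-prefix match: among routes containing dst, the most specific
    prefix wins, regardless of the order the routes were added."""
    dst = ip_address(dst)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def egress_interface(dst, with_host_route=True):
    """Interface the firewall would use for a packet to dst."""
    route = lookup(firewall_table(with_host_route), dst)
    return route.iface if route else None


if __name__ == "__main__":
    for flag in (False, True):
        label = "with" if flag else "without"
        print(f"{label} host route: {NS1_PUBLIC} -> {egress_interface(NS1_PUBLIC, flag)}")
```

Without the host route the lookup for 192.0.2.51 picks ed1 (the connected /24 beats the default route), and with it the /32 picks vr0 while every other X.Y.Z address still leaves via ed1. That covers only the firewall's own forwarding decision: inbound, the upstream router still has to learn that X.Y.Z.51 sits behind X.Y.Z.50, either through a static route on the Cisco or by the firewall answering ARP for .51 on the public segment, and the name server needs a route back through 10.0.0.1.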
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37C70759.DA7EB9D1>