From owner-freebsd-isp Fri Mar 14 12:23:16 2003
Delivered-To: freebsd-isp@freebsd.org
From: "Mark Johnston" <mjohnston@skyweb.ca>
To: "'Dan Mahoney, System Admin'"
Cc: "'Tracy, John'", freebsd-isp@freebsd.org
Subject: Re: DNS Proxying based on source address
Date: Fri, 14 Mar 2003 14:28:40 -0600
Message-ID: <005901c2ea68$4d4633e0$be0fa8c0@MJOHNSTON>
In-Reply-To: <20030314133430.D39684-100000@prime.gushi.org>

> Well, okay, you've overlooked the basic issue I'm having with
> all of this.

Yes, that was deliberate. I was trying to solve your problem rather than answer your question. :)

From what I understand of your situation, messing around with DNS isn't necessary. Most things that people will want to do require TCP, so it seems reasonable to allow unrestricted UDP access. For instance, when an unregistered user boots up and heads to a web site, they'll resolve its real IP address, but the browser will still wind up with the registration page. The security hole involved in permitting UDP traffic seems comparable to the security hole inherent in the idea of trusting local users based on IP address.

[snip]

> reasonable, and what we want. But because there's no in-place
> connection, I STRONGLY SUSPECT that the responses will go more like
>
> alias ip port 53 - - - > client machine.

I'm afraid I don't have a spare box to test your suspicion on at the moment; you are probably better placed to find out for sure one way or another than I am. I only tested it personally using TCP.

[snip]

> this is the kicker, and the question I was asking about. Won't most
> clients ignore the udp traffic if it's coming from an ip they didn't
> make the request of? Remember, these are both reachable ip addresses
> bound to ed0 or whatnot. Would I need not only an:
>
> ipfw add fwd 192.168.1.2,53 from authorizedclientip/32 to mainip:32
>
> but also some means of rewriting the source address of those reply
> packets?

Yes, DNS clients should ignore traffic they didn't specifically request. The response needs to come from the same port and address that the request was addressed to.

[snip]

> Those are my thoughts. Has anyone here successfully proxied DNS using
> ipfw fwd?

I have not tried this; if you're bent on using fwd on your DNS traffic, some testing should clear up your questions regarding ports and IPs.

Mark

> > > > It sounds like transparent "proxying" is exactly what you want. Here's
> > > > my take on a solution for you - some parts of it I've tested for a
> > > > similar scheme, some parts are speculation.
> > > >
> > > > First off, please reread the paragraph of ipfw(8) starting with "fwd
> > > > ipaddr[,port]", just for reference.
> > > >
> > > > I'd start with an ipfw rule like the following, on the gateway:
> > > >
> > > > ipfw add 65000 fwd $GATEWAY tcp from $INTERNAL to any
> > > >
> > > > That grabs all incoming TCP traffic and redirects it to your own box.
> > > > This part I've tested before, in conjunction with Apache - any web
> > > > request, no matter the destination IP, will get a response from your
> > > > httpd. Other TCP traffic will hit your box and receive a RST or no
> > > > response, depending on your firewall rules. If you want to get fancy,
> > > > you can listen for other protocols and send custom messages.
> > > >
> > > > Once you've got that rule into place, it's pretty straightforward to add
> > > > rules to allow/NAT/whatever traffic on an IP-by-IP basis for hosts that
> > > > you want to let out:
> > > >
> > > > ipfw add 64900 allow tcp from $REGISTERED_IP to any
> > > >
> > > > and so on.
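The message above makes two technical points: the captive-portal ruleset depends on ipfw's first-match ordering (the per-host `allow` at 64900 must sit below the catch-all `fwd` at 65000), and a UDP DNS reply coming back from a `fwd` target will be dropped by the client unless its source is rewritten to the address and port the client actually queried. The following is an added example, not code from the thread or from FreeBSD: it models that rule ordering offline and implements the source/txid/question checks a stub resolver applies, using constructed addresses (192.168.1.1 as the gateway's main IP, 192.168.1.2 as the real resolver, 192.168.1.50 as a registered host) and a hand-built DNS packet.

```python
"""Added example (not from the mailing-list thread).
1. A first-match evaluator over the captive-portal ruleset sketched in the
   thread, plus a renderer that prints the equivalent ipfw(8) commands.
2. A minimal stub-resolver acceptance check showing why a reply that leaves
   the fwd target with its own source address is discarded.
All addresses and names below are constructed for the example."""
import ipaddress
import struct

GATEWAY = "192.168.1.1"   # main IP clients are told to use (assumed)
REAL_DNS = "192.168.1.2"  # where 'fwd 192.168.1.2,53' delivers port 53 (assumed)
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed client subnet


def build_ruleset(registered):
    """Rules as (number, action, proto, src_network, fwd_target).
    Registered hosts get an allow at 64900, below the 65000 catch-all fwd,
    so first-match evaluation lets them out; UDP is left open as proposed."""
    rules = []
    for ip in sorted(registered, key=ipaddress.ip_address):
        rules.append((64900, "allow", "tcp", ipaddress.ip_network(ip + "/32"), None))
    rules.append((65000, "fwd", "tcp", INTERNAL, GATEWAY))
    rules.append((65100, "allow", "udp", INTERNAL, None))
    return rules


def render_ipfw(rules):
    """Equivalent 'ipfw add' lines, for pasting into a rule file."""
    lines = []
    for num, action, proto, src, target in rules:
        act = f"fwd {target}" if action == "fwd" else action
        lines.append(f"ipfw add {num} {act} {proto} from {src} to any")
    return lines


def evaluate(rules, proto, src):
    """First matching rule wins, as in ipfw; unmatched traffic is denied
    (assumes a default-deny tail not shown in the thread)."""
    s = ipaddress.ip_address(src)
    for num, action, rproto, rsrc, target in sorted(rules, key=lambda r: r[0]):
        if rproto == proto and s in rsrc:
            return f"fwd {target}" if action == "fwd" else action
    return "deny"


def build_query(txid, name):
    """Minimal DNS query: 12-byte header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_answer(query, addr):
    """What a resolver sends back: same txid, QR/RD/RA set, question echoed,
    one A record using a compression pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(addr).packed
    return header + query[12:] + rr


def response_acceptable(sent_to, query, reply_from, reply):
    """Stub-resolver checks: the reply must arrive from exactly the
    (address, port) the query was sent to, carry the same transaction ID,
    have QR set, and repeat the question section byte for byte."""
    if reply_from != sent_to:
        return False
    if len(reply) < len(query):
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return False
    return reply[12:len(query)] == query[12:]


def dns_via_fwd(rewrite_source):
    """Client queries GATEWAY:53; the fwd rule hands the packet to REAL_DNS:53.
    Without rewriting the reply's source back to GATEWAY:53 the answer
    arrives from an address the client never addressed and is discarded."""
    sent_to = (GATEWAY, 53)
    query = build_query(0x1234, "www.example.com")
    answer = build_answer(query, "203.0.113.10")
    reply_from = (GATEWAY, 53) if rewrite_source else (REAL_DNS, 53)
    return response_acceptable(sent_to, query, reply_from, answer)


if __name__ == "__main__":
    rules = build_ruleset(["192.168.1.50"])
    print("\n".join(render_ipfw(rules)))
    print("registered tcp ->", evaluate(rules, "tcp", "192.168.1.50"))
    print("unregistered tcp ->", evaluate(rules, "tcp", "192.168.1.51"))
    print("reply from fwd target accepted:", dns_via_fwd(False))
    print("reply with rewritten source accepted:", dns_via_fwd(True))
```

The `evaluate` model is deliberately narrow (source address and protocol only); it exists to check the 64900/65000 ordering before touching a live gateway, not to replace ipfw's matcher. The DNS half is the reason the thread's proposed `fwd 192.168.1.2,53` rule needs a companion source rewrite on the return path: `response_acceptable` rejects the reply on the first check, before txid or question are even compared.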