Message-ID: <20011227012255.80858.qmail@web11805.mail.yahoo.com>
Date: Wed, 26 Dec 2001 17:22:55 -0800 (PST)
From: X Philius
Reply-To: xphilius@yahoo.com
Subject: Re: Help with ipfw rules to allow DNS queries through
To: David Wolfskill , security@freebsd.org
In-Reply-To: <200112261952.fBQJqe207151@bunrab.catwhisker.org>

David,

I think I need to clarify the NAT setup. I have dedicated, fixed external and internal IP addresses. As far as I know our Cisco router just translates everything, without analysis, between my internal and external addresses, in both directions. I assume you were talking about the common office setup where everyone shares an internal, or an external address.

Considering this, should the ruleset I posted earlier work?

I am currently using an external name server for resolution, but I will be setting up named and using my own named for resolution.

Jason

--- David Wolfskill wrote:
> You mention that you're behind NAT.
>
> If you're also wanting to handle master (primary) or slave (secondary)
> nameservice, natd will need to be told what should happen to an
> in-bound DNS query. (You may want to think about this for a little
> bit.)
>
> Depending on what the intended destination for incoming DNS queries
> is now, this may be challenging or nearly impossible....
>
> Cheers,
> david