From owner-freebsd-security Wed Dec 30 21:17:26 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA21179 for freebsd-security-outgoing; Wed, 30 Dec 1998 21:17:26 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from obie.softweyr.com ([204.68.178.33]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA21170 for ; Wed, 30 Dec 1998 21:17:20 -0800 (PST) (envelope-from wes@softweyr.com) Received: from softweyr.com (zaphod.softweyr.com [204.68.178.35]) by obie.softweyr.com (8.8.8/8.8.8) with ESMTP id WAA06797; Wed, 30 Dec 1998 22:14:41 -0700 (MST) (envelope-from wes@softweyr.com) Message-ID: <368B0840.96FC6A6C@softweyr.com> Date: Wed, 30 Dec 1998 22:14:40 -0700 From: Wes =?iso-8859-1?Q?Peters=D4?==?iso-8859-1?Q?=40=21=EA?= =?iso-8859-1?Q?=80?==?iso-8859-1?Q?=EA?==?iso-8859-1?Q?=80=DD=E7?= =?iso-8859-1?Q?=805=EA?==?iso-8859-1?Q?=C0?==?iso-8859-1?Q?=EA?= Organization: Softweyr llc X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.0-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Dean CC: Mike Holling , freebsd-security@FreeBSD.ORG Subject: Re: ipfw and DNS References: <368AF355.F8AA6397@thegrid.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dean wrote: > > Mike Holling wrote: > > > I have the same question you do about DNS. One of my clients is using a > > machine to IP masquerade his LAN onto the Internet via DSL link. His > > provider believes they will be able to successfully keep people from > > "running servers" by monitoring traffic and probing connected machines. > > Thus, they state that if they detect a DNS server running on his machine > > they will charge him $500/mo extra. Right now the machine is running a > > local caching server for the LAN, and I can't think of any good way to > > keep external machines from querying it while still allowing responses > > from other DNS servers back in. Please let me know if you get any good > > answers. > > > > Thanks, > > > > - Mike > > That is pretty strange. I can't think of any way to keep the dns server > secret from the network provider. The DSL interface is probably on ethernet. If your friend is using natd on a dedicated machine, he could try natd -deny_incoming, which discards packets bound to the natd machine itself. Another solution would be to install ipfw and deny inbound connections to DNS. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://www.softweyr.com/~softweyr wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message