> I would run a firewall even for BIND alone on a box in case the box
> gets compromised through BIND. Allowing remote access and DNS, then
> dropping everything else as the general firewall policy should be
> pretty straightforward. But with the IP on this particular BIND box
> being public, it's really like any other server on the internet. Port
> forwarding or NAT in that case would be unnecessary.
Do you mean a simple stateless ACL, or a stateful firewall? If you really mean a stateful firewall: think about the effect of DNS queries - they are usually UDP based, and every new query is going to create state. Read up on state table exhaustion.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
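To put numbers on the state table exhaustion Steinar points at, here is an added example (not code from the thread, BIND or any firewall product) that models a stateful firewall's connection-tracking table under UDP DNS load. Every new query is a distinct (source IP, source port) flow and so creates one entry that lives for a fixed UDP timeout; once the table is full, further new flows are dropped. The table size (65536 entries) and the 30 s timeout are assumptions of the model, chosen because 30 s is the Linux nf_conntrack default for UDP; the query rates are constructed inputs.

```python
"""Model of a stateful firewall's connection-tracking table under UDP DNS load.

Constructed example: each inbound UDP query creates one state entry that lives
for `udp_timeout` seconds (assumption: 30 s, the Linux nf_conntrack default
for UDP). When the table is full, new flows are dropped, which is the
exhaustion failure mode discussed in the thread. Time is kept in integer
milliseconds to avoid floating-point comparison surprises.
"""
from collections import deque


class StateTable:
    """A bounded table of UDP flow entries with a fixed per-entry lifetime."""

    def __init__(self, max_entries, udp_timeout_s):
        self.max_entries = max_entries
        self.udp_timeout_ms = udp_timeout_s * 1000
        # (expiry_ms, flow_id); entries are appended in increasing expiry order,
        # so expiring from the left is sufficient.
        self.entries = deque()
        self.accepted = 0
        self.dropped = 0
        self.peak = 0

    def expire(self, now_ms):
        """Remove entries whose lifetime has run out at `now_ms`."""
        while self.entries and self.entries[0][0] <= now_ms:
            self.entries.popleft()

    def new_flow(self, now_ms, flow_id):
        """Try to create state for a new UDP flow; False means the packet was dropped."""
        self.expire(now_ms)
        if len(self.entries) >= self.max_entries:
            self.dropped += 1
            return False
        self.entries.append((now_ms + self.udp_timeout_ms, flow_id))
        self.accepted += 1
        self.peak = max(self.peak, len(self.entries))
        return True


def steady_state_entries(qps, udp_timeout_s):
    """Little's law: entries held in steady state = arrival rate * lifetime."""
    return qps * udp_timeout_s


def max_sustainable_qps(max_entries, udp_timeout_s):
    """Highest constant query rate the table can hold without dropping new flows."""
    return max_entries // udp_timeout_s


def simulate(qps, seconds, max_entries=65536, udp_timeout_s=30):
    """Drive `qps` distinct-source queries per second for `seconds` and return the table."""
    table = StateTable(max_entries, udp_timeout_s)
    flow_id = 0
    for sec in range(seconds):
        for i in range(qps):
            now_ms = sec * 1000 + (i * 1000) // qps
            # Every query comes from a fresh (src ip, src port) pair: one new flow each.
            table.new_flow(now_ms, flow_id)
            flow_id += 1
    return table


if __name__ == "__main__":
    for rate in (1000, 5000):
        t = simulate(rate, 60)
        print(f"{rate} qps: accepted={t.accepted} dropped={t.dropped} "
              f"peak={t.peak} steady_state={steady_state_entries(rate, 30)}")
    print("max sustainable qps for 65536 entries / 30 s:",
          max_sustainable_qps(65536, 30))
```

The useful number is the product rate times lifetime: at 1000 queries/s the table settles at 30000 entries and nothing is dropped, while at 5000 queries/s it would need 150000 entries, fills in about 13 s, and then refuses new flows in bursts for the rest of the run even though the DNS server itself is nowhere near its limit. The alternatives are to raise the table size and shorten the UDP timeout so that capacity stays above the expected peak rate, or to exempt UDP port 53 from connection tracking altogether (a stateless ACL, which is what the `notrack`/NOTRACK facility in nftables and iptables provides) so that queries never create state in the first place.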