I have 4 subnets that each have their own interfaces (LAN, OPT1, OPT2,
OPT3) and are the gateway for each of the subnets.  I have development and
backend t1 access on the LAN net, webservers on the OPT1 net, app and
database servers on OPT2 and the mail servers are on OPT3.

I intend to make it so that each of these subnets has limited filtered port
access to one another.  Everything is working fine so far but I wanted to
throw out some questions just to get them out of the way.

1. If I want to resolve DNS (via the DNS forwarder) from OPT1 net, 2 net and
3 net, do I need to add a rule to allow access to the LAN interface IP from
those networks?  Or does the DNS forwarder listen on all the OPT interfaces
as well?  If not, can it?

2. Does the DNS forwarder allow reverse DNS entries?  It's nice to be able to
just put all my server DNS entries in the firewall rather than having to add
all the servers to each other's /etc/hosts files; however, without reverse DNS
lookup you'd get that nice few-second hang while it attempts to reverse
resolve the hostname.  If the daemon does support it, it might be nice to have a
checkbox when adding an entry if you want reverse DNS to be proxied/forwarded
as well.  It's understandable that this is a little more feature than is
needed in the firewall.  The same could be said for multiple IPs per hostname
if that isn't supported.

3. What exactly are the differences between the LAN and OPT interfaces?  As
far as I can tell it is:
    a) various fw services listen only on the LAN IP.
    b) LAN has access to all OPT nets (how is that done? is it because of
the default rule that's added?)
    c) others?

.. possible feature request

It's possible to name all the OPT interfaces however you'd like.  It would
also be nice to be able to rename the LAN and WAN interfaces to be more
descriptive.

Sorry for all the newbie questions.. this is my first time setting up any
kind of firewall.

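Added example for question 2 (not from the original post, and not modelling
any forwarder's actual configuration syntax): what the reverse side of a
local host table looks like. For every hostname/IP pair it produces the A
record and the matching PTR name under in-addr.arpa, supports several IPs
per hostname, and flags the one case a reverse entry cannot express cleanly:
an IP shared by more than one hostname. Host entries are constructed sample
values.

```python
"""Forward (A) and reverse (PTR) records from a hosts-style table.

Added example; the entries are constructed samples and the output is a
neutral record list, not any particular daemon's config format.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: hostname -> list of addresses (several IPs per host).
HOSTS = {
    "web1.example.internal": ["10.0.2.10", "10.0.2.11"],
    "db1.example.internal":  ["10.0.3.20"],
    "mail.example.internal": ["10.0.4.25"],
    "app1.example.internal": ["10.0.3.20"],   # deliberately shares db1's IP
}


def forward_records(hosts):
    """One (name, 'A', ip) tuple per address."""
    return [(name, "A", ip) for name, ips in hosts.items() for ip in ips]


def reverse_records(hosts):
    """One (ptr_name, 'PTR', hostname) tuple per address.

    ptr_name is the in-addr.arpa form, e.g. 10.2.0.10.in-addr.arpa for
    10.0.2.10, which is what a resolver queries for a reverse lookup.
    """
    return [(ip_address(ip).reverse_pointer, "PTR", name)
            for name, ips in hosts.items() for ip in ips]


def ambiguous_reverse(hosts):
    """IPs claimed by more than one hostname.

    A PTR answer names a single host, so these need a decision about which
    name the reverse entry should carry.
    """
    owners = defaultdict(list)
    for name, ips in hosts.items():
        for ip in ips:
            owners[ip].append(name)
    return {ip: names for ip, names in owners.items() if len(names) > 1}


def lookup_reverse(hosts, ip):
    """Answer a reverse lookup locally: hostname for ip, or None if unknown.

    A None here is the case that produces the multi-second hang the post
    describes, since the resolver then waits on an upstream that has no
    record for a private address.
    """
    wanted = ip_address(ip).reverse_pointer
    for ptr, _, name in reverse_records(hosts):
        if ptr == wanted:
            return name
    return None


if __name__ == "__main__":
    for rec in forward_records(HOSTS) + reverse_records(HOSTS):
        print(*rec)
    print("ambiguous:", ambiguous_reverse(HOSTS))
    print("10.0.4.25 ->", lookup_reverse(HOSTS, "10.0.4.25"))
```

Run it and the PTR names show why a forwarder that only holds forward
entries leaves the reverse question unanswered: the reverse query is for a
different name entirely, under in-addr.arpa, so it has to be generated or
entered separately.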