hi all..
I probably should have added that the DNS was for the Internet side, not local DNS for local machines...
and yes, it's always a problem when they don't have the $$$$ for separating fw, dns, email, web, home server, db server, backup servers, log server, pop3, ppp, etc.
- so which servers do you combine???
( gets bad when they have their minds pre-defined already )
- even a 486-based machine would be fine for most small corps to run as DNS or as a simple "standalone" firewall...
have fun linuxing ... :-)
alvin
On Mon, 7 May 2001, Hiemstra, Brenno wrote:
> <..snip..>
>
>
> I've heard the argument that DNS should be part of the firewall
> because ... to send email or web to foo.com ... it has to go
> find the DNS server first... then it will go to wherever it's
> directed ... thru the firewall next...
> - and the problem is people like to attack the DNS servers
> - and you're lucky, it might have a backdoor into the LAN...
> - or whatever it might tell you...
>
> <..snip..>
>
> Some comments from my part...
>
> You don't run DNS on the firewall... at least not a server. You can sure
> use it to resolve DNS addresses locally... I would not advise using your
> firewall as a resolver for your internal LAN.
>
> The best way is to use a separate DNS system which resolves for your internal
> LAN and other systems (mail, http, etc, etc). If the DNS server is only a resolver
> then access from the outside isn't necessary,
> so you can make a rule that only DNS traffic is allowed to go out of your network and
> only IN your network if the connection is in the firewall's state
> table (if you use a stateful inspection based firewall -- which I would prefer).
>
> If people attack your DNS servers then your firewall isn't compromised, only the
> DNS server. Access to the LAN isn't necessary... you just have to build a DMZ which
> separates your Internet systems from your local LAN systems.
>
> that's about it...
>
> Just remember one thing...
>
> Don't run services (DNS, sendmail) on your FW unless you have a $$$
> problem so that you can't afford more systems to do the work. It can be used
> to compromise your FW and therefore give a leap into your LAN / DMZ.
>
> Have fun BSD-ing
>
> Brenno
>
>
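Brenno's layout, written out as a pf ruleset for a three-interface BSD firewall: the firewall itself answers no DNS, the only resolver lives in a DMZ, LAN hosts may query only that resolver, only the resolver may talk DNS to the Internet, replies get back in solely through the state table, and the DMZ cannot reach the LAN. This is an added example, not code from either poster; the interface names (fxp0/fxp1/fxp2), the private address ranges, the firewall's own addresses and the resolver's address are assumptions chosen for illustration.

```pf
# Added example (not from the original thread). Interface names and all
# addresses below are assumed: fxp0 faces the Internet, fxp1 the DMZ,
# fxp2 the internal LAN.
ext_if  = "fxp0"
dmz_if  = "fxp1"
int_if  = "fxp2"
lan_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
dns_srv = "192.168.20.53"        # the caching resolver in the DMZ (assumed)
fw_addrs = "{ 203.0.113.1, 192.168.20.1, 192.168.10.1 }"   # firewall's own addresses (assumed)

# Default deny on every interface; pass rules below override it (last match wins).
block log all

# Anti-spoofing: private ranges never arrive from the Internet side.
block in quick on $ext_if from { $lan_net, $dmz_net } to any

# The DMZ is for Internet-facing boxes only; it never initiates into the LAN.
block in quick on $dmz_if from $dmz_net to $lan_net

# No resolver runs on the firewall, so nothing may reach the firewall on 53.
block in quick on { $ext_if, $dmz_if, $int_if } proto { tcp, udp } from any to $fw_addrs port 53

# LAN hosts query only the DMZ resolver; the reply is admitted because it
# matches the state entry created here, not because of any inbound rule.
pass in  on $int_if proto { tcp, udp } from $lan_net to $dns_srv port 53 keep state
pass out on $dmz_if proto { tcp, udp } from $lan_net to $dns_srv port 53 keep state

# Only the resolver talks DNS to the outside world. There is deliberately no
# "pass in on $ext_if ... port 53": a resolver receives no unsolicited queries,
# so answers come back only via the state table.
pass in  on $dmz_if proto { tcp, udp } from $dns_srv to any port 53 keep state
pass out on $ext_if proto { tcp, udp } from $dns_srv to any port 53 keep state
```

Load it with `pfctl -f /etc/pf.conf` and review the parsed rules with `pfctl -sr`. Two checks close the loop on the advice above: on the firewall host, `sockstat -l` (FreeBSD) or `netstat -an -f inet` (OpenBSD) should show nothing bound to port 53, and every LAN host's resolv.conf should point at the DMZ resolver rather than at the firewall, since the ruleset above will drop any query sent to the firewall itself.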
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]