> Well, it actually isn't a web server, it is a voice comms server (teamspeak
> 2) and ssh/sftp.
>
> It is getting an address from the DHCP server on my Bering box. The names
> are going to come from the DNS server running on the Bering box (tinydns,
> getting its data from the dhcp server by way of dhcp_2_dns).
>
> My goal is to make sure the ports get forwarded the right way no matter what
> IP address the DHCP server hands out. I just want to make sure this isn't
> dangerous (or unadvisable for some other reason)

The inherent danger in using hostnames vs IP addresses is the potential
side effects. Remember the DNS resolution will occur *ONLY* when you
actually run the scripts to build the firewall rules. Once in place,
the IPs will not change, regardless of any updates to your DNS.
There's also the potential for hijacking the DNS traffic, or otherwise
modifying the name to IP mapping (DNS cache poisoning and other tricks),
which could result in your firewall rules applying to the wrong IP.
Of course, you can have similar problems when using IP addresses if you
forget to update the entries when (not if!) you change your network
numbering.

All-in-all, I'd say you'd be fine using DNS entries provided the IPs
for your server systems are static, and the DNS info is loaded and
current when you're initializing your firewall rules, but that's not
what it sounds like you're wanting to do. Trying to track dynamic IPs
by using hostnames in your firewall rules (which is what it sounds like
you want) is not generally a good idea...try to get at least your server
systems configured with a static IP.

NOTE: You can still use DHCP to configure your server systems, you just
need to make a host entry for them so they always get the same IP. For
the ISC DHCP server, you just need a host statement in your subnet
declaration...part of my /etc/dhcpd.conf file which assigns a static IP
to my personal workstation for reference:

subnet 10.34.1.0 netmask 255.255.255.0 {
    option routers 10.34.1.254;
    option domain-name "private.network";
    option domain-name-servers 216.171.153.188, 216.171.129.13, 216.171.129.14;
    option netbios-name-servers 10.28.1.12;
    option netbios-node-type 8;
    # dynamic pool handed out to ordinary clients
    range 10.34.1.65 10.34.1.191;

    # workstation always gets .222 (outside the dynamic pool), keyed on its MAC
    host cdsteinkuehler {
        hardware ethernet 00:a0:c9:27:c4:69;
        fixed-address 10.34.1.222;
    }
}

Get the hardware address and hostname from your leases file
(/var/state/dhcp/dhcpd.leases). Note you can assign a static IP, and
still configure other networking parameters (like DNS servers,
netbios-node-type, etc) with DHCP...very handy.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
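
As an added example (not from Charles's post or from the LEAF/ISC projects), the
script below does the leases-to-host-statement step mechanically: it reads a
dhcpd.leases file, picks the newest lease for a given client-hostname (dhcpd
appends to the leases file, so an older entry for a swapped NIC must lose),
and emits the host block in the form shown above. It also adds the check a
practitioner wants before pasting it in: the chosen fixed-address must lie
outside the subnet's dynamic range, as ISC dhcpd expects. The leases content,
hostnames and MACs are constructed sample data; the only tools assumed are
POSIX sh and awk, which a Bering box has.

```sh
#!/bin/sh
# Added example, not code from the original post. Turns a dhcpd.leases entry
# into an ISC dhcpd "host" statement and warns when the fixed-address falls
# inside the dynamic pool. SAMPLE_LEASES is constructed data standing in for
# /var/state/dhcp/dhcpd.leases.

# Constructed leases file: "gamebox" appears twice (its NIC was swapped), so
# the later entry must win, because dhcpd appends new leases to the file.
SAMPLE_LEASES=$(cat <<'EOF'
lease 10.34.1.77 {
  starts 3 2003/06/11 14:02:10;
  ends 3 2003/06/11 20:02:10;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "gamebox";
}
lease 10.34.1.78 {
  starts 3 2003/06/11 14:05:00;
  ends 3 2003/06/11 20:05:00;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "laptop";
}
lease 10.34.1.91 {
  starts 3 2003/06/12 09:00:00;
  ends 3 2003/06/12 15:00:00;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "gamebox";
}
EOF
)

# leases_to_host <client-hostname> <fixed-address>   (leases text on stdin)
# Prints a dhcpd.conf host block; exits 1 if no lease carries that hostname.
leases_to_host() {
    awk -v want="$1" -v fixed="$2" '
        /^lease /                  { mac = ""; name = "" }     # new lease block
        /^[ \t]*hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
        /^[ \t]*client-hostname/   { name = $2; gsub(/[";]/, "", name) }
        /^}/                       { if (name == want && mac != "") last = mac }
        END {
            if (last == "") { print "no lease found for " want > "/dev/stderr"; exit 1 }
            printf "host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n", want, last, fixed
        }'
}

# ip2int: dotted quad to a plain integer so addresses compare numerically.
ip2int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# ip_in_range <ip> <lo> <hi>: succeeds when ip lies inside the dynamic pool.
# A fixed-address inside a "range" line lets dhcpd hand the same address to
# some other client, so the caller should treat success here as an error.
ip_in_range() {
    _ip=$(ip2int "$1"); _lo=$(ip2int "$2"); _hi=$(ip2int "$3")
    [ "$_ip" -ge "$_lo" ] && [ "$_ip" -le "$_hi" ]
}

# Demo against the constructed data, using the 10.34.1.65-191 pool from above.
printf '%s\n' "$SAMPLE_LEASES" | leases_to_host gamebox 10.34.1.222
if ip_in_range 10.34.1.222 10.34.1.65 10.34.1.191; then
    echo "WARNING: fixed-address is inside the dynamic range" >&2
fi
```

On a live box, replace the printf with `leases_to_host gamebox 10.34.1.222 < /var/state/dhcp/dhcpd.leases`, paste the output inside the subnet declaration, and run `dhcpd -t` before restarting the server.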
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html