Randy Kramer wrote:
> civileme wrote:
>
>> If your primary concern is internet sharing, Mandrake has a wonderful
>> product called SNF. You install it and let it run, and configure it
>> from one of your other machines with a web browser. It can lock off
>> domains or IPs and map popups into single transparent pixels, as well as
>> restricting access in and out.
>>
>
> civileme,
>
> 1. Thanks for all your good help over the last year or so! Hope things
> go well for you and you do find time to continue participating on the
> newbie and expert lists!
>
> 2. Just took a look at SNF
> (http://www.mandrakesoft.com/products/snf/features), and noticed that it
> does not mention DNS. I would have thought that it would be nice to run
> a caching DNS server on that (on the premise that such would speed up
> DNS requests out to the Internet, and that it would alleviate the need
> for me to create a DNS server to serve my LAN). Is DNS included but not
> mentioned, or if it is not included, is there some technical or security
> related reason?
>
> regards,
> Randy Kramer
>
>
> ------------------------------------------------------------------------
>
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
>

Well, one of the SNF designers was Jay Beale, and his opinion was that a caching DNS server was a serious security risk. For a while the whole project hung because apache couldn't resolve things (it has its own built-in resolver) until it was decided to allow trusting the external DNS from the ISP. DNS packets have all sorts of built-in tunnelling dodges, which is why DNS is often run from chroot jails...
I hand-tested SNF since, until it was released, it was a rather secretive project. It also makes no provision for a DMZ within the firewall. (That is, a zone of IP numbers within the firewall isolated from at least the outgoing rules.)

MNF will be replacing it some time soon. I don't know if a DNS server will be allowed on it, but it will include _stateful_ firewalling, which means that when a packet comes in it will be subjected to an expectedness test.

Standard internet connection sharing does set up the DNS (forwarding) server, of course, but there is little way to make any significant change in SNF. People who griped about the lack of this or that feature soon found that hand-editing the usual config files did not work... (Those are reloaded from other files.) It was really meant as a turnkey product highly configurable from the GUI supplied by a web browser on one of your local machines.

Civileme
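The "expectedness test" described above, as an added illustration that is not SNF or MNF code: a toy stateful filter that admits inbound packets only when they answer a flow the LAN opened, and that only lets LAN DNS queries go to the ISP's resolvers (the LAN prefix, resolver address and 30-second idle timeout are assumed values).

```python
# Added example (not SNF/MNF code): a minimal stateful "expectedness test"
# of the kind a connection-tracking firewall applies to inbound packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float    # arrival time in seconds


class StatefulFilter:
    """Allow inbound traffic only when it reverses a recent outbound flow."""

    def __init__(self, lan_prefix, isp_resolvers, timeout=30.0):
        self.lan_prefix = lan_prefix          # assumed LAN addressing, e.g. "192.168.1."
        self.isp_resolvers = set(isp_resolvers)  # the only DNS servers the LAN may use
        self.timeout = timeout                # idle seconds before a flow is forgotten
        self.flows = {}  # (proto, src, sport, dst, dport) -> last time seen

    def is_lan(self, ip):
        return ip.startswith(self.lan_prefix)

    def check(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.is_lan(pkt.src) and not self.is_lan(pkt.dst):
            # Outbound: DNS may only go to the ISP resolvers (assumed policy),
            # everything else is allowed and remembered as an expected flow.
            if pkt.dport == 53 and pkt.dst not in self.isp_resolvers:
                return "DROP: dns-to-untrusted-resolver"
            self.flows[key] = pkt.ts
            return "ACCEPT: new-outbound"
        # Inbound: expected only if it is the reverse of a live outbound flow.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.flows.get(reverse)
        if seen is not None and pkt.ts - seen <= self.timeout:
            self.flows[reverse] = pkt.ts  # refresh the flow's idle timer
            return "ACCEPT: established"
        return "DROP: unexpected-inbound"
```

A stateless rule set that simply allows "udp sport 53 inbound" would accept the unsolicited reply that this filter drops; the flow table is what makes the reply expected.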
