
List:       bind-users
Subject:    naïve question; using bind behind a outbound-only firewall
From:       "linda w" <bind () tlinx ! org>
Date:       2003-01-30 23:53:44


I have bind 8.x setup behind an outgoing-only firewall.  I'm using
bind on a 'border machine' to serve IPs to isolated-subnet clients.  The border
machine can initiate outbound TCP, UDP and ICMP traffic, but the only inbound data is
"return" traffic (on a TCP connection).  Incoming UDP and ICMP packets are dropped
by a transparent firewall before they get to the border machine.

This has 'worked' for some time...not always fast, but enough for the
few internal client machines I have.  I've started doing traffic logging
in preparation for smarter FW rules and noticed many incoming UDP
packets from various and sundry NS's.  They never reach the border machine
where they might do some good (or bad, if they are random, forged UDP packets
that exploit something), since the border machine only gets information
back from NameServers it is actively querying via TCP.

I've googled and searched through net and local doc files but have come up
empty -- is there a way for me to set a flag when I do an outbound TCP
query to tell a remote NS not to bother with asynchronous UDP replies?
I feel like I'm wasting these other machines' bandwidth (and my own) and generating
myself beaucoup log messages about rejected packets :-).  I feel bad about rejecting
all those packets, ya know.

Thanks -- I know my current "security policy" is primitive, but it's what I have to
work within right now.

Linda
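
An added illustration of the DNS-over-TCP exchange the post describes (example code, not part of the original message or of BIND): a query sent over TCP gets its reply on that same connection, and the query carries no field that selects a reply transport, so a TCP query never produces a UDP reply. The "remote NS" here is a stand-in responder on loopback; the names and addresses (192.0.2.1 etc.) are constructed.

```python
import socket
import struct
import threading

def build_query(name, qid):
    """RFC 1035 query: 12-byte header (RD set) plus one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def read_tcp_message(sock):
    (n,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, n)

def answer_one_query(listener, answer_ip):
    """Stand-in for the remote NS (constructed): the reply goes back on the
    TCP connection the query arrived on; nothing is ever sent over UDP."""
    conn, _ = listener.accept()
    with conn:
        q = read_tcp_message(conn)
        question = q[12:]  # copy the question section verbatim
        resp = q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + question
        # one answer RR: compressed-name pointer to offset 12, A, IN, TTL 60, 4-byte rdata
        resp += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
        conn.sendall(tcp_frame(resp))

def tcp_lookup(name, qid=0x1234, answer_ip="192.0.2.1"):
    """Query the stand-in NS over TCP only; return (reply id, answered IP)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=answer_one_query, args=(listener, answer_ip), daemon=True).start()
    query = build_query(name, qid)
    with socket.create_connection(listener.getsockname()) as s:
        s.sendall(tcp_frame(query))
        resp = read_tcp_message(s)  # same socket: no UDP listener is needed
    listener.close()
    qlen = len(query) - 12
    rdata = resp[12 + qlen + 12: 12 + qlen + 16]
    return struct.unpack("!H", resp[:2])[0], socket.inet_ntoa(rdata)
```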


