Firewall Setup?

Steve West stevewest15 at yahoo.com
Tue Dec 30 20:59:44 UTC 2003


We run our own Primary & Secondary DNS servers which are behind a firewall. The
name servers contain dns info for a few websites which are also located behind
this firewall. Basically, we need the following:

1. Allow the outside world to contact our dns servers for dns information for
only the sites which our dns server is responsible for (I've also set up
allow-query in named.conf to combat this).

2. Also need to allow local network users (behind the firewall) to use the dns
servers to browse the internet and send out e-mail. So, the dns servers behind
our firewall will need to have access to go outside our network to resolve
domains.

Incoming Traffic:

Rule #1:
   Allow incoming  TCP  s-port=NC   d-port=53  ->  IP of NS

Rule #2:
   Allow incoming  UDP  s-port=NC   d-port=53  ->  IP of NS

Rule #3:
   Allow incoming  UDP  s-port=53   d-port=NC  ->  entire network

Outgoing Traffic:

Rule #4:
   Allow outgoing  TCP  s-port=53   d-port=NC  ->  Our DNS IP

Rule #5:
   Allow outgoing  UDP  s-port=53   d-port=NC  ->  Our DNS IP

Rule #6:
   Allow outgoing  UDP  s-port=NC   d-port=53  ->  Internet

--------
I'm not sure if this is what I need or if I messed it all up. I'm especially
not clear if I need the UDP rules. The one that really scares me is Rule #3,
which I'm not sure if I even need, but I think I need it to allow local users
to fetch information from other dns servers. But then again, don't local users
query our local dns server, which queries other dns servers, which send the
response back to the local dns server, which sends the info to the local user?
Did I lose you... because I'm lost myself! ;-)

Any help is greatly appreciated and if something is unclear, please ask and
I'll be more than happy to clarify.

Thanks,

SW

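As an added illustration, not part of Steve's post or of any BIND code: a small Python model of the six rules as a stateless packet filter, tracing which rule admits each DNS flow (including the local-user case asked about) and what changes when Rule #3 and Rule #6 are narrowed to the name server only. Addresses and ports are constructed placeholders, and it assumes the name server sends its own outbound queries from an ephemeral (non-53) source port, as Rule #6 implies.

```python
import ipaddress

NS_IP = "192.0.2.53"    # constructed placeholder for "IP of NS" / "Our DNS IP"
LAN = "192.0.2.0/24"    # constructed placeholder for "entire network"
WORLD = "0.0.0.0/0"     # the post's "Internet"
ANY = None              # the post's "NC": port not constrained

# (name, direction, proto, src_port, dst_port, inside_host) as posted. For incoming
# rules the inside host is the packet's destination; for outgoing it is the source.
POSTED_RULES = [
    ("Rule #1", "in",  "tcp", ANY, 53,  NS_IP),
    ("Rule #2", "in",  "udp", ANY, 53,  NS_IP),
    ("Rule #3", "in",  "udp", 53,  ANY, LAN),
    ("Rule #4", "out", "tcp", 53,  ANY, NS_IP),
    ("Rule #5", "out", "udp", 53,  ANY, NS_IP),
    ("Rule #6", "out", "udp", ANY, 53,  WORLD),
]

# Same set with Rule #3 and Rule #6 narrowed to the name server alone.
TIGHTENED_RULES = [r if r[0] not in ("Rule #3", "Rule #6") else r[:5] + (NS_IP,)
                   for r in POSTED_RULES]

def first_match(direction, proto, inside_host, sport, dport, rules=POSTED_RULES):
    """Name of the first rule permitting the packet, or None if it would be dropped."""
    host = ipaddress.ip_address(inside_host)
    for name, d, p, sp, dp, inside in rules:
        if d != direction or p != proto:
            continue
        if (sp is not ANY and sp != sport) or (dp is not ANY and dp != dport):
            continue
        if host in ipaddress.ip_network(inside, strict=False):
            return name
    return None

# Constructed flows: (direction, proto, inside host, src port, dst port). The NS is
# assumed to send its own queries from an ephemeral port (32770 here), per Rule #6.
FLOWS = {
    "outside client queries NS (UDP)":       ("in",  "udp", NS_IP, 40000, 53),
    "NS answers outside client (UDP)":       ("out", "udp", NS_IP, 53, 40000),
    "NS queries outside server (UDP)":       ("out", "udp", NS_IP, 32770, 53),
    "outside server answers NS (UDP)":       ("in",  "udp", NS_IP, 53, 32770),
    "NS retries over TCP (truncated reply)": ("out", "tcp", NS_IP, 32771, 53),
    "LAN workstation queries outside (UDP)": ("out", "udp", "192.0.2.77", 32772, 53),
    "outside server answers workstation":    ("in",  "udp", "192.0.2.77", 53, 32772),
}

def trace(rules=POSTED_RULES):
    """Map each flow label to the rule that admits it (None means dropped)."""
    return {label: first_match(*pkt, rules=rules) for label, pkt in FLOWS.items()}
```

Calling trace() and trace(TIGHTENED_RULES) gives the two verdict tables: the posted set lets any LAN host query outside resolvers directly via Rule #6 and receive answers via Rule #3, while the narrowed set admits only the name server's own recursion; in both sets no outbound TCP query from a non-53 source port is allowed, so a retry after a truncated UDP reply would be dropped.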

