naïve question; using bind behind a outbound-only firewall

linda w bind at tlinx.org
Thu Jan 30 23:53:44 UTC 2003


I have bind 8.x set up behind an outgoing-only firewall.  I'm using
bind on a 'border machine' to serve IPs to isolated-subnet clients.
The border machine can initiate outbound TCP, UDP and ICMP traffic but
the only inbound data is "return" traffic (on a TCP connection).
Incoming UDP and ICMP packets are dropped by a transparent firewall
before they get to the border machine.

This has 'worked' for some time...not always fast, but enough for the
few internal client machines I have.  I've started doing traffic logging
in preparation for smarter FW rules and noticed many incoming UDP
packets from various and sundry NS's.  They never reach the border machine
where they might do some good (or bad if they are random, forged UDP packets
that exploit something) since the border machine only gets information
back from NameServers it is actively querying via TCP.

I've googled and searched through net and local doc files but have come up
empty -- is there a way for me to set a flag when I do an outbound TCP
query to tell a remote NS not to bother with asynchronous UDP replies?
I feel like I'm wasting these other machines' bandwidth (and my own) and
generating myself beaucoup log messages about rejected packets :-).  I
feel bad about rejecting all those packets, ya know.

Thanks -- I know my current "security policy" is primitive, but it's
what I have to work within right now.

Linda
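The post asks whether a query sent over TCP can tell the remote server not to answer over UDP. No flag is needed for that: a DNS server replies over the transport the query arrived on, so a query sent on a TCP connection gets its reply on that same connection, and the only wire-level difference from UDP is the two-byte length prefix on each message (RFC 1035, section 4.2.2). The Python below is an added example, not code from the original post or from BIND. It builds a query, frames it for TCP, reads a length-prefixed reply back from a byte stream, and parses the answer. The reply it parses is a constructed sample (an A record for example.com pointing at the documentation address 192.0.2.1); the function names, the transaction id 0x1234 and the `query_over_tcp` helper are illustrative choices.

```python
"""DNS over TCP: query framing and reply parsing (RFC 1035 section 4.2.2).

Added example; the sample reply below is constructed, not captured.
"""
import socket
import struct


def encode_name(qname):
    """Encode a dotted name as DNS labels terminated by a zero-length label."""
    out = b""
    for label in qname.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Standard query: ID, flags with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """On TCP every DNS message is preceded by its length in two bytes."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf):
    """Return (message, remainder) for one complete TCP message, or (None, buf)
    if the stream does not yet hold the whole message."""
    if len(buf) < 2:
        return None, buf
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        return None, buf
    return buf[2:2 + n], buf[2 + n:]


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # compression pointer (two bytes)
            hops += 1
            if hops > 16:                     # guard against pointer loops
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                 # name ends after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_txid):
    """Parse the header, skip the question, and return the answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
        else:
            answers.append((name, rtype, rdata, ttl))
    return {"txid": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & 0x0200), "answers": answers}


def query_over_tcp(server, qname, timeout=5.0, txid=0x1234):
    """Send one query and read its reply on the same TCP connection.
    Network access is required; this helper is not exercised by the sample."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(qname, txid=txid)))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection early")
            msg, buf = unframe_tcp(buf + chunk)
            if msg is not None:
                return parse_response(msg, txid)


def sample_reply():
    """Constructed TCP-framed reply to 'example.com A': one answer whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    q = build_query("example.com", txid=0x1234)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return frame_tcp(header + q[12:] + rr)


if __name__ == "__main__":
    msg, _rest = unframe_tcp(sample_reply())
    print(parse_response(msg, 0x1234))
```

Running the module parses the constructed reply and prints one A record; `query_over_tcp("203.0.113.1", "example.com")` would perform the same exchange against a real server, with the reply arriving on the outbound connection the firewall already allows.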
