naïve question; using bind behind an outbound-only firewall

Simon Waters Simon at wretched.demon.co.uk
Fri Jan 31 10:41:43 UTC 2003



linda w wrote:
> I have bind 8.x setup behind an outgoing-only firewall.  I'm using
> bind on a 'border machine' to serve IP's to isolated-subnet clients.
> The border machine can initiate outbound TCP, UDP and ICMP traffic but
> the only inbound data is "return" traffic (on a TCP connection).
> Incoming UDP and ICMP packets are dropped by a transparent firewall
> before they get to the border machine.
> 
> This has 'worked' for some time...

If this is a complete description I am quite surprised it works at all.

I assume you are letting in UDP responses to queries, even if you don't know it, or you must have some way of forcing TCP queries, and fail to see large parts of the DNS that only allow UDP queries.

You won't get UDP responses unless you asked UDP questions; if you ask UDP questions and get no answer, you won't ask TCP questions.

I think you are confused - check these packets harder - or show us some, they may not be what you think they are.

Doesn't Rusty have a diatribe somewhere about blocking all ICMP packets - probably in the IPChains HOW-TO for Linux, but that is off-topic.

 Simon

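The behaviour Simon describes (a resolver retries over TCP only when the UDP reply carries the TC bit, never when the UDP reply is simply dropped) as an added illustration that is not part of the original thread. The firewall model, transaction ID and sample reply headers below are constructed for the example.

```python
import struct

FLAG_QR = 0x8000  # header flag: this message is a response
FLAG_TC = 0x0200  # header flag: answer was truncated to fit the UDP reply

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def resolver_step(udp_reply, txid):
    """What a resolver does with the UDP reply (or absence of one) to its query."""
    if udp_reply is None:
        return "timeout"        # no reply: retry over UDP or give up, never TCP
    if len(udp_reply) < 12:
        return "ignore"         # too short to carry a DNS header
    rid, flags = struct.unpack("!HH", udp_reply[:4])
    if rid != txid or not flags & FLAG_QR:
        return "ignore"         # not a response to our question
    if flags & FLAG_TC:
        return "retry-tcp"      # only the TC bit triggers the TCP retry
    return "accept"

def query_through_firewall(server_reply, drop_inbound_udp, txid=0x1234):
    """Constructed model of the border box: outbound UDP always leaves, and a
    stateless filter drops the inbound UDP reply when drop_inbound_udp is True."""
    udp_reply = None if drop_inbound_udp else server_reply
    return resolver_step(udp_reply, txid)

# Constructed sample reply headers (the decision only needs the header).
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR TC RD RA
```

With inbound UDP dropped, every lookup ends in "timeout" rather than a TCP retry, which is why a firewall that only passes TCP return traffic cannot explain a working resolver.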


