firewalls and DNS servers
Tom Metro
blu at vl.com
Tue Apr 12 01:06:14 EDT 2005
David Kramer wrote:
> I have a feeling I will have to somehow get rid of SuseFirewall2 and make
> my own iptables rules, but I don't think my iptable Kung Fu is up to that.
There are countless GUI front-ends for iptables, none of which I've
tried, as I like servers not to be dependent on GUIs for configuration,
and this product fits the bill:
FireHOL, the iptables stateful packet filtering firewall builder.
http://firehol.sourceforge.net/
It's implemented as a mini-language written using Bourne shell
functions. Your config file gets "compiled" into iptables rules. A
typical server config file is as simple as:
version 5                 # FireHOL config-language version
interface eth0 LAN        # name the interface; the rules below apply to it
    policy reject         # default for anything not matched below
    # services this host offers to the LAN
    server "smtp imap imaps dns syslog ntp samba http ssh icmp" accept
    client all accept     # this host may open any outbound connection
But the language is expressive enough that you can set up DMZs, custom
routing, and other custom rules.
> Side note: I *really* have to set up a dns server on my box now, because
> I can't open any of my domain names from my intranet, because they all
> go out and then back in. I need to tell all my internal machines that
> all of those addresses map to my server, which is now 192.168.1.2.
You solve that using a "split horizon" DNS setup [1].
I went through the effort of setting up tinydns [2] for that, but when I
later went looking for a DHCP server I ran across Dnsmasq [3], which
combines DNS content, cache, and DHCP server in one. I wouldn't
recommend this for serving public DNS records, but it seems like a good
fit for a private DNS/DHCP server on a LAN, and I plan to give it a try
one of these days. A combined DNS/DHCP server has the added advantage
that you aren't maintaining lists of IP addresses in two places.
Here's an article on using it:
http://www.enterprisenetworkingplanet.com/netos/article.php/3377351
-Tom
[1] http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html
[2] http://www.tinydns.org/
[3] http://thekelleys.org.uk/dnsmasq/doc.html
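An added example of the split-horizon setup with Dnsmasq, not code from the post above or from the Dnsmasq project: a POSIX shell script that writes a dnsmasq.conf giving LAN clients the box's internal address for its public domain names, and then models what a LAN lookup would be answered so the config can be checked before it is deployed. The interface name, the domains example.com and example.org, the DHCP pool and the 192.168.1.2 address are assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from dnsmasq itself.
# Builds a dnsmasq config that gives LAN clients the internal address of the
# box for its public domain names (split horizon), then checks what a LAN
# query would be answered. The interface, the domain list, the DHCP range
# and the 192.168.1.2 address are constructed for illustration.

LAN_IF=eth0
LAN_SERVER=192.168.1.2                  # assumed: the box hosting the public domains
LAN_DOMAINS="example.com example.org"   # assumed: its public domain names

# Print a dnsmasq.conf. Each address=/DOMAIN/IP line makes dnsmasq answer
# DOMAIN and every subdomain of it with IP instead of forwarding the query,
# which is the whole of the split-horizon trick for a LAN.
split_horizon_conf() {
    srv=$1; shift
    printf 'interface=%s\n' "$LAN_IF"
    printf 'bind-interfaces\n'            # listen only on the LAN side, never on the WAN
    printf 'domain-needed\n'              # never forward bare hostnames upstream
    printf 'bogus-priv\n'                 # never forward RFC 1918 reverse lookups upstream
    for d in "$@"; do
        printf 'address=/%s/%s\n' "$d" "$srv"
    done
    printf 'dhcp-range=192.168.1.100,192.168.1.200,12h\n'   # assumed DHCP pool
}

# Model the lookup a LAN client gets for NAME under config text CFG:
# the longest matching address= domain wins; with no match the query
# goes upstream and would return the public address. Prints the answer.
lan_answer() {
    cfg=$1
    qname=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    best=""; bestlen=0
    while IFS= read -r line; do
        case $line in address=/*/*) ;; *) continue ;; esac
        rest=${line#address=/}
        dom=${rest%%/*}
        ip=${rest#*/}
        case $qname in
            "$dom"|*".$dom")
                if [ "${#dom}" -gt "$bestlen" ]; then best=$ip; bestlen=${#dom}; fi ;;
        esac
    done <<EOF
$cfg
EOF
    if [ -n "$best" ]; then printf '%s\n' "$best"; else printf 'upstream\n'; fi
}

# Stand-alone run: generate the config and show two lookups.
# LAN_DOMAINS is deliberately unquoted so it splits into one argument per domain.
conf=$(split_horizon_conf "$LAN_SERVER" $LAN_DOMAINS)
printf '%s\n' "$conf"
lan_answer "$conf" www.example.com   # answered locally with 192.168.1.2
lan_answer "$conf" www.example.net   # not ours: forwarded upstream
```

Two caveats when running this for real. Dnsmasq takes its upstream servers from /etc/resolv.conf unless you pin them with server= and no-resolv, so make sure the box's own resolver does not loop back into dnsmasq. And address= answers every query type for those names itself rather than forwarding, so LAN hosts will not see the public MX or TXT records for the domains; if you need those, use host-record= for the specific hostnames instead.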