 From:  Vince Van De Coevering <vpv at figaros dot com>
 To:  'Chris Buechler' <cbuechler at gmail dot com>
 Cc:  "'m0n0wall at lists dot m0n0 dot ch'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] NATed services
 Date:  Tue, 1 Nov 2005 14:23:24 -0800
The solution is a piece of cake using views in BIND:

acl "local" {
        localhost;
        127.0.0.1;
        192.168.111.0/24;  // Define your private IP
        192.168.0.0/24;    // range here
};

acl "fake" {
        0.0.0.0/8;      // Null Address
        1.0.0.0/8;      // IANA reserved (popular fake)
        2.0.0.0/8;
        224.0.0.0/3;    // Multicast Address
        10.0.0.0/8;     // Non routable IP addresses
        172.16.0.0/12;  // commonly used in DOS attacks
};

options {
        // blackhole is only valid inside the (single) options block;
        // merge this line into your existing options statement
        blackhole { fake; };
};

// views are tried in order and the first match-clients hit wins,
// so "internal" has to come before the catch-all "external"
view "internal" {
        match-clients { local; };
        // place zone files for domains to resolve
        // to local IP addresses here
};

view "external" {
        match-clients { any; };
        recursion no;
        // place zone files for domains to resolve
        // to their public IP here
};


Vince Van De Coevering
IT Manager
Figaro's Italian Pizza, Inc.
503-371-9318 x216
vpv at figaros dot com

> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler at gmail dot com] 
> Sent: November 01, 2005 2:06 PM
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] NATed services
> 
> 
> On 10/30/05, Claudio Castro <ccastro at unr dot edu dot ar> wrote:
> > I was reading that due to ipfilter is not possible to access NATed
> > services by the public IP address from LAN, THAT'S VERY SERIOUS!...
> 
> no it's not.  that's a very common limitation of virtually every
> commercial firewall too.  not serious at all, it's trivial to work
> around.
> 
> -Chris
>
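
Added example, not part of the original message: the two views above with the zone placeholders filled in, so LAN clients get the server's private address and everyone else gets the public one. The domain example.com, the zone file paths and all addresses (192.168.111.x on the LAN, 203.0.113.x from the documentation range as the public side) are constructed for illustration.

```bind
// ---- named.conf (views only; "local" is the ACL from the message) ----
view "internal" {
        match-clients { local; };
        recursion yes;                  // LAN clients may resolve anything
        zone "example.com" {
                type master;
                file "internal/example.com.zone";
        };
};

view "external" {
        match-clients { any; };
        recursion no;                   // authoritative answers only
        zone "example.com" {
                type master;
                file "external/example.com.zone";
        };
};

; ---- internal/example.com.zone (served to the LAN) ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
            2005110101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-cache TTL
     IN NS  ns1.example.com.
ns1  IN A   192.168.111.2
www  IN A   192.168.111.10    ; the server's real LAN address

; ---- external/example.com.zone (served to everyone else) ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
            2005110101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            3600 )     ; negative-cache TTL
     IN NS  ns1.example.com.
ns1  IN A   203.0.113.2
www  IN A   203.0.113.10      ; public address the firewall NATs inbound
```

Once a zone is placed in a view, every zone in named.conf has to live inside some view. To check the result, query the server for www.example.com with dig from a LAN host and from an outside host and compare the A records returned.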