On 5/20/07, Hal Vaughan <hal at thresholddigital dot com> wrote:
> I am considering specifying static addresses for the firewall/gateway
> and DNS only. Then when I have to use a tunnel from outside, have it
> go to the DNS computer which would forward it. I might do that with
> the workstation instead. I like the idea of only one system,
> preferably one without important data, being reachable from the outside
> and then being used as a relay. I don't know if that makes much of a
> difference, though.
Depends on how you would implement said relay. If it's something like
SSH tunneling where you have to authenticate to get to anything else,
that's definitely better. If it would be some sort of unauthenticated
relay, that's no better (and really adds unnecessary complexity and a
single point of failure).
> > > And since you're suggesting this, does that mean m0n0wall can't use
> > > host names?
> > That's correct.
> Any particular reason for that? (Just curious.)
It's difficult, for performance reasons and due to the underlying
software, to use DNS for any sort of NAT or firewall rules and have it
work effectively. The difficult part is obeying DNS TTLs and updating
the ruleset accordingly, or being able to process a ruleset without
querying DNS on every single packet which would drastically slow down