On Fri, July 25, 2008 05:48, Manuel Kasper wrote:
> On 25.07.2008, at 01:48, Chris Buechler wrote:
>
>> I believe ipfilter will randomize source ports by default on NATed
>> traffic just like pf does, but I'm not sure of that.
>
> It doesn't, yet, so running a DNS server behind m0n0wall while using
> PAT (not just 1:1 NAT) will undo the DNS server's query port
> randomization. ipfilter 4.1.30 apparently does source port
> randomization (from the change log: "2020447 IPFilter's NAT can undo
> name server random port selection") - I'll wait for it to appear in
> FreeBSD's CVS repository, and if it doesn't happen within a couple of
> days, I'll go through the trouble of importing 4.1.30 myself.
>
> But this is an entirely different beast than Dnsmasq's own
> randomization (which works fine in 1.3b13) - only people who run their
> own recursive DNS server behind m0n0wall are affected.
>
> - Manuel
>

Great - thanks for the update. Will both the DnsMasq and the ipfilter fixes be ported back to the 1.2.x series? (The site says not to use 1.3beta for production - hence the question.)

Now the only other question remains - would it be worthwhile to set internal DNS servers to use m0n0wall's Dnsmasq as a forwarder to get around this temporarily? I guess that might save a lot of sysadmins' work re-jigging a network with DHCP scopes for clients etc. - or even having to "trust" 3rd party DNS servers.

AM

--
I'm not perfect, but I am forgiven.
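To make the effect Manuel describes concrete, here is an added Python example (not from this thread, nor code from m0n0wall, ipfilter or Dnsmasq) that models a resolver picking random query ports, a PAT device that overwrites them with consecutive outside ports, and a check an administrator could run over the UDP/53 source ports captured on the WAN side to see whether the NAT is undoing the randomization. The port range, sample size and thresholds are assumptions chosen for illustration.

```python
import random
from typing import List, Sequence


def resolver_ports(n: int, rng: random.Random) -> List[int]:
    """Inside view: a randomizing resolver picks an ephemeral port per query
    (range is an assumption, not any particular resolver's policy)."""
    return [rng.randrange(1024, 65536) for _ in range(n)]


def pat_sequential(inside_ports: Sequence[int], start: int = 10000) -> List[int]:
    """Model of a PAT box that ignores the inside source port and hands out
    consecutive outside ports, which is what undoes query port randomization."""
    return [start + i for i in range(len(inside_ports))]


def pat_randomizing(inside_ports: Sequence[int], rng: random.Random) -> List[int]:
    """Model of a PAT box that itself picks a random outside port per mapping."""
    return [rng.randrange(1024, 65536) for _ in inside_ports]


def distinct_ratio(ports: Sequence[int]) -> float:
    """Share of unique ports. Note: a sequential NAT scores 1.0 here too, so
    this alone cannot detect the problem."""
    return len(set(ports)) / len(ports)


def consecutive_ratio(ports: Sequence[int]) -> float:
    """Share of adjacent observations that differ by exactly +1; high values
    mean ports are being handed out sequentially rather than randomly."""
    pairs = list(zip(ports, ports[1:]))
    return sum(1 for a, b in pairs if b - a == 1) / len(pairs)


def looks_randomized(ports: Sequence[int]) -> bool:
    """Heuristic for a captured sequence of outside source ports: enough
    distinct values AND no run of consecutive assignments. Thresholds assumed."""
    if len(ports) < 2:
        return False
    return distinct_ratio(ports) >= 0.9 and consecutive_ratio(ports) <= 0.2


def check_report(n: int = 200, seed: int = 7):
    """Constructed sample run: returns (inside_ok, sequential_pat_ok, random_pat_ok)."""
    rng = random.Random(seed)
    inside = resolver_ports(n, rng)
    return (
        looks_randomized(inside),
        looks_randomized(pat_sequential(inside)),
        looks_randomized(pat_randomizing(inside, random.Random(seed + 1))),
    )


if __name__ == "__main__":
    print(check_report())  # expected: (True, False, True)
```

On a real network the list of ports would come from a capture on the outside interface (e.g. source ports of outbound UDP/53 packets); the sequential-PAT case is the one this thread says pre-4.1.30 ipfilter produces.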