On Fri, July 25, 2008 05:48, Manuel Kasper wrote:
> On 25.07.2008, at 01:48, Chris Buechler wrote:
>> I believe ipfilter will randomize source ports by default on NATed
>> traffic just like pf does, but I'm not sure of that.
> It doesn't, yet, so running a DNS server behind m0n0wall while using
> PAT (not just 1:1 NAT) will undo the DNS server's query port
> randomization. ipfilter 4.1.30 apparently does source port
> randomization (from the change log: "2020447 IPFilter's NAT can undo
> name server random port selection") - I'll wait for it to appear in
> FreeBSD's CVS repository, and if it doesn't happen within a couple of
> days, I'll go through the trouble of importing 4.1.30 myself.
> But this is an entirely different beast than Dnsmasq's own
> randomization (which works fine in 1.3b13) - only people who run their
> own recursive DNS server behind m0n0wall are affected.
> - Manuel
Great - thanks for the update.
Will both the Dnsmasq and the ipfilter fixes be backported to the 1.2.x series?
(The site says not to use 1.3beta in production, hence the question.)
Now the only other question that remains: would it be worthwhile to set
internal DNS servers to use m0n0wall's Dnsmasq as a forwarder to get
around this temporarily?
I guess that might save a lot of sysadmins' work re-jigging a network with
DHCP scopes for clients etc., or even having to "trust" third-party DNS.
I'm not perfect, but I am forgiven.
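The effect Manuel describes above (a port-translating firewall replacing the resolver's random source ports with its own, typically predictable, allocation) is easy to see in a model. The following is an added example, not m0n0wall, ipfilter or Dnsmasq code; the three NAT classes are assumed, simplified allocator behaviours (1:1 NAT that leaves the port alone, a PAT that hands out ports sequentially, and a PAT that picks them at random), not the real ipfilter algorithm, and the resolver port list is constructed input.

```python
"""Added example (not m0n0wall or ipfilter code): a model of how a PAT
firewall can undo a recursive DNS server's query-port randomization.
The three NAT classes are simplified assumptions about allocator
behaviour, not the real ipfilter algorithm."""
import random


class OneToOneNat:
    """1:1 NAT rewrites only the address; the source port passes through
    unchanged, so the resolver's randomization survives."""
    def translate(self, src_port):
        return src_port


class SequentialPat:
    """PAT that allocates external ports in increasing order, ignoring the
    internal source port (assumed model of a non-randomizing allocator)."""
    def __init__(self, first_port=1024, last_port=65535):
        self.next_port = first_port
        self.last_port = last_port

    def translate(self, src_port):
        if self.next_port > self.last_port:
            raise RuntimeError("port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port


class RandomPat:
    """PAT that picks an unused external port uniformly at random, the
    behaviour the thread expects from a fixed NAT (assumed model)."""
    def __init__(self, rng, first_port=1024, last_port=65535):
        self.rng = rng
        self.free = list(range(first_port, last_port + 1))

    def translate(self, src_port):
        idx = self.rng.randrange(len(self.free))
        self.free[idx], self.free[-1] = self.free[-1], self.free[idx]
        return self.free.pop()


def resolver_ports(n, rng):
    """Constructed input: n distinct random source ports, as a randomizing
    recursive resolver would emit them for n outbound queries."""
    return rng.sample(range(1024, 65536), n)


def through_nat(nat, ports):
    """External ports the authoritative server (and an off-path attacker)
    actually sees; one NAT mapping per query."""
    return [nat.translate(p) for p in ports]


def guess_success_rate(ports):
    """Fraction of queries whose port an attacker predicts correctly from the
    previous query by guessing previous+1: 1.0 means the randomization is
    gone, near 0 means it is intact."""
    hits = sum(1 for a, b in zip(ports, ports[1:]) if b == a + 1)
    return hits / (len(ports) - 1)


def compare(n=200, seed=7):
    """Run the same randomized query stream through each NAT model."""
    rng = random.Random(seed)
    internal = resolver_ports(n, rng)
    return {
        "1:1 NAT": guess_success_rate(through_nat(OneToOneNat(), internal)),
        "sequential PAT": guess_success_rate(
            through_nat(SequentialPat(), internal)),
        "random PAT": guess_success_rate(
            through_nat(RandomPat(random.Random(seed)), internal)),
    }


if __name__ == "__main__":
    for name, rate in compare().items():
        print(f"{name:15s} attacker guesses next port {rate:.0%} of the time")
```

The sequential model reproduces the thread's point: the resolver's ports are perfectly random on the inside, yet the port the outside world sees is guessable every time, which is what lets a cache-poisoning attacker skip the port-guessing step. A forwarder-only Dnsmasq is not affected because its own queries leave with the firewall's randomized ports, as Manuel notes. To check a real deployment rather than a model, query a port-randomness test service (DNS-OARC's porttest.dns-oarc.net TXT record is the well-known one) from a client that uses the internal resolver; it reports the ports it observed on the far side of the NAT, which is the only side that matters.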