On 07/15/2010 09:19 PM, Chris Buechler wrote:
> This is a good change, though has some ramifications for how a lot of
> people use m0n0wall, it'll break a number of systems on upgrade. It
> stops responses (with private IPs) from the typical domain forwarding
> configuration, where for example you may use it for Active Directory
> or other internal name resolution. An option to disable it helps, but
> dnsmasq allows more flexible configuration options, such as excluding
> specific domains, which would be a nice option to have so you don't
> have to disable that protection entirely in such scenarios. pfSense
> automatically adds forwarded domains to the exclusion list since in
> the vast majority of cases those are going to return private IPs,
> might be a good idea to do that as it should eliminate virtually all
> breakage on upgrade while retaining the security benefits.
>
> At a minimum, I would definitely give a heads up in the release notes
> as to the effects of that change, so people know to disable it if
> it'll break their system.

If I am reading it correctly, it would break almost all of mine.
Lee
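
An added illustration of the exclusion-list approach described in the quoted message (not code from m0n0wall, pfSense or dnsmasq): the Python below derives dnsmasq `rebind-domain-ok` entries from `server=/domain/ip` forwarding lines and models, in simplified form, how private-address answers are filtered. The sample configuration, domain names and function names are constructed for this example.

```python
import ipaddress

# Constructed sample: dnsmasq-style forwarding entries (not taken from the thread).
SAMPLE_CONF = """\
# forward internal zones to internal DNS servers
server=/corp.example/10.1.1.10
server=/lab.example/192.168.5.2
server=8.8.8.8
"""

def forwarded_domains(conf):
    """Return the domains named in server=/domain/.../ip lines."""
    domains = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line.startswith("server=/"):
            continue                           # plain upstream server, no domain
        parts = line[len("server=/"):].split("/")
        # every field except the last is a domain; the last is the upstream address
        domains.extend(d.lower() for d in parts[:-1] if d)
    return domains

def rebind_exclusions(conf):
    """Emit one rebind-domain-ok line per forwarded domain."""
    return ["rebind-domain-ok=/%s/" % d for d in forwarded_domains(conf)]

def answer_allowed(qname, answer_ip, excluded):
    """Simplified model of the filter: an answer in a private range is dropped
    unless the queried name falls under an excluded domain."""
    name = qname.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in excluded):
        return True
    return not ipaddress.ip_address(answer_ip).is_private

if __name__ == "__main__":
    excluded = forwarded_domains(SAMPLE_CONF)
    print("\n".join(rebind_exclusions(SAMPLE_CONF)))
    for qname, ip in [("dc1.corp.example", "10.1.1.10"),
                      ("www.example.org", "192.168.1.1")]:
        print(qname, ip, "no exclusions:", answer_allowed(qname, ip, []),
              "with exclusions:", answer_allowed(qname, ip, excluded))
```

With no exclusions the internal Active Directory style lookup is dropped, which is the upgrade breakage discussed above; with the forwarded domains excluded it resolves, while a private address returned for any other name is still rejected.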