[c-nsp] DNS rewrite & global capabilities
Joe Maimon
jmaimon at ttec.com
Mon Jun 29 11:56:47 EDT 2009
Sam Stickland wrote:
> Roland Dobbins wrote:
>> But even more than that, putting your public-facing DNS (or any other
>> kind of server) behind a firewall is a very serious architectural
>> mistake; firewalls in front of public-facing servers provide no
>> security value whatsoever, and degrade the overall security posture
>> due to the issues denoted above.
> Roland,
>
> This seems to imply that the servers would need a second interface for
> management, with static routes over-riding the default? Is this your
> preferred approach?
>
> Sam
If you are using a Linux host, not only is it simple enough to use dot1q
subinterfaces for internal vs. external interfaces, it's also fairly
elegant to use policy routing.
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH03.web.html
And while you are at it, you should consider adopting the approach that
all service addresses are to be only service addresses, put it on a
loopback interface.
Here is a simple little init.d script that makes linux pbr convenient.
#!/bin/sh
# Portable sh: no bash-only "function" keyword or [[ ]] tests, so this
# also runs under dash when /bin/sh is not bash.
PATH=/sbin:/usr/sbin
# table needs to be defined in /etc/iproute2/rt_tables
table="special-exit"
# $1 is the ip(8) verb: "add" installs the table and rule, "del" removes them
policyroute()
{
if [ -n "$1" ]; then
# connected route first, so the default route's nexthop resolves in the table
ip route $1 192.168.0.0/28 table $table dev eth0
ip route $1 0.0.0.0/0 table $table via 192.168.0.14
# traffic sourced from the /28 consults the special table instead of main
ip rule $1 from 192.168.0.0/28 table $table
fi
}
case "$1" in
delete | stop)
policyroute del
;;
add | start)
policyroute add
;;
restart | reload)
policyroute del
policyroute add
;;
*)
echo "usage: $0 {start|stop|restart}" >&2
exit 1
;;
esac
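A fuller version of the same recipe (service address on lo, dot1q subinterface, dedicated table plus a source rule), added here as an example and not part of Joe's post; every address, the VLAN id, interface names and the table name are constructed placeholders:

```shell
#!/bin/sh
# Added example: a Linux host keeps its public service address on lo, reaches
# the public subnet over an 802.1q subinterface, and uses a dedicated routing
# table so replies from the service address always leave via the public
# gateway while management traffic keeps using the main table.
# All values below are constructed placeholders (not from the post).
SERVICE_IP="203.0.113.10"        # service address, held on lo
PARENT="eth0"                    # physical interface carrying the 802.1q trunk
VLAN_ID="100"                    # VLAN for the public-facing subnet
PUBLIC_NET="198.51.100.0/28"     # public subnet on the subinterface
PUBLIC_IF_IP="198.51.100.2"      # host's own address on that subnet
PUBLIC_GW="198.51.100.1"         # upstream router on that subnet
TABLE="public-exit"              # must be registered in /etc/iproute2/rt_tables

# Print the ip(8) commands for "add" or "del" instead of running them, so the
# plan can be reviewed without root; pipe the output through sh to apply it.
pbr_commands() {
    case "$1" in
        add)
            echo "ip link add link $PARENT name $PARENT.$VLAN_ID type vlan id $VLAN_ID"
            echo "ip link set $PARENT.$VLAN_ID up"
            echo "ip addr add $PUBLIC_IF_IP/28 dev $PARENT.$VLAN_ID"
            echo "ip addr add $SERVICE_IP/32 dev lo"
            # connected route first so the default's nexthop resolves in the table
            echo "ip route add $PUBLIC_NET dev $PARENT.$VLAN_ID table $TABLE"
            echo "ip route add default via $PUBLIC_GW table $TABLE"
            # anything sourced from the service address consults the special table
            echo "ip rule add from $SERVICE_IP/32 table $TABLE"
            ;;
        del)
            echo "ip rule del from $SERVICE_IP/32 table $TABLE"
            echo "ip route flush table $TABLE"
            echo "ip addr del $SERVICE_IP/32 dev lo"
            echo "ip link del $PARENT.$VLAN_ID"
            ;;
        *)
            echo "usage: $0 add|del" >&2
            return 1
            ;;
    esac
}

# ip(8) rejects a table name that is not listed in rt_tables; check before use.
table_registered() {
    grep -qE "^[0-9]+[[:space:]]+$1\$" /etc/iproute2/rt_tables 2>/dev/null
}

case "${1:-}" in
    add|del) table_registered "$TABLE" || echo "warning: $TABLE not in rt_tables" >&2
             pbr_commands "$1" ;;
esac
```

Run as `sh script.sh add | sh` once the table name has been added to rt_tables; `del` reverses the steps in the opposite order.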