On Fri, 2007-03-23 at 21:49 +0100, Matt Miller wrote:
> I'm configuring a three-homed firewall, and I'm reading the official tutorial. From that tutorial it seems that the recommendation is to offer intra-net clients DNS and NTP from the firewall itself. Installing all these services on the firewall seems to go against the conventional wisdom that internet-connected machines should offer as few services as possible. So, I'm wondering what the reasoning is here.
> I've tried using PlugProxy for DNS and NTP, and that does work. I feel more comfortable proxying this traffic instead of running the services on the firewall, but it seems that the proxied DNS is causing a considerable slow-down for web surfing from my intra-net.
Both solutions are working well. But let's think about security policy a bit. If you are using PlugProxy instead of Bind, that means that between the client and target zones all protocols which use UDP can get through. So you have to make a trade-off between trusting a chrooted and restricted (running without capabilities) Bind and the plug. Slow-down DNS: in my opinion it must be a misconfiguration.
> Is it to be expected that PlugProxy for DNS is a performance problem? If so, is this a problem with proxied UDP in general?
It depends on the amount of UDP traffic.
> Is this performance problem the main reason that the tutorial recommends running DNS and NTP on the firewall?
No, we recommend using ntp and bind on a firewall because of the previously described reason.

Regards,
Péter HÖLTZL

--
BalaBit IT Bizt. Kft    | Tel: +36 1 371-0540
holtzl.peter@balabit.hu | Mobil: +36 20 366-9667
http://www.balabit.hu/  | Fax: +36 1 208-0875
GnuPG Fingerprint: 2831 E951 B9EE 63BB F0F4 2F4A 1EA4 4B12 7638 29C0
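The trade-off in the reply above is that a plug passes any UDP payload between the zones, while a protocol-aware path (Bind, or a DNS-specific proxy) only handles traffic that is actually DNS. The following is an added example, not Zorp or BalaBit code: a minimal DNS query validator of the kind a protocol-aware hop applies, run against a constructed well-formed query and a constructed non-DNS blob sent to the same UDP port. The function names and sample packets are assumptions for illustration.

```python
"""Constructed example: what a protocol-aware DNS check sees that a UDP plug does not."""
import struct


def parse_dns_query(payload: bytes):
    """Return the parsed question of a well-formed DNS query, or None if not DNS."""
    if len(payload) < 12:                      # header is always 12 bytes
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                         # QR bit set: a response, not a query
        return None
    opcode = (flags >> 11) & 0xF
    if opcode != 0 or qd != 1 or an != 0 or ns != 0:
        return None                            # standard query with exactly one question
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None                        # name runs off the end of the datagram
        ln = payload[off]
        off += 1
        if ln == 0:
            break
        # labels are at most 63 bytes; a question name never uses compression pointers
        if ln & 0xC0 or off + ln > len(payload) or len(labels) > 127:
            return None
        try:
            labels.append(payload[off:off + ln].decode("ascii"))
        except UnicodeDecodeError:
            return None
        off += ln
    if off + 4 > len(payload):
        return None                            # QTYPE and QCLASS must follow the name
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txid, "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive query (RD=1) for name; used to make sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed samples: a real lookup and an arbitrary payload tunnelled over UDP/53.
GOOD_QUERY = build_query("www.example.com")
NOT_DNS = b"GET / HTTP/1.0\r\n\r\n"
```

A plug forwards both samples unchanged; the validator accepts only the first, which is the extra assurance the reply weighs against the cost of running Bind on the firewall.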