, <port-i386@netbsd.org>
From: James Webster <james3838@tsi-net.com>
List: port-i386
Date: 05/07/2000 11:13:44
If you want a true secure firewall then you shouldn't run ANY services on
it. If any service is compromised, that is the one box that can see network
traffic on both networks.
Either put DNS outside the firewall (internal can get to it by default), or
inside the firewall with a rdr rule (more risky, since it can result in a
machine vulnerable inside your firewall).
----- Original Message -----
From: "Stan Pietkiewicz" <stanp@storm.ca>
To: <port-i386@netbsd.org>
Sent: Saturday, May 06, 2000 6:44 PM
Subject: Progress!!
> After 3 or 4 re-installs and an evening of make'ing the TIS firewall
> toolkit, I managed to get my 486-66 firewall up and running....
>
> I used a generic kernel, with IP forwarding turned off. The firewall can
> see inside and outside, but the only thing that goes through the
> firewall (for now) is http traffic. That'll change after I RTFM the TIS
> documentation, and continue configuring the permissions....
>
> Now I'm considering a DNS (slave) server on the firewall machine to pass
> DNS requests on to my provider.... Any thoughts??
>
> Stan
>
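For readers wondering what the "rdr rule" option in the reply above looks like in practice, here is an added example, not from either poster, written for NetBSD's IPFilter/ipnat (which is a different tool from the TIS proxy toolkit Stan is running). The interface names ex0 (outside) and ne1 (inside), the inside DNS host 192.168.1.2 and the provider's name server 10.0.0.53 are all assumed values. It shows the wide-open redirect beside a version that only admits the provider's server:

```conf
# --- /etc/ipnat.conf (assumed interface names and addresses) ---
# Weak form: anything on the Internet that hits port 53 on ex0 is handed to
# the inside box, which is exactly the exposure the reply warns about.
rdr ex0 0.0.0.0/0 port 53 -> 192.168.1.2 port 53 tcp/udp

# --- /etc/ipf.conf ---
# Inbound packets are translated by ipnat before ipf sees them, so the
# filter rules match on the inside address 192.168.1.2, not on ex0's address.
block in log all
block out log all

# Hardened form: only the provider's name server (assumed 10.0.0.53) may use
# the redirect, e.g. for NOTIFY/zone transfers to the slave.
pass in quick on ex0 proto udp from 10.0.0.53 to 192.168.1.2 port = 53 keep state
pass in quick on ex0 proto tcp from 10.0.0.53 to 192.168.1.2 port = 53 flags S keep state

# The inside DNS host may query the provider; replies come back via state.
pass out quick on ex0 proto udp from 192.168.1.2 to 10.0.0.53 port = 53 keep state
pass out quick on ex0 proto tcp from 192.168.1.2 to 10.0.0.53 port = 53 flags S keep state

# Inside clients may reach the inside DNS host directly; no rdr is involved.
pass in quick on ne1 proto udp from 192.168.1.0/24 to 192.168.1.2 port = 53 keep state
```

Two caveats a practitioner would check before copying this. First, rdr only matters for connections initiated from outside (a master pushing NOTIFY or a zone transfer to the slave); an inside resolver that merely forwards queries to the provider needs only the outbound keep-state rules. Second, ipnat redirection to another host requires the firewall to route packets, i.e. net.inet.ip.forwarding=1, which is the opposite of the forwarding-off, proxy-only setup Stan describes, so the rdr approach and the TIS proxy design do not combine without reopening that decision.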