I've said it before, and I'll say it again: people around here are just
great. Many thanks for all the replies to my query (it's quoted at the end
of this message for those who missed it).
I had several requests for summaries, so here goes - apologies if I've
mis-interpreted and therefore mis-quoted anyone, but I think I've got it
just about right :-
Problem 1: 2-legged firewall; how to manage DNS
3 very similar suggestions from :
David Perlin <david @
Brian J Murrell <brian @
Mike Murphy <mrm @
These gentlemen suggested that I run a cut-down DNS on the firewall for
public queries; that I establish another DNS on a machine on the private
side for internal queries; the firewall resolver (as well as all the
internal hosts) points to the private DNS; the private DNS forwards queries
it can't answer back to the firewall.
This seems a perfect solution; thanks all.
Problem 2 : How to make sendmail masquerade as 2 completely different hosts
on 2 different ports.
>From Tim Roper <timr @
Instead of running sendmail in daemon (-bd) mode, run it behind inetd
tcp-wrappers with the 'twist' option in one-shot mode (-bs). This will allow
me to run a different command depending on the origin of the connection.
I like this solution - I actually use fwtk, so it will be netacl rather than
tcp-wrappers, but to the same effect - but I'm worried about the effect this
might have on performance - sendmail would load afresh for every incoming
connection - would this be a problem?
If anyone has an opinion on this, I'd like to hear it.
Thanks again to all who replied.
Original message follows :-
>I have a multi-homed host (Linux 1.1.74) acting as firewall between our
>Internet connection (Ethernet), the private LAN (also Ethernet) and a slip
>connection to a non-trusted domain. The Internet connection is behind a
>filtering router (Cisco).
>The firewall has a different IP address on each of the 3 interfaces .
>It also has 2 hostnames - well, actually 3 at the momment, migrating to 2
>when we get our own domain registered - currently we're piggybacking on a
>neighbour. These look like this :-
>193.x.x.x - internet - aaaa.bbbb.co.uk (to be gate.aaaa.co.uk)
>192.168.x.x - private LAN - gate.aaaa.co.uk
>44.x.x.x - SLIP - xxx.ampr.org
>I have various pieces of fwtk running,as well as CERN 3.0 httpd for proxy
>www access from the private LAN. I'm comfortable that I can configure these
>to suit my needs.
>The firewall host is to be primary nameserver for the new aaaa.co.uk domain.
>The domain will include one only registered IP address (from the neighbour's
>Class C), and many 192.168's.
>My problems are these :-
>Problem 1. When the new domain aaaa.co.uk gets registered (any day now), my
>firewall will have one hostname for the two ethernet IPs - 193.x.x.x and
>192.168.x.x. When queried from outside, the named will provide both
>addresses; only one is reachable; the other is highly dangerous. The
>internal hosts will never get queried (hopefully) so no problem.
>How can I avoid this situation?
>I see 2 solutions : 1. Call the private LAN something else and run separate
>zones in BIND (administratively a nightmare); 2. Register a class C for the
>lot, get the filtering and routing changed with the service provider, change
>the IPs on all the private hosts, all for only one internet-accessible host.
>What a waste of number-space.
>I don't like either of these - is there a trick I can do with BIND to sort
>Problem 2. This relates to sendmail (8.6.9). All 3 interfaces on my firewall
>host need to accept sendmail connections. I need to have sendmail masquerade
>with the 2 hostnames, depending on which port the connection comes in from.
>I'm not too concerned about the private LAN with this one, but the internet
>and the ampr.org interfaces must be different.
>Is there a firewall/sendmail guru out there who can advise me on this? I
>really need the two sides to behave as though they are 2 completely separate
>hosts - in the banner, the 'Received' headers, bouncing mail headers etc
>etc. I know a bit about sendmail.cf and can have it do rewrites and normal
>masquerades, but hhow can I have it answer and behave differently on the 2
>Thanks for any help - direct email probably best, I'll summarise if
Peter Bowyer - InSite Computer Technology Ltd
Tel: +44 635 861700 Fax: +44 635 861600