
Re: BIND and iptables config



On Fri, Feb 16, 2018 at 04:26:14AM +0100, Rodary Jacques wrote:
> Le jeudi 15 février 2018, 11:44:36 CET Henning Follmann a écrit :
> > On Thu, Feb 15, 2018 at 05:01:52PM +0100, Rodary Jacques wrote:
> > > With NetworkManager, /etc/network/interfaces has only the loopback interface, and I can't use wicd which can't deal with two wired interfaces. And, Henning Follmann, my English is too poor to explain clearly my setup which is the standard one when your ISP gives you one routable address and you want your home LAN to have access to internet.
> > > 	Thanks for your interest anyway.
> > > 		Jacques
> > > 
> > 
> > Hello,
> > No, your English was good enough to describe your setup. And I would say
> > that 90% of "us" have a form of "dialup" with one routable ip address and a
> > NAT setup.
> > First, bind is not "standard" in this kind of situation and makes things
> > overly complicated. I would recommend dnsmasq instead. It is much more
> > straightforward for a NAT box to setup. It will also provide you with a
> > dhcp server.
> > And in your situation you also want to disable/avoid the NetworkManager. 
> I told you before that wicd can't deal with two wired interfaces.

That is not true, but let's ignore this for now.

> > It is quite easy because every device you list in /e/n/i 
> I don't know ( with my poor English :-)) what is /e/n/i

Again, your English is fine; it's me being lazy.
/e/n/i is short for /etc/network/interfaces
This is the "old" way to configure your network interfaces.
 
> > will be
> > automatically ignored by the NetworkManager.
> > And clearly because you have difficulties in setting this up doesn't make
> > all of this a bug.
> I don't find it normal to try to use interfaces before they are up! It's obviously not a bug, but it's just telling users they shouldn't try to understand. When I first tried Debian in April 2016, with Jessie, I read in the bind9 doc something like "there are some issues about changing bind9 configuration, as future upgrade will lose your changes", without any more details.

Again, everything is behaving as expected. It is how you do things. And to
repeat myself, bind is not best in this situation. But if you insist on
using bind make sure it listens on your inside network interface, which
should be up without delay. You do not want ( and most likely neither does
your ISP) a full recursive resolver on your public interface.

Your insisting on sticking to this setup because you already invested too much
time in it is kind of stubborn (and I thought that was a German trait). You
either have to invest a lot more time to understand this or you could
switch to something more suited like dnsmasq. 

> > Also I want to mention to setup a router with Red Hat or with debian is
> > possible but there are distributions which are much more suited for this purpose. 
> I switched to Debian not to find it easier (Redhat wasn't) but because of safety and coherence.
> But NetworkManager, which was on Fedora long before it was on Debian, did not do the stupid things it does with resolv.conf and interfaces.

You most likely have resolvconf installed which updates /etc/resolv.conf.
Anything you change in there will be overwritten whenever something happens
on any network device.

> > I personally like pfsense and opnsense. Both are based on BSD but
> > they are excellent for SOHO routing. 
> Thanks to Wikipedia, I understood SOHO :-D

And have you looked up OPNSense or pfsense?


-H



-- 
Henning Follmann           | hfollmann@itcfollmann.com
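To make the point above concrete (bind listening only on the inside interface, no recursive resolver exposed on the public side), here is an added named.conf.options fragment; it is an example and not configuration from this thread or from either poster. It assumes the inside (LAN) interface has the address 192.168.1.1 and the LAN is 192.168.1.0/24; both are placeholder values.

```conf
// /etc/bind/named.conf.options -- added example, not from the thread.
// Placeholder values: inside interface 192.168.1.1, LAN 192.168.1.0/24.

acl "lan" {
    127.0.0.0/8;
    192.168.1.0/24;
};

options {
    directory "/var/cache/bind";

    // Weak setting: listening on every interface also exposes the
    // resolver on the public (ISP-facing) interface.
    // listen-on { any; };

    // Corrected: bind only to loopback and the inside interface, which
    // is configured statically and is up without delay.
    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { ::1; };

    // Recursion only for hosts on the LAN; nothing else can use this
    // box as an open resolver even if a packet reaches it.
    recursion yes;
    allow-recursion { lan; };
    allow-query { lan; };
    allow-transfer { none; };
};
```

After reloading, `rndc status` and `ss -lunp | grep named` should show named bound only to 127.0.0.1 and the inside address, not to the public one.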

