Re: [OT?] Firewall problems

Bill Tangren <bjt@xxxxxxxxxxxxxxxx> · Thu, 15 Dec 2005 15:40:59 -0500

Mike Klinke wrote:

On Thursday 15 December 2005 10:15, Bill Tangren wrote:

Our firewall administer says he does the reverse lookups to
prevent/minimize spoofing.
My question is, what is SOP for firewall reverse lookups?

I'd have to ask the purpose of the web site?  If it's for the 
general public or you're bond legally to provide public access then 
reverse look-ups are a bit silly but if the web site is primarily 
for the DOD, and your DOD partners are expected to have reverse DNS 
set up properly, with only peripheral access by the public then 
reverse look-ups may not be a bad idea.
Regards, Mike Klinke

Most of it is for the general public. Some is DoD only, but I have that 
protected on the server itself. I don't rely on the firewall, seeing as I don't 
control it, and I have little faith in his (the firewall administrator's) 
knowledge and abilities (he initially told me he wasn't doing ANY DNS lookup, 
until I proved otherwise).
The firewall admin feels that its the user's problem if they can't get access. 
He won't change his policies. He told me so himself. Loudly.
Meanwhile someone, eventually, will go to their congressman and complain, and it 
will by my a** in the sling.
I asked the question to find out if it is considered industry best practice to 
do reverse DNS lookup on a firewall. If it is not, I might be able to use that 
to bolster my argument that he stop doing so himself, at least on port 80 traffic.
**The irony here is that the reverse lookup for the firewall is screwed up, and 
all of our email is bouncing from any server that does reverse dns lookup. 
Poetic justice, I guess.**
Thanks for the response.
Bill
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

Re: [OT?] Firewall problems

Relevant Pages