Re: [FW-1] Domain objects



First, I have never used domain objects (see below), but I think it should
be blah.da.ca.uu.net, not .blah.da.ca.uu.net

But as you can be sure which hosts are part of blah.da.ca.uu.net, you should
never use a domain object. What do you think can stop me from setting
the reverse mapping for one of the addresses my DNS is authoritative for
like this:

1.2.3.4.in-addr.arpa. PTR .blah.da.ca.uu.net.

So when my 4.3.2.1 address attempts to pass through your firewall, that will
be allowed, because your firewall will ask MY DNS for the fully qualified name
of 4.3.2.1, MY DNS will return .blah.da.ca.uu.net, and your rule
allows anything ending with blah.da.ca.uu.net.

Remember, you don't have any control over someone else's DNS, and any hacker
having control of the DNS for his addresses can force the reverse mapping
for those to anything he likes...

At 16:40 2001-10-11 -0700, Eric I. Davis wrote:
>I have defined a domain object to allow only computers from a
>certain domain to come through the firewall, as such
>
>.blah.da.ca.uu.net
>
>The firewall seems to ignore the object. I have seen a lot of docs say
>that the domain objects don't work very well because of the way reverse
>DNS functions. Any comments or help would be appreciated.
>--
>Eric I. Davis
>NARAC
>Lawrence Livermore National Lab
>Tel
>Fax
>private email [email protected]
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
>
>

------------------------------------------------------------
Yves Belle-Isle V.P. VE2YBI YB17        Email: [email protected]
Systems Manager                         Tel:
Sogi Informatique Ltee.                 Fax:
------------------------------------------------------------




 
   All contents © 2004 Network Presence, LLC. All rights reserved.