Re: [FW-1] Domain objects
First, I never used domain objects (see below), but I think it should be blah.da.ca.uu.net, not .blah.da.ca.uu.net

But as you can be sure which hosts are part of blah.da.ca.uu.net, you should never use a domain object.

What do you think can prevent me from setting the reverse mapping for one of the addresses my DNS is authoritative for, like this:

    1.2.3.4.in-addr.arpa. PTR .blah.da.ca.uu.net.

So when my 4.3.2.1 address attempts to pass through your firewall, it will be allowed, because your firewall will ask MY DNS for the fully qualified name of 4.3.2.1, MY DNS will return .blah.da.ca.uu.net, and your rule allows anything ending with blah.da.ca.uu.net.

Remember, you don't have any control over someone else's DNS, and any hacker having control of the DNS for his addresses can force the reverse mapping for those to anything he likes...

At 16:40 2001-10-11 -0700, Eric I. Davis wrote:
>I have defined a domain object to allow only computers from a
>certain domain to come through the firewall as such
>
>.blah.da.ca.uu.net
>
>The firewall seems to ignore the object. I have seen a lot of docs say
>that the domain objects don't work very well because of the way reverse
>DNS functions. Any comments or help would be appreciated.
>--
>Eric I. Davis
>NARAC
>Lawrence Livermore National Lab
>Tel
>Fax
>private email [email protected]
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>================================================================================

------------------------------------------------------------
Yves Belle-Isle V.P.    VE2YBI YB17
Email: [email protected]
Systems Manager
Tel:
Sogi Informatique Ltee.
Fax:
------------------------------------------------------------
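
The reverse-mapping problem described in this thread, as an added example that is not part of the original messages or of FireWall-1: a PTR-only suffix match next to a forward-confirmed one. It goes beyond the post by also resolving the returned name forward, which only the owner of the domain's zone can answer. The function names, the 192.0.2.10 host and the zone dictionaries are constructed for illustration.

```python
import socket

def system_ptr(ip):
    """Reverse lookup; answered by whoever runs the in-addr.arpa zone."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup; answered by whoever runs the domain's own zone."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def in_domain(name, domain):
    """Suffix match on a label boundary, ignoring case and stray dots."""
    name, domain = name.strip(".").lower(), domain.strip(".").lower()
    return name == domain or name.endswith("." + domain)

def ptr_only_match(ip, domain, ptr=system_ptr):
    """The behaviour discussed in the thread: trust the PTR answer alone."""
    name = ptr(ip)
    return bool(name) and in_domain(name, domain)

def forward_confirmed_match(ip, domain, ptr=system_ptr, forward=system_forward):
    """Accept only if the PTR name also resolves back to the same address."""
    name = ptr(ip)
    if not name or not in_domain(name, domain):
        return False
    return ip in forward(name.strip(".").lower())

# Constructed sample zones (not real DNS data).
PTR_ZONE = {
    "4.3.2.1": ".blah.da.ca.uu.net.",          # forged by the address owner
    "192.0.2.10": "host1.blah.da.ca.uu.net.",  # genuine host in the domain
}
FORWARD_ZONE = {"host1.blah.da.ca.uu.net": ["192.0.2.10"]}

def fake_ptr(ip):
    return PTR_ZONE.get(ip)

def fake_forward(name):
    return FORWARD_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in PTR_ZONE:
        print(ip, ptr_only_match(ip, ".blah.da.ca.uu.net", fake_ptr),
              forward_confirmed_match(ip, ".blah.da.ca.uu.net", fake_ptr, fake_forward))
```

Called without the `fake_*` arguments, the same functions use the system resolver.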