[OT?] Firewall problems
Bill Tangren
bjt at aa.usno.navy.mil
Thu Dec 15 20:40:59 UTC 2005
Mike Klinke wrote:
> On Thursday 15 December 2005 10:15, Bill Tangren wrote:
>
>
>>Our firewall administer says he does the reverse lookups to
>>prevent/minimize spoofing.
>>
>>My question is, what is SOP for firewall reverse lookups?
>>
>
>
> I'd have to ask the purpose of the web site? If it's for the
> general public or you're bond legally to provide public access then
> reverse look-ups are a bit silly but if the web site is primarily
> for the DOD, and your DOD partners are expected to have reverse DNS
> set up properly, with only peripheral access by the public then
> reverse look-ups may not be a bad idea.
>
> Regards, Mike Klinke
>
Most of it is for the general public. Some is DoD only, but I have that
protected on the server itself. I don't rely on the firewall, seeing as I don't
control it, and I have little faith in his (the firewall administrator's)
knowledge and abilities (he initially told me he wasn't doing ANY DNS lookup,
until I proved otherwise).
The firewall admin feels that its the user's problem if they can't get access.
He won't change his policies. He told me so himself. Loudly.
Meanwhile someone, eventually, will go to their congressman and complain, and it
will by my a** in the sling.
I asked the question to find out if it is considered industry best practice to
do reverse DNS lookup on a firewall. If it is not, I might be able to use that
to bolster my argument that he stop doing so himself, at least on port 80 traffic.
**The irony here is that the reverse lookup for the firewall is screwed up, and
all of our email is bouncing from any server that does reverse dns lookup.
Poetic justice, I guess.**
Thanks for the response.
Bill
More information about the redhat-list
mailing list