At 10:09 04/07/01 +0200, Guy Pazi wrote:
>[snip]
>block zone transfers. But it also blocks the local resolver's ability to
>retrieve long DNS replies (over 512 bytes) from external NSs.

The argument behind blocking this is that there seems to be no real
justification for using such long records. So people assume they won't
need TCP (except for zone transfers), and if it fails, life just continues.


>Isn't it sufficient to block incoming TCP connections? This seems like
>a simple task in a firewall.

Remember that in the old days, filters were dumb and you then needed to
open too many ports for just a service.
With proxies and dynamic (stateful, fruitful ...) filters (or at least with
filters that are aware of TCP flags), things changed, but since nothing appeared
to justify changing the rules, the recommendations are still here.



cheers,
mouss

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
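The two points the thread turns on, as an added example that is not part of mouss's message or anything else in the thread: a UDP answer that comes back with the TC bit set (the resolver then has to repeat the query over TCP/53), and the difference between a port-only "dumb" filter and a connection-tracking one when deciding which inbound TCP/53 traffic to admit. Everything below is constructed sample data; the addresses, the 10.0.0. inside prefix and the function names are assumptions for illustration, not anything from the list.

```python
"""Added example: why a stateful (or at least TCP-flag-aware) filter can drop
inbound connections to tcp/53 without breaking the local resolver's TCP
fallback for answers that do not fit in a 512-byte UDP datagram.
All packets and DNS headers here are constructed for the example."""
import struct
from dataclasses import dataclass

QR_BIT = 0x8000   # RFC 1035 header flag: this message is a response
TC_BIT = 0x0200   # RFC 1035 header flag: TrunCation, answer did not fit in UDP


def dns_header(ident: int, flags: int, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Pack a 12-byte DNS header (RFC 1035 section 4.1.1)."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


def is_truncated(msg: bytes) -> bool:
    """True when a response carries TC=1: the server could not fit the whole
    answer into the UDP payload, so a resolver must retry over TCP/53."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & QR_BIT) and bool(flags & TC_BIT)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN without ACK = new connection attempt
    ack: bool = False


def dumb_filter(p: Packet, inside: str) -> str:
    """The 'old days' port-only rule. To let the resolver's TCP replies back
    in it must accept anything sourced from tcp/53, so an outsider who sends
    from port 53 can reach any inside port."""
    if p.dst.startswith(inside):
        return "accept" if p.sport == 53 else "drop"
    return "accept"  # outbound traffic is not restricted in this toy model


class StatefulFilter:
    """Connection-tracking rule: remember TCP connections opened from inside
    and admit only packets that belong to one. Any other inbound packet is
    dropped, including a SYN to tcp/53 (a zone-transfer attempt)."""

    def __init__(self, inside: str):
        self.inside = inside
        self.table = set()  # (src, sport, dst, dport) of inside-initiated flows

    def decide(self, p: Packet) -> str:
        key_out = (p.src, p.sport, p.dst, p.dport)
        key_in = (p.dst, p.dport, p.src, p.sport)  # same flow, reply direction
        if p.src.startswith(self.inside):
            if p.syn and not p.ack:
                self.table.add(key_out)
            return "accept" if key_out in self.table else "drop"
        if key_in in self.table and p.ack:
            return "accept"
        return "drop"


def scenario() -> dict:
    """Walk the exchange from the thread: truncated UDP answer, TCP retry,
    and an outside zone-transfer attempt, under both filters."""
    inside = "10.0.0."                         # assumed inside prefix
    resolver, ext_ns, attacker = "10.0.0.53", "198.51.100.7", "203.0.113.9"
    fw = StatefulFilter(inside)
    results = {}
    # 1. The UDP answer from the external NS arrives with TC=1.
    results["udp_truncated"] = is_truncated(dns_header(0x1234, QR_BIT | TC_BIT))
    # 2. Resolver retries over TCP: SYN out, SYN/ACK back in.
    results["tcp_retry_syn_out"] = fw.decide(Packet(resolver, 40001, ext_ns, 53, syn=True))
    results["tcp_retry_synack_in"] = fw.decide(Packet(ext_ns, 53, resolver, 40001, syn=True, ack=True))
    # 3. Outsider tries to open tcp/53 to the inside server (AXFR attempt).
    results["axfr_syn_in"] = fw.decide(Packet(attacker, 40002, resolver, 53, syn=True))
    # 4. Outsider sources from port 53 to reach an unrelated inside service.
    probe = Packet(attacker, 53, "10.0.0.22", 22, syn=True)
    results["dumb_allows_sport53"] = dumb_filter(probe, inside)
    results["stateful_drops_sport53"] = fw.decide(probe)
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name}: {verdict}")
```

The connection table is what makes "block incoming TCP/53" safe to state as a rule: the resolver's own TCP retry is admitted because the inside host opened it, while the outsider's SYN to tcp/53 and the sport-53 probe that a port-only filter would pass are both dropped. Filters that only inspect TCP flags (accept inbound only with ACK set) get most of the same effect without keeping state.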
