One of the primary reasons this is not recommended is performance. Domain
entries must be resolved by the inspection module via reverse DNS which can
be expensive when it comes to performance.
There is a slight delay while the inspection module resolves the IP via
reverse DNS the first time a rule with a domain object is applied to a
specific IP address. Once the IP is resolved, it is stored in a local
cache. So, the delay is only occurring once per IP address per rule. If
you must use Domain objects, it is recommended that they be placed as far
down in the rulebase as possible for performance optimization.
Dave Black
Senior Software Engineer
extendedcare.com
(847) 790-8629
[EMAIL PROTECTED]
Home Page: http://www.daveblack.net
> -----Original Message-----
> From: Scheidel, Greg [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 23, 2000 6:44 AM
> To: 'John Stevenson'; 'Little, Craig'; 'Rick Francis';
> [EMAIL PROTECTED]
> Subject: RE: [FW1] domain rule!?
>
>
>
> CheckPoint recommends that domain objects not be used (at least in v4.0, I
> can't speak to other versions). I do not have specifics on exactly why, but
> to quote them directly:
>
> "It is recommended to not use "domain" objects for now. There
> are some known problems that arise when domain objects are used in
> rules. Instead you can use the URI file to define the sites."
>
> Somewhat vague, but there it is.
>
> Greg S.
>
> -----Original Message-----
> From: John Stevenson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 22, 2000 8:15 AM
> To: 'Little, Craig'; 'Rick Francis';
> [EMAIL PROTECTED]
> Subject: RE: [FW1] domain rule!?
>
>
> AWESOME! Thanks!
> john.
>
> -----Original Message-----
> From: Little, Craig [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 22, 2000 5:16 AM
> To: Little, Craig; 'Rick Francis';
> [EMAIL PROTECTED]
> Subject: RE: [FW1] domain rule!?
>
>
>
> Well,
>
> I couldn't help myself. I wrote a simple domain rule, and it worked...
>
> --------------------------------------
> Src | Dst | Svc | Action | etc.
> --------------------------------------
> Any | .yahoo.com | any | drop
> --------------------------------------
>
> Isn't life going to get easier now !!
>
> Craig/
>
> -----Original Message-----
> From: Little, Craig
> Sent: Thursday, June 22, 2000 5:24 PM
> To: 'Rick Francis'; [EMAIL PROTECTED]
> Subject: RE: [FW1] domain rule!?
>
>
>
> I've never used a domain in a rule, but it appears you can do it. If you try
> it, can you keep us posted as to how it goes.
>
> Create a Network object, type domain and give it a name. e.g. ".fred.com".
> Note the use of the leading (.). Then add a rule to your rule base, and use
> it in your destination.
>
> This would make the creation and maintenance of Hotlists a piece of cake.
> You could simply ban the .hacker.net network if they give you any bovver. I
> struggled for months when a nasty chap kept using different IP addresses,
> from the same ISP, in his attempts to use our mail relay for his spamming
> activities.
>
> Craig/
>
> -----Original Message-----
> From: Rick Francis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 22, 2000 4:04 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] domain rule!?
>
>
> application=fw-1 v4.0
> os=solaris 2.6
> model=ultra
>
> what needs to be done to allow user access to a domain; a domain that has
> multiple servers and keeps changing the addresses (e.g., yahoo.com)?
>
> rf
>
>
> ==============================================================
> ==============
> ====
> To unsubscribe from this mailing list, please see the
> instructions at
> http://www.checkpoint.com/services/mailing.html
> ==============================================================
> ==============
> ====
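
The sketch below is an added example, not part of the thread and not Check Point code. It models the behaviour described in the top message: a first-match rulebase in which a domain object triggers a reverse DNS lookup that is cached once per IP address per rule, so the position of the domain rule determines how many lookups are paid. The PTR table, addresses, rule tuples and the suffix-match semantics are constructed assumptions.

```python
# Simulated PTR records (constructed sample data); a real gateway would query DNS.
PTR = {
    "192.0.2.10": "www.yahoo.com",
    "192.0.2.11": "mail.yahoo.com",
    "198.51.100.5": "intranet.example.net",
    "203.0.113.7": "www.example.org",
}

class Rulebase:
    def __init__(self, rules):
        self.rules = rules      # list of (kind, value, action), evaluated top-down
        self.cache = {}         # (rule index, IP) -> resolved name
        self.lookups = 0        # reverse DNS queries actually performed

    def _resolve(self, idx, ip):
        key = (idx, ip)
        if key not in self.cache:       # the delay is paid once per IP per rule
            self.lookups += 1
            self.cache[key] = PTR.get(ip, "")   # no PTR record -> empty name
        return self.cache[key]

    def decide(self, dst_ip):
        for idx, (kind, value, action) in enumerate(self.rules):
            if kind == "host" and dst_ip == value:
                return action           # first match wins, later rules are skipped
            # Assumption: a domain object such as ".yahoo.com" matches by suffix.
            if kind == "domain" and self._resolve(idx, dst_ip).endswith(value):
                return action
        return "drop"                   # implicit cleanup rule

def lookups_for(rules, traffic):
    rb = Rulebase(rules)
    actions = [rb.decide(ip) for ip in traffic]
    return rb.lookups, actions

DOMAIN_RULE = ("domain", ".yahoo.com", "accept")
HOST_RULES = [("host", "198.51.100.5", "accept"), ("host", "203.0.113.7", "accept")]
# Constructed destination sequence with repeats, plus one IP that has no PTR record.
TRAFFIC = ["198.51.100.5", "192.0.2.10", "203.0.113.7", "198.51.100.5",
           "192.0.2.11", "192.0.2.10", "203.0.113.99", "203.0.113.7"]

if __name__ == "__main__":
    top, _ = lookups_for([DOMAIN_RULE] + HOST_RULES, TRAFFIC)
    bottom, _ = lookups_for(HOST_RULES + [DOMAIN_RULE], TRAFFIC)
    print(f"domain rule first: {top} lookups; domain rule last: {bottom} lookups")
```

With the domain rule first, every distinct destination is resolved; with it last, only destinations that no earlier rule matched are resolved, and the decisions are identical.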