Agree with all your points. I was just throwing it out there as a possibility. If I were implementing it, I would definitely apply it only to certain ports.
-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, August 30, 2011 5:13 PM
To: NT System Admin Issues
Subject: Re: How to determine a host's IP range

On Tue, Aug 30, 2011 at 5:49 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
>> From their description, what that does is look up the name to IP
>> address(es), and then uses that to drive the firewall rule. Which is
>> useful, don't get me wrong, but if the CDN varies the IP address (as
>> some of them do), you might not get the desired results.
>
> On the other hand, if it's doing reverse dns on every ip that hits the
> firewall, it could work.

I thought of that, but it comes with its own problems:

1. Reverse doesn't have to match forward (or even exist)
2. DNS lookups take time (enough to often cause issues)
3. I think there was a third thing but I can't remember it now

#2 is especially bad if you really are looking up *every* address that hits your firewall (as opposed to just certain port #s or whatever). Again, not saying it can't ever work, just that it's complicated.

> You're assuming they do that only once at rule creation.

Actually I was thinking it would refresh periodically. ;-) I've actually done similar in a Linux-based firewall, where a cron job would fire periodically and re-do certain name lookups, to catch changes in IP address for a given name.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
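The periodic re-resolution Ben describes, written out as an added example that is not part of the thread: a script meant to run from cron that resolves each allowed name, diffs the answers against the last run's state, and emits only the ipset changes needed, keeping last-known-good addresses when a lookup fails so a transient DNS problem does not open or close the rule. The state file path, the per-name ipset naming, and the hostname are assumptions.

```python
"""Refresh name-driven firewall rules from cron by re-resolving names.

Resolves each name, diffs against the previous run, and emits ipset
add/del commands. The resolver is injectable so the diff logic can be
exercised offline with constructed data.
"""
import json
import socket
from pathlib import Path

STATE_FILE = Path("/var/lib/fw-dns-refresh/state.json")  # assumed location


def resolve_all(name, resolver=None):
    """Return the set of IPv4 addresses for name (empty set on failure)."""
    if resolver is None:
        resolver = lambda n: {ai[4][0] for ai in socket.getaddrinfo(n, None, socket.AF_INET)}
    try:
        return set(resolver(name))
    except OSError:  # socket.gaierror is a subclass
        return set()


def plan_updates(names, previous, resolver=None):
    """Diff fresh lookups against previous state; return (new_state, commands).

    One ipset per name (assumed convention), so removing an address for one
    name cannot drop it for another name that still resolves to it.
    """
    new_state, commands = {}, []
    for name in names:
        old = set(previous.get(name, []))
        fresh = resolve_all(name, resolver) or old  # keep last-known-good on failure
        set_name = "allow_" + name.replace(".", "_")
        for ip in sorted(fresh - old):
            commands.append(f"ipset add {set_name} {ip}")
        for ip in sorted(old - fresh):
            commands.append(f"ipset del {set_name} {ip}")
        new_state[name] = sorted(fresh)
    return new_state, commands


def main(names):
    previous = json.loads(STATE_FILE.read_text()) if STATE_FILE.exists() else {}
    state, commands = plan_updates(names, previous)
    for cmd in commands:
        print(cmd)  # pipe into sh from the cron entry, or run via subprocess
    STATE_FILE.parent.mkdir(parents=True, exist_ok=True)
    STATE_FILE.write_text(json.dumps(state))


if __name__ == "__main__":
    main(["cdn.example.com"])  # constructed example name
```

The ipset must already exist and be referenced by the firewall rule for the relevant ports; the script only keeps its membership current.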