Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-05-09 Thread Bill Marquette
On 4/27/07, RB <[EMAIL PROTECTED]> wrote: > Authentication by IP is a bad idea, restricting who can connect in the > first place and proceed to authentication stage is a further line of Having been an enterprise firewall admin in the midst of previously established enterprise firewall admins, th

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-05-09 Thread Volker Kuhlmann
On Wed 02 May 2007 01:03:20 NZST +1200, sai wrote: > Everytime a packet comes in that might match the rule, you would have > to do a DNS lookup. Not a good idea, as this would REALLY screw up the > latency on your firewall. No, you misunderstood. The rules are static, but one of them is the resul

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-05-01 Thread RB
Every time a packet comes in that might match the rule, you would have to do a DNS lookup. Not a good idea, as this would REALLY screw up the latency on your firewall. Absolutely - it's not without its detriments. Some of that may be reduced with a good caching name server, but overall the resp

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-05-01 Thread sai
Every time a packet comes in that might match the rule, you would have to do a DNS lookup. Not a good idea, as this would REALLY screw up the latency on your firewall. sai On 4/22/07, Rob Terhaar <[EMAIL PROTECTED]> wrote: don't think this is possible, or a good idea either. On 4/21/07, Volker

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-04-27 Thread RB
My response: if someone is in the position to poison my DNS, they're already in the position to spoof a trusted IP and likely a whole lot more. FWIW, like any good BIND admin, my internal nameserver is pointed at the roots. - T

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-04-27 Thread RB
Authentication by IP is a bad idea, restricting who can connect in the first place and proceed to authentication stage is a further line of Having been an enterprise firewall admin in the midst of previously established enterprise firewall admins, the "going wisdom" is that you always set rules

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-04-27 Thread Volker Kuhlmann
Thanks for your answers everyone. On Mon 23 Apr 2007 03:59:00 NZST +1200, Rob Terhaar wrote: > don't think this is possible, or a good idea either. Whether it's a good idea or not depends on what it's being used for. Authentication by IP is a bad idea, restricting who can connect in the first pla

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-04-22 Thread Scott Ullrich
On 4/22/07, Josep Pujadas i Jubany <[EMAIL PROTECTED]> wrote: I asked the same thing some months ago. Developer team (Scott Ullrich) said it is not a good idea to have rules based on name resolution. I agree, it is very easy to poison/hack name resolution ... [snip] http://www.mail-archive.com/

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-04-22 Thread Josep Pujadas i Jubany
On Sun, 22 Apr 2007 10:59:00 -0500, Rob Terhaar wrote > don't think this is possible, or a good idea either. > > On 4/21/07, Volker Kuhlmann <[EMAIL PROTECTED]> wrote: > > What options are there for creating rules with a hostname which resolves > > to a dynamic IP address? I'd like to allow one hos

Re: [pfSense Support] Rules based on hostname/dynamic IP address

2007-04-22 Thread Rob Terhaar
don't think this is possible, or a good idea either. On 4/21/07, Volker Kuhlmann <[EMAIL PROTECTED]> wrote: What options are there for creating rules with a hostname which resolves to a dynamic IP address? I'd like to allow one host inbound access on a tcp port, but that host doesn't have

[pfSense Support] Rules based on hostname/dynamic IP address

2007-04-21 Thread Volker Kuhlmann
What options are there for creating rules with a hostname which resolves to a dynamic IP address? I'd like to allow one host inbound access on a tcp port, but that host doesn't have a static IP. Unless there's a magic mechanism I don't know about, at least part of the rules would have to be