Mike Klinke wrote:
On Thursday 15 December 2005 10:15, Bill Tangren wrote:
Our firewall administer says he does the reverse lookups to
prevent/minimize spoofing.
My question is, what is SOP for firewall reverse lookups?
I'd have to ask the purpose of the web site? If it's for the
general public or you're bond legally to provide public access then
reverse look-ups are a bit silly but if the web site is primarily
for the DOD, and your DOD partners are expected to have reverse DNS
set up properly, with only peripheral access by the public then
reverse look-ups may not be a bad idea.
Regards, Mike Klinke
Most of it is for the general public. Some is DoD only, but I have that
protected on the server itself. I don't rely on the firewall, seeing as I don't
control it, and I have little faith in his (the firewall administrator's)
knowledge and abilities (he initially told me he wasn't doing ANY DNS lookup,
until I proved otherwise).
The firewall admin feels that its the user's problem if they can't get access.
He won't change his policies. He told me so himself. Loudly.
Meanwhile someone, eventually, will go to their congressman and complain, and it
will by my a** in the sling.
I asked the question to find out if it is considered industry best practice to
do reverse DNS lookup on a firewall. If it is not, I might be able to use that
to bolster my argument that he stop doing so himself, at least on port 80 traffic.
**The irony here is that the reverse lookup for the firewall is screwed up, and
all of our email is bouncing from any server that does reverse dns lookup.
Poetic justice, I guess.**
Thanks for the response.
Bill
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
