Educause Security Discussion mailing list archives
Re: firewall holes for particular machines
From: Chris Schenk <Christopher.Schenk () COLORADO EDU>
Date: Wed, 13 May 2009 08:38:03 -0600
Typically I avoid and recommend to others to avoid using any hostnames in a firewall configuration unless they are in some sort of hosts file (/etc/hosts, c:\windows\system32\drivers\etc\hosts). The issue with using hostnames is that if your firewall is ever misconfigured and doesn't allow DNS queries, your hostnames won't resolve and your firewall will be broken. This does depend on your network configuration, however, whether or not the DNS server is inside the firewall, etc.
Chris
On 05/13/2009 08:27 AM, Kevin Shalla wrote:
I've been working with some people to set up firewall rules to allow particular IP addresses. We're going to be changing many IP addresses soon, but keeping the same hostnames for them, so I suggested setting the firewall rules to use hostnames instead, so that there would be no downtime, and less maintenance the next time IP addresses change. My thinking is that there isn't much security that's added by using IPs instead of hostnames, and using hostnames would slightly increase the processing needed, but hostnames are more convenient. Am I missing something?
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Schenk
Director of Computing Operations
Department of Computer Science
University of Colorado, Boulder
P:(303)492-5720 F:(303)492-2844
Christopher.Schenk () Colorado EDU
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
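An added example, not part of the original message: a small audit that flags firewall rule operands that are hostnames and reports whether each one is pinned in a hosts file or would depend on a live DNS lookup, the failure mode described in the reply above. The iptables-style `-s`/`-d` rule syntax, the function names and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample hosts file (same format as /etc/hosts).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  db1.example.edu db1   # constructed entry
192.0.2.20  web1.example.edu
"""

# Constructed sample rules; the iptables-style syntax is an assumption.
SAMPLE_RULES = """\
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s db1.example.edu -p tcp --dport 5432 -j ACCEPT
-A INPUT -s backup.example.edu -p tcp --dport 873 -j ACCEPT
-A OUTPUT -d WEB1.example.edu -p tcp --dport 443 -j ACCEPT
"""

def parse_hosts(text):
    """Return {lowercased name: ip} from hosts-file text, ignoring comments."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])  # first entry wins
    return names

def is_ip_or_cidr(value):
    """True for a literal IPv4/IPv6 address or network, False for a name."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def audit_rules(rules_text, hosts):
    """List (line, name, status, ip) for every hostname used as -s/-d operand."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        for flag, operand in zip(tokens, tokens[1:]):
            if flag not in ("-s", "-d", "--source", "--destination"):
                continue
            for addr in operand.split(","):
                if is_ip_or_cidr(addr):
                    continue  # literal address: no resolution needed
                ip = hosts.get(addr.lower())
                status = "hosts-file" if ip else "dns-only"
                findings.append((lineno, addr, status, ip))
    return findings
```

Operands reported as `dns-only` are the ones that stop resolving if the firewall ever blocks DNS queries; `hosts-file` operands resolve locally.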