Educause Security Discussion mailing list archives

Re: firewall holes for particular machines


From: Chris Schenk <Christopher.Schenk () COLORADO EDU>
Date: Wed, 13 May 2009 08:38:03 -0600

Typically I avoid, and recommend to others to avoid, using any hostnames
in a firewall configuration unless they are in some sort of hosts file
(/etc/hosts, c:\windows\system32\drivers\etc\hosts).  The issue with
using hostnames is that if your firewall is ever misconfigured and
doesn't allow DNS queries, your hostnames won't resolve and your
firewall will be broken.  This does depend on your network
configuration, however: whether or not the DNS server is inside the
firewall, etc.

Chris

On 05/13/2009 08:27 AM, Kevin Shalla wrote:
> I've been working with some people to set up firewall rules to allow
> particular IP addresses.  We're going to be changing many IP addresses
> soon, but keeping the same hostnames for them, so I suggested setting
> the firewall rules to use hostnames instead, so that there would be no
> downtime, and less maintenance the next time IP addresses change.  My
> thinking is that there isn't much security that's added by using IPs
> instead of hostnames, and using hostnames would slightly increase the
> processing needed, but hostnames are more convenient.  Am I missing
> something?

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Schenk
Director of Computing Operations
Department of Computer Science
University of Colorado, Boulder
P:(303)492-5720  F:(303)492-2844
Christopher.Schenk () Colorado EDU
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
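The approach Chris describes, keeping names in a hosts-style pin file and never letting the firewall itself depend on DNS, can be turned into a small rule generator. The script below is an added example and is not part of the original thread or any of the posters' tooling; the hostnames, addresses, ports and the pin file contents are constructed for illustration, and the iptables commands are printed rather than executed. It resolves each name only from the pinned file, emits rules with literal addresses, and fails closed (no partial ruleset) when a name is not pinned, which is the failure mode that bites when the firewall blocks its own resolver.

```shell
#!/bin/sh
# Added example (not from the original post): generate IP-based firewall
# rules from a pinned hosts file instead of writing hostnames into the
# rules. Names, addresses and ports below are constructed.

# Constructed /etc/hosts-style pin file. In a real deployment this is
# /etc/hosts or a file maintained next to the firewall config, so an IP
# change is a one-line edit here followed by regenerating the rules.
PINNED_HOSTS="$(mktemp)"
trap 'rm -f "$PINNED_HOSTS"' EXIT
cat > "$PINNED_HOSTS" <<'EOF'
# ip           hostname
192.0.2.10     app1.example.edu
192.0.2.11     app2.example.edu
EOF

# Weak form this replaces (do not use):
#   iptables -A INPUT -p tcp -s app1.example.edu --dport 22 -j ACCEPT
# iptables resolves the name through the system resolver when the rule is
# loaded, so if DNS is unreachable at boot the rule load fails.

# resolve_pinned NAME: print NAME's address from the pin file only, never
# from DNS. Returns non-zero when NAME is not pinned.
resolve_pinned() {
    awk -v name="$1" '
        /^#/ || NF < 2 { next }
        $2 == name     { print $1; found = 1; exit }
        END            { exit (found ? 0 : 1) }
    ' "$PINNED_HOSTS"
}

# gen_rule NAME PORT: emit one iptables command with the literal address.
# An unpinned name produces no rule and a non-zero status instead of a
# rule whose meaning depends on whatever the resolver returns.
gen_rule() {
    ip=$(resolve_pinned "$1") || {
        echo "ERROR: $1 is not pinned; no rule emitted" >&2
        return 1
    }
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$2"
}

# gen_ruleset NAME:PORT ...: build the whole allow list and fail closed:
# every entry is attempted (so all errors are reported at once), but the
# status is non-zero if any entry could not be resolved, so the caller
# must not load the output.
gen_ruleset() {
    status=0
    for entry in "$@"; do
        name=${entry%%:*}
        port=${entry##*:}
        gen_rule "$name" "$port" || status=1
    done
    return $status
}

# Usage (writes the rules to a file only if every name was pinned):
#   gen_ruleset app1.example.edu:22 app2.example.edu:443 > rules.sh || exit 1
```

Because the generator is separate from the firewall, the rules that are actually loaded contain only addresses, which answers Kevin's maintenance concern (change the pin file, regenerate, reload) without making the packet filter depend on DNS being reachable through itself.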
