Firewall Wizards mailing list archives
Re: Allowing DNS servers to operate behind NetScreen 500
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 4 Feb 2003 17:48:44 +0100
----- Original Message -----
From: "David Klein" <dklein () netscreen com>
[...]

> > > By default, Netscreens implement a DNS ALG (Application Level Gateway) to do just this.
> > [...]
> > That doesn't make sense. A proxy doesn't let responses through at all
> [...]
> I didn't say it was a "proxy" nor did I say it was a "classic DNS ALG or caching server". Without launching into a semantics debate, Netscreen devices have an internal construct we call a "gate". This is basically special code that gets executed when we need to do more than layer 4 stateful tracking. We call these ALGs (not proxies).
> [...]
> These are not proxies in the classical sense. You don't program the client to connect directly to the firewall a la a web proxy or socks paradigm. We don't terminate the client connection acting as the server and we don't open a session to the real server acting as the client.
> [...]
> We would call it a real ALG, however, based on your parlance it's probably closer to a UDP plug proxy that knows a few state-like rules.

OK, so we're quibbling over terms. In my brain ALG is synonymous with a proxy, and a proxy always terminates the TCP/IP connection (or, for UDP, the firewall acts as the DNS client to the remote server). This can be done transparently, a la many proxy firewall solutions. _Personally_ I don't think the term ALG should be misused when what we actually have is a smart packet filter.

Having said that, this is an area of terminology which causes a great deal of confusion, and is a constant source of thread rehashes on mailing lists. I understand what your box does, which is the main thing.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
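The distinction the two posters are circling (a "gate"/smart packet filter that inspects DNS fields and pairs responses with earlier queries, versus a proxy that terminates the exchange and re-originates it from the firewall) is easier to see in code. The sketch below is an added illustration written for this archive page; it is not NetScreen code and not anything posted in the thread. It models only the filter side: packets are forwarded or dropped unchanged, the firewall never answers the client or speaks to the resolver itself. The packet structure, the addresses (RFC 5737 documentation ranges), the five-second response window and the single-question restriction are all assumptions of the example, and TCP, EDNS and fragmentation are deliberately out of scope.

```python
"""Toy model of a stateful DNS 'gate' (smart UDP packet filter).

Constructed example, not firewall vendor code. Outbound queries are
remembered by (client, client port, resolver, transaction ID, question);
an inbound datagram is admitted only if it is a response that matches one
pending entry, and each entry admits exactly one response.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Question = Tuple[Tuple[bytes, ...], int, int]  # (labels, qtype, qclass)


@dataclass(frozen=True)
class UdpPacket:
    """Stand-in for the UDP datagram headers and payload the filter sees."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    # flags 0x0100: standard query, RD set; one question, no other sections
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_response(txid: int, name: str, rdata: bytes, qtype: int = 1) -> bytes:
    # flags 0x8180: QR, RD, RA; question echoed, one answer via pointer to offset 12
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_dns(payload: bytes) -> Optional[Tuple[int, bool, Question]]:
    """Return (txid, is_response, question) or None if not a QUERY-opcode
    message with exactly one uncompressed question (the gate's assumption)."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1 or flags & 0x7800:      # 0x7800 = opcode bits; only QUERY
        return None
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length > 63 or off + length > len(payload):  # also rejects 0xC0 pointers
            return None
        labels.append(payload[off:off + length].lower())  # names are case-insensitive
        off += length
    if off + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return txid, bool(flags & 0x8000), (tuple(labels), qtype, qclass)


class DnsGate:
    def __init__(self, ttl_seconds: float = 5.0):   # window is an assumption
        self.ttl = ttl_seconds
        self.pending: Dict[tuple, float] = {}

    def _expire(self, now: float) -> None:
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.ttl}

    def outbound(self, pkt: UdpPacket, now: float) -> bool:
        """Inside -> outside: forward well-formed queries to port 53, remember them."""
        parsed = parse_dns(pkt.payload)
        if pkt.dport != 53 or parsed is None or parsed[1]:
            return False
        txid, _, question = parsed
        self.pending[(pkt.src, pkt.sport, pkt.dst, txid, question)] = now
        return True

    def inbound(self, pkt: UdpPacket, now: float) -> bool:
        """Outside -> inside: forward only a response matching one pending query."""
        self._expire(now)
        parsed = parse_dns(pkt.payload)
        if pkt.sport != 53 or parsed is None or not parsed[1]:
            return False
        txid, _, question = parsed
        key = (pkt.dst, pkt.dport, pkt.src, txid, question)
        return self.pending.pop(key, None) is not None


def demo() -> Dict[str, bool]:
    """Run constructed traffic through the gate and report each forward/drop decision."""
    gate = DnsGate()
    client, cport, resolver, rogue = "10.0.0.5", 40001, "192.0.2.53", "198.51.100.9"
    a_record = bytes([192, 0, 2, 10])
    query = UdpPacket(client, cport, resolver, 53, build_query(0x1234, "Example.com"))
    good = UdpPacket(resolver, 53, client, cport, build_response(0x1234, "example.com", a_record))
    wrong_name = UdpPacket(resolver, 53, client, cport, build_response(0x1234, "evil.example", a_record))
    unsolicited = UdpPacket(rogue, 53, client, cport, build_response(0x1234, "example.com", a_record))
    late_q = UdpPacket(client, cport, resolver, 53, build_query(0x4321, "example.net"))
    late_r = UdpPacket(resolver, 53, client, cport, build_response(0x4321, "example.net", a_record))
    return {
        "query_out": gate.outbound(query, 0.0),       # True: remembered
        "wrong_name": gate.inbound(wrong_name, 0.1),  # False: txid ok, question differs
        "unsolicited": gate.inbound(unsolicited, 0.2),  # False: no query went to that host
        "matching": gate.inbound(good, 0.3),          # True: pairs with the query
        "replay": gate.inbound(good, 0.4),            # False: one response per query
        "stale": (gate.outbound(late_q, 10.0) and gate.inbound(late_r, 20.0)),  # False: expired
    }
```

The contrast with a proxy is in what never appears here: the gate has no socket of its own, never rewrites the source address, and never builds a reply. A transparent DNS proxy would instead consume the client's query, issue its own from the firewall's address, and synthesize the answer back to the client; that is the "acts as the DNS client to the remote server" behaviour Ben describes, and why responses from the real server never reach the client directly in that model.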
Current thread:
- Allowing DNS servers to operate behind NetScreen 500 Gebhart, Glenn (Feb 03)
- <Possible follow-ups>
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 03)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 13)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 David Klein (Feb 04)
- Re: Allowing DNS servers to operate behind NetScreen 500 Ben Nagy (Feb 04)
- RE: Allowing DNS servers to operate behind NetScreen 500 Reckhard, Tobias (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)
- Re: Allowing DNS servers to operate behind NetScreen 500 tqbf (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Paul D. Robertson (Feb 15)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 15)
- Re: DNS vs. Bernstein tqbf (Feb 15)
- Re: DNS and Firewalls Rob Payne (Feb 20)
- Re: DNS Extensions and Firewalls Thomas H. Ptacek (Feb 21)
- Re: DNS Extensions and Firewalls Frank Knobbe (Feb 22)
- Re: Allowing DNS servers to operate behind NetScreen 500 Rob Payne (Feb 14)