Firewall Wizards mailing list archives

Re: Allowing DNS servers to operate behind NetScreen 500


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 4 Feb 2003 17:48:44 +0100

----- Original Message -----
From: "David Klein" <dklein () netscreen com>
[...]
By default, Netscreens implement a DNS ALG (Appl Level Gateway) to do just
this.  [...]

That doesn't make sense. A proxy doesn't let responses
through at all [...]

I didn't say it was a "proxy" nor did I say it was a "classic DNS ALG or
caching server".  Without launching into a semantics debate, Netscreen
devices have an internal construct we call a "gate".  This is basically
special code that gets executed when we need to do more than layer 4
stateful tracking.  We call these ALGs (not proxies).
[...]
These are not proxies in the classical sense.  You don't program the client
to connect directly to the firewall a la a web proxy or socks paradigm.  We
don't terminate the client connection acting as the server and we don't open
a session to the real server acting as the client.
[...]
We would call it a real ALG, however, based on your parlance it's probably
closer to a UDP plug proxy that knows a few state-like rules.

OK, so we're quibbling over terms. In my brain ALG is synonymous with a
proxy, and a proxy always terminates the TCP/IP connection (or, for UDP, the
firewall acts as the DNS client to the remote server). This can be done
transparently, a la many proxy firewall solutions. _Personally_ I don't think
the term ALG should be misused when what we actually have is a smart packet
filter.

Having said that, this is an area of terminology which causes a great deal
of confusion, and is a constant source of thread rehashes on mailing lists.

I understand what your box does, which is the main thing.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
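The distinction argued over above (a "gate" that inspects the DNS payload to track state, versus a proxy that terminates the client's exchange and re-originates the query itself) is easier to see in code. The following is an added example written for this archive page; it is not NetScreen code and makes no claim about how the ScreenOS DNS gate is actually implemented. It models the "UDP plug proxy that knows a few state-like rules" side of the debate: outbound queries are parsed and recorded by (client, server, transaction ID, question name), and an inbound packet is forwarded only if it is a response whose reversed address pair, transaction ID and question match a pending query, exactly once. The packets are re-used from the firewall's point of view (same addresses, same transaction ID); a proxy in Ben's sense would instead open its own socket, pick its own transaction ID and source port, and answer the client itself. The DNS builder, the addresses and the `DnsGate` class are all constructed for the example.

```python
import struct
from dataclasses import dataclass, field


def build_dns_message(txid, qname, *, response=False, qtype=1, qclass=1):
    """Build a minimal DNS message with a single question section.

    Constructed test data for the example: no answer records are emitted,
    since the gate below only looks at the header and the question.
    """
    flags = 0x8180 if response else 0x0100          # QR/RD/RA vs. plain RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_dns_question(payload):
    """Return (txid, is_response, qname) for a one-question DNS message.

    Raises ValueError for anything the gate should not try to reason about
    (short header, multiple questions, compression pointers, truncation).
    A malformed packet is dropped rather than guessed at.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            # Compression pointers are legal in answers but never needed in
            # the first (and only) question, so the gate refuses them.
            raise ValueError("compression pointer in question name")
        if pos + 1 + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 4 > len(payload):
        raise ValueError("truncated question type/class")
    return txid, bool(flags & 0x8000), ".".join(labels).lower()


@dataclass
class DnsGate:
    """Stateful DNS 'gate': layer-4 state plus a look into the DNS payload.

    Keys are (client_addr, server_addr, txid); the value is the question
    name the client asked for.  Addresses are (ip, port) tuples.
    """
    pending: dict = field(default_factory=dict)

    def outbound(self, src, dst, payload):
        """Client -> server.  Record the query; return True if forwarded."""
        try:
            txid, is_response, qname = parse_dns_question(payload)
        except ValueError:
            return False
        if is_response:
            return False                     # a "response" leaving the inside is not a query
        self.pending[(src, dst, txid)] = qname
        return True

    def inbound(self, src, dst, payload):
        """Server -> client.  Forward only a response matching a pending query."""
        try:
            txid, is_response, qname = parse_dns_question(payload)
        except ValueError:
            return False
        key = (dst, src, txid)               # reversed address pair of the original query
        if not is_response or self.pending.get(key) != qname:
            return False
        del self.pending[key]                # one answer per question; duplicates are dropped
        return True


if __name__ == "__main__":
    gate = DnsGate()
    client, server = ("10.0.0.5", 40000), ("192.0.2.53", 53)   # constructed addresses
    gate.outbound(client, server, build_dns_message(0x1234, "example.com"))
    print("matching reply forwarded:",
          gate.inbound(server, client, build_dns_message(0x1234, "example.com", response=True)))
    print("spoofed txid forwarded:",
          gate.inbound(server, client, build_dns_message(0x1235, "example.com", response=True)))
```

Note what the gate does not do: it never originates traffic, never rewrites the transaction ID or source port, and has no cache. Those are exactly the properties David describes ("we don't terminate the client connection ... we don't open a session to the real server"), and exactly why Ben would not call it a proxy. The payload check is also what makes it more than plain layer-4 tracking: a reply from the right server address and port but with the wrong transaction ID or a different question name is dropped, and the state entry is consumed by the first matching answer.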
