On 24 Aug 99, at 9:41, David Watson wrote:

> I'm new to firewall security. My superior seems to know more about it,
> but after this message I have my doubts. 
>
> Can anyone help? 

> -----Original Message-----
> From: XXXXXXXXX
> Sent: Tuesday, August 24, 1999 9:01 AM
> To: David Watson
> Subject: RE: DNS ..where to put..DMZ or ...
>
> My suggestion would be to have PCI's DNS point to things that are going to
> be in the DMZ (ftp and www). Then pointers for everything else should be
> in a DNS behind the firewall. Also, we should have NAT and/or a proxy in
> or behind the firewall/router. Finally, all the internal IP addresses
> should be private (numbers that cannot be forwarded on the Internet) such
> as the 90.0.0.0 to .255 range with a 255.255.255.0 subnet. 

  The use of NAT or proxy is sensible, as is the separation of internal and 
external DNS.

  The one thing that gives me pause is the claim that 90.0.0.x is a range 
that "cannot be forwarded on the Internet".  I've seen this claim made once 
or twice before, but:

(a) This is not one of the non-routable ranges defined by RFC 1918 for this 
purpose.  [Nor is it the "test network" range or the "DHCP link-local" range, 
which should likewise be non-routable.]  I have never found any basis for the 
claim that 90.0.0.x is a valid range to use for this purpose -- and I *have* 
looked.

(b) Originating from a non-routable address doesn't, generally, prevent a 
packet from being *forwarded* (I wish it did!); it means that responses from 
outside the immediate neighborhood can never be routed *back* to that host.
  A dismaying amount of the traffic that reaches my firewall appears to be 
perfectly legitimate, except that it originates from RFC 1918 reserved 
addresses, and so no connection can ever be established.  And that also means 
there's no mechanism by which I can locate the originating host and tell 
their admin *why* their users aren't managing to connect to our service....

  Oh, one other thing:  Please try not to send "rich text" email to Internet 
mailing lists.  The odds that we're all using the same email client as you do 
are not very good, and it REALLY mucks up anyone who reads the list in DIGEST 
form....


David G
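The two points above (which ranges are actually reserved, and why packets arriving from such addresses can never complete a connection) can be checked mechanically. The script below is an added example written for this page, not code from the mailing list or its author: it tables the RFC 1918 ranges together with the link-local and TEST-NET ranges named in the reply, classifies a source address against them, and then scans a few constructed firewall log lines (a made-up `src=... dst=...` format, not any real product's syntax) to flag inbound packets whose source has no route back. The 90.0.0.x case falls through as an ordinary, routable address, which is the point the reply makes.

```python
"""Classify IPv4 source addresses against the reserved ranges discussed in
the thread and flag inbound packets that can never receive a reply.
Added example, not from the mailing-list post; log lines are constructed."""
import ipaddress
import re

# Explicit table rather than ipaddress's is_private(), so the reasoning
# matches the text: RFC 1918 plus the two other ranges the reply names.
RESERVED_RANGES = {
    "RFC 1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "link-local 169.254/16": ipaddress.ip_network("169.254.0.0/16"),
    "TEST-NET 192.0.2/24": ipaddress.ip_network("192.0.2.0/24"),
}


def classify(addr: str):
    """Return the label of the reserved range containing addr, or None when
    the address is an ordinary, globally routable one (e.g. 90.0.0.12)."""
    ip = ipaddress.ip_address(addr)
    for label, net in RESERVED_RANGES.items():
        if ip in net:
            return label
    return None


# Constructed sample lines in a hypothetical "src=... dst=..." format.
# 198.51.100.7 stands in for an ordinary public source address.
SAMPLE_LOG = """\
1999-08-24T09:41:02 inbound src=10.3.7.21 dst=192.0.2.10 proto=tcp dport=80
1999-08-24T09:41:05 inbound src=90.0.0.12 dst=192.0.2.10 proto=tcp dport=25
1999-08-24T09:41:09 inbound src=172.20.1.4 dst=192.0.2.10 proto=tcp dport=80
1999-08-24T09:41:11 inbound src=198.51.100.7 dst=192.0.2.10 proto=udp dport=53
1999-08-24T09:41:15 inbound src=169.254.33.9 dst=192.0.2.10 proto=tcp dport=21
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) inbound src=(?P<src>\S+) dst=(?P<dst>\S+)")


def unreplyable_sources(log_text: str):
    """Return (timestamp, src, range_label) for each inbound packet whose
    source is in a reserved range: the firewall may well forward it, but
    no reply can be routed back, so the connection can never complete."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not inbound packet records
        label = classify(m["src"])
        if label is not None:
            hits.append((m["ts"], m["src"], label))
    return hits


if __name__ == "__main__":
    for addr in ("90.0.0.12", "10.1.2.3", "169.254.1.1"):
        print(addr, "->", classify(addr) or "not reserved; routable")
    for ts, src, label in unreplyable_sources(SAMPLE_LOG):
        print(f"{ts} src={src} ({label}): no route back, cannot complete")
```

Run as-is it prints the classification of the three probe addresses and then the three log entries (10.3.7.21, 172.20.1.4, 169.254.33.9) whose sources are reserved; 90.0.0.12 and 198.51.100.7 are not flagged. On a real firewall the same check belongs at the ingress filter, dropping and logging such packets rather than forwarding them, since (as the reply notes) no useful session can result from them.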