Re: Firewalls - Reviewed
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 06/14/05
Date: 14 Jun 2005 20:30:10 GMT
In article <1118779778.239818.280350@f14g2000cwb.googlegroups.com>,
neophite <jpbaca02@comcast.net> wrote:
:I'm looking for a solid but fairly priced firewall that will
:specifically allow me to host my own MX record and act as Primary NS
:for my domain. Any suggestions?

Those aren't traditional firewall features -- I can't say that
I've ever encountered a firewall appliance that was also a DNS server.

There are two traditional firewall features that I can think of that
may be of interest to you: port forwarding; and DNS address
translation of internal IP addresses to external addresses.

Port forwarding is very common, even in low-end devices that do not
keep track of packet state. For port forwarding, you usually just
go into a simple configuration screen, enter the port number
as known to the outside world, enter the internal IP address you
want the packets forwarded to, and enter the internal port number
on that internal machine (the same as the external port number
much of the time.)

DNS address translation is a convenience. If you have DNS
address translation, then when your internal machines query your
internal DNS server, then they get told the internal IP addresses,
but when external machines query the -same- internal DNS servers,
they get told the external IP address. This allows you to use a single
DNS server for internal and external clients. If you do not have
that feature, then you either need to configure different DNS servers
for internal and external clients, or else you need to configure
a single DNS server to have "split views", in which it specifically
notices where the query is coming from and returns different data
to the different callers [this may require essentially duplicating
records, but at least it doesn't require a second server.]

An example of a firewall that does do DNS address translation
is the Cisco PIX 501. But as I indicated above, with a bit of work
you can get away without having this feature: in that case,
you are just looking for standard firewall functionality, and
the model of the device you buy will depend on your other needs
(e.g., bandwidth shaping, content filtering, virus checking), and
upon your Threat Risk Assessment.
-- "Never install telephone wiring during a lightning storm." -- Linksys
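
The "split views" behaviour described in the message above, as an added example that is not part of the original post: a Python sketch that picks a view from the query's source address (first match wins, an assumption of this sketch) and audits the views for RFC 1918 addresses published externally and for public names that were not duplicated into the internal view. The domain, networks, addresses and function names are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges that should never appear in answers given to outside callers.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: (view name, client networks, records for that view).
VIEWS = [
    ("internal", ["192.168.1.0/24", "127.0.0.0/8"],
     {"mail.example.com": "192.168.1.10", "ns1.example.com": "192.168.1.2"}),
    ("external", ["0.0.0.0/0"],
     {"mail.example.com": "203.0.113.10", "ns1.example.com": "203.0.113.2"}),
]

def select_view(client_ip, views=VIEWS):
    """Return (name, records) of the first view matching the query source."""
    addr = ipaddress.ip_address(client_ip)
    for name, nets, records in views:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name, records
    return None, {}

def resolve(client_ip, qname, views=VIEWS):
    """Answer qname from the view chosen by the caller's address, or None."""
    _, records = select_view(client_ip, views)
    return records.get(qname.rstrip(".").lower())

def audit_views(views=VIEWS, public_view="external"):
    """List records that leak internal addresses or were not duplicated."""
    zones = {name: records for name, _, records in views}
    public = zones.get(public_view, {})
    findings = []
    for qname, value in sorted(public.items()):
        # An internal address in the public view discloses internal layout.
        if any(ipaddress.ip_address(value) in net for net in RFC1918):
            findings.append(f"{qname}: RFC 1918 address {value} in {public_view} view")
    for name, records in zones.items():
        # A public name absent from another view fails to resolve for its clients.
        for qname in sorted(set(public) - set(records)):
            findings.append(f"{qname}: in {public_view} view but missing from {name} view")
    return findings

if __name__ == "__main__":
    print(resolve("192.168.1.50", "mail.example.com"))   # internal caller
    print(resolve("198.51.100.7", "mail.example.com"))   # external caller
    print(audit_views())
```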