> Date: Wed, 10 Feb 2010 10:16:18 -0500
> From: Dave Sparro <dspa...@gmail.com>
> Sender: bind-users-bounces+oberman=es....@lists.isc.org
>
> On 2/9/2010 7:28 PM, Mark Andrews wrote:
> > In message <4b719346.4020...@arcelormittal.com>, Cedric Lejeune writes:
> >
> > > In fact, our firewall was doing some kind of traffic shaping (thanks
> > > Robert ;): if the number of requests of any type goes above a defined
> > > number, then block further requests.
> > >
> > Care to share, with the list, the vendor and model numbers so that
> > others will be aware of what to look out for if they have or intend
> > purchasing the firewall.
> >
>
> I'd bet that any make/model of firewall can be configured to block or
> hinder the very services they are intended to protect.
In general, stateful firewalls in front of servers are simply a DOS vulnerability. They are almost always a bad idea (and the "almost" is debatable). A typical UNIX server is quite capable of handling a DOS load that will cause a stateful FW to close up shop and die. Firewalls are fine for protecting clients, but are of little or no use for protecting servers.

Unfortunately, many places have rules mandating firewalls and they are sitting ducks, but I have tried to explain the issue to the security folks, who simply say that you MUST have a firewall. A good solution is to simply configure the firewall to act as a stateless device and just pass traffic that was not blocked by the ACL. A real-time black hole server in combination with ACLs is the only good way to protect a server.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net			Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
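As an added illustration of the "stateless device plus ACL" arrangement Kevin describes (example configuration written for this page, not something posted by any participant in the thread or shipped by ISC): an nftables ruleset for a Linux host or bridge in front of an authoritative name server. The server address 192.0.2.53, the admin network 203.0.113.0/24 and the blackholed prefix are assumptions. DNS to and from the server is exempted from connection tracking with `notrack`, so a flood of spoofed sources cannot fill the state table; the `blackhole` set is a host-level stand-in for a real-time black hole feed, which on a production network would normally be a BGP-advertised route at the border rather than a host rule.

```nftables
# Added example, not from the original thread. Addresses and prefixes are assumptions.
flush ruleset

table inet dns_edge {
    # Source prefixes currently blackholed. Populated by an external script, e.g.
    #   nft add element inet dns_edge blackhole { 198.51.100.0/24 }
    # and emptied again when the attack subsides.
    set blackhole {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    # Stateless path: drop blackholed sources first, then keep DNS out of conntrack.
    # Everything else on the box (SSH, outbound lookups) is still tracked.
    chain raw_in {
        type filter hook prerouting priority raw; policy accept;
        ip saddr @blackhole drop
        ip daddr 192.0.2.53 udp dport 53 notrack
        ip daddr 192.0.2.53 tcp dport 53 notrack
    }
    chain raw_out {
        type filter hook output priority raw; policy accept;
        ip saddr 192.0.2.53 udp sport 53 notrack
        ip saddr 192.0.2.53 tcp sport 53 notrack
    }

    # The ACL: match on static header fields only, never on ct state, for DNS.
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        # Stateful equivalent this replaces (the sitting-duck configuration):
        #   ip daddr 192.0.2.53 udp dport 53 ct state new accept
        # Every spoofed source creates a conntrack entry; once nf_conntrack_max is
        # reached the kernel drops new packets, legitimate queries included.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept
        # Low-volume management traffic is where stateful tracking still makes sense.
        ip saddr 203.0.113.0/24 tcp dport 22 ct state new accept
        ct state established,related accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif lo accept
        # DNS replies are untracked, so the return path needs its own static rule.
        ip saddr 192.0.2.53 udp sport 53 accept
        ip saddr 192.0.2.53 tcp sport 53 accept
        # Queries the server itself originates (zone transfers, recursion) stay tracked.
        ip saddr 192.0.2.53 udp dport 53 ct state new accept
        ip saddr 192.0.2.53 tcp dport 53 ct state new accept
        ct state established,related accept
    }
}
```

Load it with `nft -f` and watch `conntrack -C` under load: with the `notrack` rules in place the count should stay flat while port 53 traffic rises, which is the whole point. Two caveats a practitioner will want: the ruleset covers IPv4 only, so an `ip6` mirror of each DNS rule is needed for a dual-stacked server, and any "block further requests above N" rate rule of the kind Cedric's firewall applied must not be layered back on top, or the firewall is again the first thing to fall over.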