hi,
At 10:01 23.02.2006, you wrote:
Reinhard Stich wrote:
> hi,
>
> I can't recommend working with domain-names because the fw is required
> to do dns-lookups for every IP then - and this makes it slow.
>
> for http you can work with resources - but this only works for http.

Doesn't http_resources do dns-lookups? what's the difference? caches?

resource looks at HTTP-headers, domain-object in the rulebase looks
into the IP-header over *every* packet, that's a little bit more to
do for the firewall :-)

my solution for that is to have a nslookup-script, that informs me
about IP-changes for some sites and I update the firewall-config then ...
this is ok for 1 or 2 domains, that's a nightmare if you have more
domains/URLs to monitor. then it's time to invest into a specialized
product :-)
cheers
reinhard
--
Reinhard Stich ASSIST R.Stich AT internet-security DOT at
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
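
The lookup script described in the message above, sketched as an added example (it is not Reinhard's script and not part of the original post): it resolves a list of names, compares the result with the last saved snapshot, and reports added and removed addresses so the rulebase can be updated by hand. The state-file format, function names and sample addresses are assumptions.

```python
import json
import socket
from pathlib import Path

def resolve_ipv4(name):
    """Return the set of IPv4 addresses the system resolver gives for name."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def diff_addresses(previous, current):
    """Compare two {name: [ips]} snapshots; return {name: (added, removed)}."""
    changes = {}
    for name in sorted(set(previous) | set(current)):
        old, new = set(previous.get(name, [])), set(current.get(name, []))
        if old != new:
            changes[name] = (sorted(new - old), sorted(old - new))
    return changes

def check(names, state_file, resolver=resolve_ipv4):
    """Resolve names, diff against the saved snapshot, save the new snapshot."""
    state_file = Path(state_file)
    previous = json.loads(state_file.read_text()) if state_file.exists() else {}
    current = {}
    for name in names:
        try:
            current[name] = sorted(resolver(name))
        except OSError:
            # Lookup failed: keep the last known addresses rather than
            # reporting every IP as removed because of a resolver outage.
            current[name] = previous.get(name, [])
    changes = diff_addresses(previous, current)
    state_file.write_text(json.dumps(current, indent=2))
    return changes

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:   # arguments: STATE_FILE NAME [NAME ...]
        found = check(sys.argv[2:], sys.argv[1])
    else:                    # offline demo on constructed snapshots
        found = diff_addresses({"www.example.com": ["192.0.2.10"]},
                               {"www.example.com": ["192.0.2.11"]})
    for name, (added, removed) in found.items():
        print(f"{name}: added={added} removed={removed}")
```

The first run against an empty state file reports every address as added, which gives the baseline to compare the firewall objects against.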