awakenings
asked on
Firewall rule creation - How take into account dynamic DNS?

I need to create PIX ACLs which only work with IPs.  I have a URL that I need to enter.  Of course I can ping or traceroute to get the IP, but it doesn't take into account dynamic IP ranges.  One case I am looking at is for setting up WSUS.  I have the URL and pinged for the IP, but I need a range of IPs that could be used for input into the PIX ACL.  Any suggestions?
ASKER CERTIFIED SOLUTION
batry_boy
awakenings (ASKER)
Batry Boy,

    I do NOT want to allow internal access from an outside network.  I want TCP to work its magic and the "inbound" traffic to be from the outbound request.  The problem is that a range of IPs is required and I have no idea what that range is because they mention URLs.  I try pinging those URLs and can get an IP, but this will not give a good range of IPs to work with.

Awakenings
SOLUTION
Batry Boy,

     I am trying to find a range of IP addresses.  Let's say I have an antivirus server.  I want that antivirus server to get updates on a daily basis, so it needs to go to specific IPs as firewalls don't do DNS.  The vendors only seem to supply DNS information.  I could do a ping, but that supplies 1 IP.  What if that IP is down?  If I look on ARIN and see what range they suggest, it is a HUGE range of addresses.  Well, that isn't very secure.  I want 5 IPs (for example) that I can use.  How does one narrow down what range of IPs?

----
    The TCP comment was basically explaining what TCP does naturally with stateful firewalls.  If I have an outbound request on TCP port 80, the inbound reply from the web server will be let through the stateful firewall (albeit on a different port in this example) to the machine.  TCP is connection oriented and UDP is connectionless.
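An added example (not from this thread or its participants) of the approach the asker is after: collect the addresses a vendor name resolves to across repeated nslookup runs, and turn the observed set into a narrow outbound PIX ACL instead of opening a whole ARIN block. The hostname, resolver, addresses and internal host below are constructed placeholders.

```python
import ipaddress
import re
from typing import Iterable, List, Set

# Constructed nslookup output for one vendor name, captured on three different
# days; the name, resolver and addresses are placeholders, not real vendor data.
SNAPSHOTS = [
    "Server:  10.0.0.2\nAddress:  10.0.0.2#53\n\n"
    "Non-authoritative answer:\nName:    updates.example-av.test\n"
    "Addresses:  203.0.113.10\n          203.0.113.11\n",
    "Non-authoritative answer:\nName:    updates.example-av.test\n"
    "Address:  203.0.113.12\n",
    "Non-authoritative answer:\nName:    updates.example-av.test\n"
    "Addresses:  203.0.113.11\n          203.0.113.10\n",
]

ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_answer_addresses(nslookup_output: str) -> Set[str]:
    """Addresses from the answer section only; the resolver's own IP is skipped."""
    answer = nslookup_output.split("Non-authoritative answer:", 1)[-1]
    return set(ADDR_RE.findall(answer))


def collect_observed(snapshots: Iterable[str]) -> List[str]:
    """Union of every address seen across repeated lookups, sorted numerically."""
    seen: Set[str] = set()
    for snap in snapshots:
        seen |= parse_answer_addresses(snap)
    return sorted(seen, key=ipaddress.IPv4Address)


def pix_acl(name: str, src_host: str, dst_hosts: List[str], port: int) -> List[str]:
    """Outbound PIX ACL: permit only the observed hosts, then deny the rest.
    Reply packets of these TCP sessions pass the stateful PIX without any
    inbound permit, which is what the asker relies on."""
    lines = [f"access-list {name} permit tcp host {src_host} host {d} eq {port}"
             for d in dst_hosts]
    lines.append(f"access-list {name} deny ip any any")
    return lines


def covering_block(hosts: List[str]) -> str:
    """Smallest single CIDR covering all observed hosts, for comparison with
    the much larger ARIN allocation the asker did not want to open."""
    addrs = [ipaddress.IPv4Address(h) for h in hosts]
    net = ipaddress.ip_network(f"{min(addrs)}/32")
    while max(addrs) not in net:
        net = net.supernet()
    return str(net)
```

Re-run the collection on a schedule and compare against the deployed ACL: if the vendor name starts resolving to an address outside the permitted set, the update fails closed rather than silently widening the rule.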
SOLUTION
Batry Boy,

    I am familiar with the process of how antivirus servers work.  I think the critical component you are missing is that I do not allow random internet access for the servers.  It is a very tight environment.  I want to allow access for antivirus for maybe 5 IP addresses and no more (use only allows with the deny IP any any statement (yes, I know it is implicit on PIX)).

Again, because of the nature of stateful firewalls and TCP, I'm not interested in opening inbound access.  Read up on stateful firewalls and that will help.
SOLUTION
Batry boy,

     I apologize if I came off as condescending.  The original answer was a 180 degree turn from what I was asking.  I then explained the basics of TCP because it seemed to me that you were jumping to vastly different conclusions that were out in left field. You are correct that I should have mentioned outbound filtering.  I'm sorry I didn't make that clear.  My original statement said I was looking for how to narrow down a range of IPs - not the basics of ACL creation.

------

    But to answer your question, thanks for the nslookup tip.  That and ping were my first thoughts, but it doesn't fully deal with the dynamic DNS issue.  I'll leave it up for a few more days, and if no one else has a good response, nudge me and I'll give you points.

Awakenings
Batry Boy,

     No one has answered so I'm going to give you credit for this even though I didn't get the answer I was looking for.  Thanks and again my apologies.
No problem...sorry you didn't get what you were looking for.

See you in the zones!