BIND and ZoneAlarm

Mark Andrews Mark_Andrews at isc.org
Wed Jul 19 21:30:32 UTC 2006


> Stefan Puiu wrote:
> > Hi,
> > 
> > On 18 Jul 2006 10:21:06 -0700, Eugen COCA <ecoca at eed.usv.ro> wrote:
> > 
> >>Joseph S D Yao wrote:
> >>
> >>
> >>>It should be possible for any reasonable "personal firewall" IP blocking
> >>>/ filtering software.
> >>
> >>Theoretically speaking YES, practically NO.
> > 
> > 
> > If what you're saying is true, I guess we can infer that ZA is not a
> > reasonable "personal firewall"? :)
> 
> It is not ZA but personal firewalls in general that are not reasonable.
> 
> A firewall is not a piece of hardware but a concept. The "real" firewall
> emerges somewhere in the link between boxes.
> 
> A personal firewall is a lack of concept. It is broken by definition.
> 
> A "real" firewall isolates boxes. By capturing one box you still don't
> have access to the other box.
> 
> You don't need to break a personal firewall because you are already the
> box.

	Peter, you may not like on-machine firewalls, but they are
	firewalls.  They are not "broken by definition".  There are
	just some things that you don't expect them to be able to
	do, like reliably stop unexpected outbound traffic.

	This is no different to choosing a stateful or stateless
	firewall.  You choose a firewall to meet your risk
	assessment.  If you are trying to use the firewall to
	block egress traffic reliably then you need a separate
	box.  However, many of us really don't care about egress
	traffic other than to create state to allow the reply
	traffic to return.
 
	Mark

> > You didn't specify *what* didn't work, at least in your first post.
> > Details are important, I guess specifying the version of BIND used,
> > the version of ZA used wouldn't hurt, plus the things you are trying
> > to achieve... This seems more like a ZoneAlarm question, though, I'm
> > not sure how many people on this list have played with it that much.
> > 
> 
> I have played with windows eXPerimental and CoLinux.
> 
> The relaying of UDP packets between the windows and hardware on the one
> side and the CoLinux on the other side is unreliable at best. Putting
> another piece of software in between does not improve it. I guess
> Bind will lose packets. From outside you will see a Bind that does
> not respond very well.
> 
> > 
> >>BIND does not work with Zonealarm, even if ZA is unloaded (service
> >>stopped). I made numerous tests, on two different systems - secondary
> >>zones are not transferred. On another system, without ZA, BIND works
> >>properly.
> >>
> 
>  From what I have seen with CoLinux it is drivers. They still hang
> around intercepting packets that other people miss.
> 
> > 
> > 
> > What kind of tests? Last time I used ZA, if you stopped ZA no traffic
> > at all would be let through, IIRC, so that scenario shouldn't be
> > expected to work anyway.
> > 
> > Stefan.
> > 
> 
> 
> -- 
> Peter and Karin Dambier
> Cesidian Root - Radice Cesidiana
> Graeffstrasse 14
> D-64646 Heppenheim
> +49(6252)671-788 (Telekom)
> +49(179)108-3978 (O2 Genion)
> +49(6252)750-308 (VoIP: sipgate.de)
> mail: peter at peter-dambier.de
> mail: peter at echnaton.serveftp.com
> http://iason.site.voila.fr/
> https://sourceforge.net/projects/iason/
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
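The distinction Mark draws above, between a stateless filter and one that lets egress traffic "create state" so the reply can return, is easy to see in a toy model. The following is an added example, not code from the thread, from ISC or from BIND; the addresses are constructed from the RFC 5737 documentation ranges and the packet filter is a simplified simulation, not a real kernel firewall.

```python
"""Toy model of a stateless vs. a stateful packet filter handling DNS traffic.

Addresses are constructed from the RFC 5737 documentation ranges; nothing here
talks to a network.  The point is the one made in the thread: egress traffic
is mostly interesting because it *creates state* that lets the reply back in.
"""
from dataclasses import dataclass

LOCAL = "192.0.2.10"            # constructed: the host running the name server
UPSTREAM = "198.51.100.53"      # constructed: a server we legitimately query
ATTACKER = "203.0.113.7"        # constructed: an unrelated third party


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving the host, "in" = arriving at the host


def stateless_allows(pkt):
    """Stateless rule set.  With no memory of past packets, the only way to let
    DNS replies back in is a permanent rule 'allow in from any source port 53',
    which also admits unsolicited datagrams from anyone who sets sport=53."""
    if pkt.direction == "out" and pkt.dport == 53:
        return True
    if pkt.direction == "in" and pkt.sport == 53:
        return True
    return False


class StatefulFirewall:
    """Stateful filter: an allowed outbound packet records its 5-tuple, and an
    inbound packet is admitted only if it is the reverse of a live entry."""

    def __init__(self, timeout=30.0):
        self.timeout = timeout
        self.now = 0.0              # simulated clock, advanced by tick()
        self._state = {}            # outbound 5-tuple -> expiry time

    def tick(self, seconds):
        """Advance the clock and drop expired entries (UDP has no FIN, so
        idle entries can only go away by timing out)."""
        self.now += seconds
        self._state = {k: exp for k, exp in self._state.items() if exp > self.now}

    def allows(self, pkt):
        if pkt.direction == "out" and pkt.dport == 53:
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self._state[key] = self.now + self.timeout
            return True
        if pkt.direction == "in":
            # Reverse the tuple: a reply swaps src/dst and sport/dport.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return key in self._state and self._state[key] > self.now
        return False


def demo():
    """Run the same constructed packets through both filters.
    Returns {name: (stateless_decision, stateful_decision)}."""
    query = Packet("udp", LOCAL, 40000, UPSTREAM, 53, "out")
    reply = Packet("udp", UPSTREAM, 53, LOCAL, 40000, "in")
    spoofed = Packet("udp", ATTACKER, 53, LOCAL, 40000, "in")   # never requested

    fw = StatefulFirewall(timeout=30.0)
    results = {
        "query_out": (stateless_allows(query), fw.allows(query)),
        "reply_in": (stateless_allows(reply), fw.allows(reply)),
        "spoofed_in": (stateless_allows(spoofed), fw.allows(spoofed)),
    }
    fw.tick(31)            # let the UDP entry expire
    results["late_reply_in"] = (stateless_allows(reply), fw.allows(reply))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:15} stateless={stateless!s:5} stateful={stateful}")
```

Both filters pass the query and the genuine reply; only the stateful one rejects the datagram from an address the host never queried, and it also stops admitting the "reply" once the entry has timed out. Note that this model still runs on the same host as the traffic it filters, so it does not address the egress-reliability concern in the thread: code already running on the box can bypass or remove the filter, which is why reliable egress control is argued to need a separate box.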