Problems That Aren't the Firewall's Fault

There are several issues that people often attribute to the firewall, or expect the firewall to solve for them. This section documents some of these issues, which have nothing to do with FireWall-1.

6.35 Some Services Are Slow to Connect

Some services are slow to connect either because the remote server cannot complete a reverse DNS lookup on the IP address you are connecting from (the lookup times out) or because the remote server is waiting for an answer to its query on the ident port. To fix the latter problem, see FAQ 6.36. To fix the former problem, you must ask your DNS administrator to modify the reverse lookup tables so that the IP address you are connecting from is resolvable.

6.36 The ident Service

When you attempt to use certain services like SMTP or IRC, the server tries to open a connection back to the client on the ident service port. The ident service is typically used to provide identification for certain services. In general, it is not necessary. It is highly recommended that you create a rule that rejects all ident traffic (instead of dropping it) without logging; services that rely on ident will then start faster because they will not wait for the ident connection to time out.

6.37 Different DNS Definitions for Internet and Intranet

When you have different DNS definitions available for internal and external hosts, you want what is commonly referred to as split-horizon DNS.

Your external DNS servers (i.e., the ones responsible for serving DNS queries to the outside world) contain only the bare minimum information: mail exchanger (MX) records, externally accessible hosts, and reverse lookup for your IP space. The internal DNS server is a superset of the external DNS server, containing both inside and outside names and IP addresses. Your internal hosts and the firewall use the internal DNS server, which may use the external DNS server as a forwarder to answer requests (i.e., to resolve queries for domains outside your own).

The internal and external DNS servers should run on separate systems. Your internal DNS server should be inside your firewall on the internal network. Your external DNS server should be either on the DMZ/service network or outside the firewall entirely (perhaps your ISP manages it). Some firewalls run a DNS server on the firewall itself. You can do this, but most people (myself included) do not recommend this configuration.
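As an added example (not from this FAQ), the two named.conf fragments below sketch that layout in BIND 9 syntax; the FAQ names no particular DNS server, so BIND is an assumption, as are the placeholder domain example.com, the public range 192.0.2.0/24, the external server address 192.0.2.53 and the internal range 10.0.0.0/8 with the internal server at 10.0.0.1.

```conf
// ---- External DNS server (DMZ host, placeholder 192.0.2.53): bare minimum ----
options {
    directory "/var/named";
    recursion yes;
    // Recurse only on behalf of the internal DNS server, which forwards to us.
    // Everyone else gets authoritative answers only, never recursion.
    allow-recursion { 10.0.0.1; };
    allow-query { any; };
};
zone "example.com" {
    type master;
    file "external/example.com.zone";   // MX records and publicly reachable hosts only
};
zone "2.0.192.in-addr.arpa" {
    type master;
    file "external/2.0.192.rev";        // reverse lookup for the public IP space
};

// ---- Internal DNS server (inside the firewall, placeholder 10.0.0.1): superset ----
// The firewall rulebase must allow DNS (udp/tcp 53) from 10.0.0.1 to 192.0.2.53 only;
// no other inside host needs to talk DNS to the outside.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; localhost; };  // inside hosts and the firewall itself
    forwarders { 192.0.2.53; };                  // outside domains go via the external server
    forward first;
};
zone "example.com" {
    type master;
    file "internal/example.com.zone";   // inside AND outside names, private and public addresses
};
zone "10.in-addr.arpa" {
    type master;
    file "internal/10.rev";             // reverse lookup for the private address space
};
```

Names in example.com are answered from the local superset zone on the inside and from the minimal zone on the outside, so internal addresses never appear in answers the external server gives.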