DNS based ACLs failing

Posted by Dawn on July 1, 2004, 10:17 am
Starting some time in early June, we started getting reports of the
uber annoying "I can't get to xyz webpage". Most of the time, those
are PEBCAK errors, but the complaints keep mounting. When I started
digging into it, it looks like they are legit. The users were getting
403'd on webpages that they should have access to. It's cross
platform....mickeysoft and sun. So far reports have been for Netscape
Enterprise and again, mickeysoft webservers. The one common thread
that I'm seeing is that it looks like the Denies happen when the https
acl references a DNS query rather than an IP range. So any acl saying
*.gov is good ain't working. But if the class b is there, users are
sailing. Reports have been from here in Portland and in
Chicago...totally different networks, different sysadmins, different
DNS servers. Has anyone else been seeing this recently? I dug through
the config file of one of the servers, and everything looks fine. That
particular server is also an email bridgehead- if DNS were really
failing on it, about 3000 people would be griping about not getting their
SPAM. Any suggestions?
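A worked illustration of why a hostname rule like "*.gov is good" can deny a client that an address-range rule admits, added here and not part of the thread: it assumes the web server implements hostname ACLs as a forward-confirmed reverse lookup (PTR on the client address, then A on the returned name, as Apache's mod_access does for hostname restrictions), and it uses constructed resolver tables with hypothetical addresses instead of live DNS so the individual failure modes can be seen.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-ins for PTR and A lookups (hypothetical names and
# TEST-NET addresses, not data from the thread).
PTR = {
    "192.0.2.10": "ws1.agency.example.gov",   # PTR and A agree
    "192.0.2.20": "ws2.agency.example.gov",   # PTR exists, forward disagrees
    # 192.0.2.30 has no PTR record at all
}
A = {
    "ws1.agency.example.gov": ["192.0.2.10"],
    "ws2.agency.example.gov": ["192.0.2.99"],  # forward points elsewhere
}


def hostname_acl_allows(client_ip, pattern, ptr=PTR, a=A):
    """Emulate 'allow <hostname pattern>' as a forward-confirmed reverse
    lookup: reverse-resolve the client, forward-resolve the name that comes
    back, and require the original address among the results before the
    pattern is even compared. Returns (allowed, reason) so a 403 can be
    traced to the DNS step that produced it."""
    name = ptr.get(client_ip)
    if name is None:
        return False, "no PTR record for client"
    if client_ip not in a.get(name, []):
        return False, f"forward lookup of {name} does not return {client_ip}"
    if not fnmatchcase(name.lower(), pattern.lower()):
        return False, f"{name} does not match {pattern}"
    return True, "forward-confirmed reverse DNS matched"


def ip_acl_allows(client_ip, network):
    """The address-range form of the same rule; no DNS involved."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(network)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, hostname_acl_allows(ip, "*.gov"),
              "range:", ip_acl_allows(ip, "192.0.2.0/24"))
```

Only the first client passes the hostname rule, while all three pass the range rule; a broken or missing PTR zone, or a PTR whose forward record no longer matches, is enough to turn a hostname ACL into a blanket deny even though ordinary forward resolution (and therefore mail) keeps working.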


Posted by Walter Roberson on July 1, 2004, 6:15 pm
:Starting some time in early June, we started getting reports of the
:uber annoying "I can't get to xyz webpage".

:The one common thread
:that I'm seeing is that it looks like the Denies happen when the https
:acl references a DNS query rather than an IP range. So any acl saying
:*.gov is good ain't working.

You haven't given us any information about what kind of equipment
you are using to implement the DNS-based ACLs, and we cannot infer
it from your choice of newsgroups.

We -can- infer that you are not using Standard or Extended ACLs
under Cisco IOS or ACLs on a Cisco PIX, as those do not support
acls such as "*.gov". (But you might be using CBAC on Cisco IOS
I guess.)
--
This signature intentionally left... Oh, darn!

